A critical security flaw has been discovered in Kubernetes Image Builder that, if successfully exploited, could be used to gain root access under certain circumstances.
The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers thanked Nicolai Rybnikar for discovering and reporting the vulnerability.
“A security issue has been identified in Kubernetes Image Builder where default credentials are enabled during the image build process,” Joel Smith of Red Hat said in an advisory.
“Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.”
However, Kubernetes clusters are only affected by the flaw if their nodes use virtual machine (VM) images created through the Image Builder project with the Proxmox provider.
As a temporary mitigation, users are advised to disable the builder account on affected VMs. They are also advised to rebuild affected images using a fixed version of Image Builder and redeploy them to the virtual machines.
The fix introduced by the Kubernetes team replaces the default credentials with a randomly generated password that is set at image build time. Additionally, the builder account is disabled at the end of the image build process.
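The mitigation described above (confirm that the builder account on a node is disabled, and lock it if it is not) can be checked with a short script. The following is an added example, not code from the advisory or from the Image Builder project; it assumes the account is named builder, as the advisory does, that the node uses a standard /etc/shadow and shadow-utils (usermod), and it only touches the real node when run as root with --apply. The shadow entries it checks itself against are constructed:

```shell
#!/bin/sh
# Added example (not from the advisory or the Image Builder project): report whether
# the "builder" account left behind by an affected image is still enabled on a node,
# and lock it when asked to. Assumes the account name "builder" and that /etc/shadow
# is readable (run as root). The sample entries at the bottom are constructed.

# shadow_locked LINE -> exit 0 if the entry's password field marks the account as
# locked (leading '!' or '*'); exit 1 if a hash is set or the field is empty
# (an empty field means no password at all, which is worse than a default one).
shadow_locked() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# builder_status SHADOW_CONTENT -> prints "absent", "locked" or "ENABLED"
builder_status() {
    line=$(printf '%s\n' "$1" | grep '^builder:' || true)
    if [ -z "$line" ]; then
        echo absent
    elif shadow_locked "$line"; then
        echo locked
    else
        echo ENABLED
    fi
}

# Lock the builder account on this node if it is still enabled (root only).
remediate_node() {
    status=$(builder_status "$(cat /etc/shadow)")
    if [ "$status" = "ENABLED" ]; then
        echo "builder account is enabled: locking it"
        usermod -L builder                 # lock the password
        usermod -e 1970-01-02 builder      # expire the account too: a password lock
                                           # alone does not block key-based SSH logins
    else
        echo "builder account: $status"
    fi
}

# Constructed /etc/shadow entries for a quick self-check (not real hashes).
SAMPLE_OPEN='builder:$6$saltsalt$fakehashfakehash:19900:0:99999:7:::'
SAMPLE_LOCKED='builder:!$6$saltsalt$fakehashfakehash:19900:0:99999:7:::'

echo "sample open image:   $(builder_status "$SAMPLE_OPEN")"    # ENABLED
echo "sample locked image: $(builder_status "$SAMPLE_LOCKED")"  # locked

# Only touch the real node when explicitly asked: sh check_builder.sh --apply
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    remediate_node
fi
```

Run without arguments the script only exercises the constructed samples; `--apply` as root reads the node's /etc/shadow and locks the account when it is still enabled. Locking alone is a stopgap: the advisory's actual remedy is to rebuild the image with the fixed Image Builder release and redeploy.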
Kubernetes Image Builder version 0.1.38 also addresses a related issue (CVE-2024-9594, CVSS score: 6.3) involving default credentials when images are built using the Nutanix, OVA, QEMU, or raw providers.
The lower severity of CVE-2024-9594 results from the fact that virtual machines using images created with these providers are only affected “if an attacker was able to reach the virtual machine where the image build was taking place and used the vulnerability to modify the image while the image build was taking place.”
The development comes as Microsoft released server-side patches for three critical vulnerabilities in Dataverse, Imagine Cup, and Power Platform that could lead to elevation of privilege and information disclosure:
- CVE-2024-38139 (CVSS score: 8.7) – Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
- CVE-2024-38204 (CVSS score: 7.5) – Improper access control in Imagine Cup allows an authorized attacker to elevate privileges over a network
- CVE-2024-38190 (CVSS score: 8.6) – Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector
It also follows the disclosure of a critical vulnerability in the open-source enterprise search engine Apache Solr (CVE-2024-45216, CVSS score: 9.8) that could pave the way for an authentication bypass on susceptible instances.
“A fake ending at the end of any Solr API URL path will allow requests to bypass authentication while maintaining the API contract with the original URL path,” a GitHub advisory for the flaw states. “This fake endpoint looks like an unsecured API path, however it is removed internally after authentication but before API routing.”
The issue, which affects Solr versions 5.3.0 to 8.11.4 and 9.0.0 to 9.7.0, has been fixed in versions 8.11.4 and 9.7.0, respectively.