Critical Kubernetes Flaw Exposes VMs to Root-Level SSH Attacks

Oct 17, 2024 | News

A critical vulnerability in Kubernetes, tracked as CVE-2024-9486, could enable unauthorized SSH access to virtual machines (VMs) created using the Kubernetes Image Builder project. Kubernetes, an open-source platform that automates container management, allows users to create VMs with Image Builder for different Cluster API (CAPI) providers, such as Proxmox or Nutanix, which are then used to form the nodes in a Kubernetes cluster.

Vulnerability Overview

The vulnerability affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier. The flaw stems from default credentials that remain enabled after the image-building process is completed. An attacker aware of this issue could exploit it to gain SSH access with root privileges to vulnerable VMs by using these credentials.


Impacted Providers and Severity

  • Proxmox (Critical, CVE-2024-9486): The vulnerability in Proxmox-built images is considered critical because it directly allows root access over SSH once the attacker connects using default credentials.
  • Nutanix, OVA, QEMU, and raw providers (Medium, CVE-2024-9594): The issue is present in these providers as well, but the attack requires additional conditions to exploit successfully. Specifically, an attacker needs access to the image-creating VM during the build process and must perform actions to ensure that the default credentials persist for future access.

Impact of the Vulnerability

If exploited, the vulnerability could allow a threat actor to gain full control of a virtual machine running in a Kubernetes cluster. This could result in serious security breaches, including:

  • Data exfiltration
  • System takeover
  • Lateral movement within the Kubernetes cluster
  • Disruption of services
Mitigation

Permanent Fix:

The Kubernetes community has issued a fix in Kubernetes Image Builder version 0.1.38 or later. This version:

  • Sets a randomly generated password during the image-building process.
  • Disables the default “builder” account after the image build is complete, preventing unauthorized access via default credentials.

Temporary Workaround:

If upgrading to version 0.1.38 or later is not immediately possible, a temporary solution is to manually disable the builder account by running the following command as root on each affected VM:

usermod -L builder

This will lock the “builder” account, preventing further access.

Checking if Your System is Affected

Users are advised to verify whether their systems are vulnerable by inspecting VM images created with Kubernetes Image Builder for Proxmox or other providers. The advisory on the Kubernetes community forums and the linked GitHub page provide more information on how to check affected systems and apply mitigations.
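The following shell function is an added example (not code from the advisory or the Image Builder project) that turns the check and the workaround above into something a practitioner can run against a VM or a mounted image: it reads the image's shadow file (the path is an assumption; pass your own), looks for the "builder" account and reports whether its password field is still usable or has already been locked. A leading "!" in the hash field is what `usermod -L builder` writes, and "*" means no password login is possible; anything else, including an empty field, means the default login path is still open.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit an image's /etc/shadow for the
# Image Builder "builder" account left behind by versions <= 0.1.37.
# Typical use on a mounted image: check_builder_account /mnt/image/etc/shadow
# (the mount path is an assumption; substitute your own).

# check_builder_account SHADOW_FILE
#   returns 0: account absent, or present but locked (no usable password hash)
#   returns 1: account present with a usable password hash, i.e. still exposed
check_builder_account() {
    shadow="$1"
    line=$(grep '^builder:' "$shadow" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "builder: absent"
        return 0
    fi
    # second field of the shadow entry is the password hash
    hash=$(printf '%s' "$line" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*)
            # '!' prefix is written by 'usermod -L builder'; '*' disables password login
            echo "builder: present, password locked"
            return 0 ;;
        *)
            # real hash, or empty field (no password needed): default credentials still work
            echo "builder: present with usable password; run 'usermod -L builder' or rebuild with Image Builder >= 0.1.38"
            return 1 ;;
    esac
}

# Demo on a constructed shadow file (sample data, not taken from a real image).
demo_shadow=$(mktemp)
printf 'root:!:19600:0:99999:7:::\nbuilder:$6$salt$constructedhash:19600:0:99999:7:::\n' > "$demo_shadow"
check_builder_account "$demo_shadow" || true
rm -f "$demo_shadow"
```

Run it once before and once after applying the workaround; the second run should report the account as locked. After upgrading to Image Builder 0.1.38 or later and rebuilding, newly built images should report the account as absent or locked without any manual step.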

Source: bleepingcomputer.com