Message-ID: <CAEftUapV2VARqJBVpugRkKX0CPnxz=EYOpPzuAg29aYhHJPzSg@mail.gmail.com>
Date: Mon, 14 Oct 2024 09:24:28 -0600
From: Joel Smith <joelsmith@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where an unauthorized user
may be able to ssh to a node VM which uses a VM image built with the
Kubernetes Image Builder project
(https://github.com/kubernetes-sigs/image-builder).

For images built with the Proxmox provider, this issue has been rated
Critical (9.8,
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
and assigned CVE-2024-9486.

For images built with the Nutanix, OVA, QEMU or raw providers, this issue
has been rated Medium (6.3,
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
and assigned CVE-2024-9594.

Am I vulnerable?

Clusters using virtual machine images built with Kubernetes Image Builder
(https://github.com/kubernetes-sigs/image-builder) version v0.1.37 or
earlier are affected.

CVE-2024-9486: VMs using images built with the Proxmox provider are
confirmed to be vulnerable.

CVE-2024-9594: VMs using images built with the Nutanix, OVA, QEMU or raw
providers were vulnerable only during the build process. They are affected
only if an attacker was able to reach the VM on which the image was being
built and used the vulnerability to modify the image while the build was
in progress.

VMs using images built with all other providers are not affected.

To determine the version of Image Builder you are using, use one of the
following methods:

* For git clones of the image builder repository:

    cd <local path to image builder repo>
    make version

* For installations using a tarball download:

    cd <local path to install location>
    grep -o 'v0\.[0-9.]*' RELEASE.md | head -1

* For a container image release:

    docker run --rm <image pull spec> version

  or

    podman run --rm <image pull spec> version

  or look at the image tag specified, in the case of an official image such as
  registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.37

How do I mitigate this vulnerability?

Rebuild any affected images using a fixed version of Image Builder.
Re-deploy the fixed images to any affected VMs.

Prior to upgrading, this vulnerability can be mitigated by disabling the
builder account on affected VMs:

usermod -L builder

Fixed Versions

Kubernetes Image Builder versions >= v0.1.38

Detection

The Linux command "last builder" can be used to view logins to the affected
"builder" account.
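To confirm that the interim mitigation was actually applied and to review the login records the detection step points at, the following POSIX sh helper is an added example, not code from the advisory or the Image Builder project. It checks whether a shadow entry for the builder account carries the "!" prefix that usermod -L writes, and it counts and lists the source hosts in `last builder` output. The shadow lines and the `last` output below are constructed samples (RFC 5737 documentation addresses, placeholder hashes), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Image Builder project.
# Verifies the advisory's mitigation and detection steps on text you supply.

# password_locked SHADOW_LINE: succeed when the hash field (2nd colon field)
# starts with "!", the prefix usermod -L writes when it locks an account.
password_locked() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# count_builder_logins LAST_OUTPUT: number of "builder" session lines in the
# output of `last builder` (the trailing "wtmp begins ..." line is skipped).
count_builder_logins() {
    printf '%s\n' "$1" | awk '$1 == "builder" { n++ } END { print n + 0 }'
}

# login_sources LAST_OUTPUT: the distinct source hosts (3rd column) that
# logged in as builder, in order of first appearance.
login_sources() {
    printf '%s\n' "$1" | awk '$1 == "builder" && !seen[$3]++ { print $3 }'
}

# Constructed samples. The addresses are documentation ranges (RFC 5737)
# and the hashes are placeholders, not real credentials.
SAMPLE_SHADOW_UNLOCKED='builder:$6$placeholdersalt$placeholderhash:19999:0:99999:7:::'
SAMPLE_SHADOW_LOCKED='builder:!$6$placeholdersalt$placeholderhash:19999:0:99999:7:::'
SAMPLE_LAST='builder  pts/0        192.0.2.10       Mon Oct 14 03:12   still logged in
builder  pts/1        198.51.100.7     Sun Oct 13 22:40 - 22:55  (00:15)
builder  pts/2        192.0.2.10       Sun Oct 13 21:02 - 21:10  (00:08)

wtmp begins Tue Oct  1 00:00:01 2024'

for line in "$SAMPLE_SHADOW_UNLOCKED" "$SAMPLE_SHADOW_LOCKED"; do
    if password_locked "$line"; then
        echo "builder: locked (usermod -L applied)"
    else
        echo "builder: NOT locked, run: usermod -L builder"
    fi
done
echo "builder logins recorded: $(count_builder_logins "$SAMPLE_LAST")"
echo "from: $(login_sources "$SAMPLE_LAST" | tr '\n' ' ')"
```

On a real node, run as root and pass `"$(getent shadow builder)"` to `password_locked` and `"$(last builder)"` to the two `last` helpers; any login recorded for the builder account on a VM that was never meant to be reachable is the evidence the advisory asks you to report.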

If you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io

Additional Details

See the GitHub issues for more details:

https://github.com/kubernetes/kubernetes/issues/128006

https://github.com/kubernetes/kubernetes/issues/128007

Acknowledgements

This vulnerability was reported by Nicolai Rybnikar @rybnico from Rybnikar
Enterprises GmbH.

The issue was fixed and coordinated by Marcus Noble of the Image Builder
project.

Thank You,

Joel Smith on behalf of the Kubernetes Security Response Committee
