[SECURITY-L] [oss-security] [kubernetes] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials

Segunda Outubro 14 14:51:32 -03 2024

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where an unauthorized user
may be able to ssh to a node VM which uses a VM image built with the
Kubernetes Image Builder project (
https://github.com/kubernetes-sigs/image-builder).

For images built with the Proxmox provider, this issue has been rated
Critical (
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
)
(9.8), and assigned CVE-2024-9486.

For images built with the Nutanix, OVA, QEMU or raw providers, this issue
has been rated Medium (
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
)
(6.3), and assigned CVE-2024-9594.

Am I vulnerable?

Clusters using virtual machine images built with Kubernetes Image Builder (
https://github.com/kubernetes-sigs/image-builder) version v0.1.37 or
earlier are affected.

CVE-2024-9486: VMs using images built with the Proxmox provider are
confirmed to be vulnerable.

CVE-2024-9594: VMs using images built with the Nutanix, OVA, QEMU or raw
providers were vulnerable during the build process and are affected only if
an attacker was able to reach the VM where the image build was happening
and used the vulnerability to modify the image at the time the image build
was occurring.

VMs using images built with all other providers are not affected.

To determine the version of Image Builder you are using, use one of the
following methods:

* For git clones of the image builder repository:
    cd <local path to image builder repo>

    make version

* For installations using a tarball download:
    cd <local path to install location>

    grep -o v0\\.[0-9.]* RELEASE.md | head -1

* For a container image release:

    docker run --rm <image pull spec> version
  or
    podman run --rm <image pull spec> version

  or look at the image tag specified, in the case of an official image such
as
registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.37

How do I mitigate this vulnerability?

Rebuild any affected images using a fixed version of Image Builder.
Re-deploy the fixed images to any affected VMs.

Prior to upgrading, this vulnerability can be mitigated by disabling the
builder account on affected VMs:

usermod -L builder

Fixed Versions

Kubernetes Image Builder versions >= v0.1.38

Detection

The linux command "last builder" can be used to view logins to the affected
"builder" account.

If you find evidence that this vulnerability has been exploited, please
contact security em kubernetes.io

Additional Details

See the GitHub issues for more details:

https://github.com/kubernetes/kubernetes/issues/128006

https://github.com/kubernetes/kubernetes/issues/128007

Acknowledgements

This vulnerability was reported by Nicolai Rybnikar @rybnico from Rybnikar
Enterprises GmbH.

The issue was fixed and coordinated by Marcus Noble of the Image Builder
project.

Thank You,

Joel Smith on behalf of the Kubernetes Security Response Committee
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20241014/6d6b0693/attachment.html>