Byte Open Security (ByteOS Network)

Vulnerability Details:

CVE-2024-9486

Summary
Assigner: kubernetes
Assigner Org ID: a6081bf6-c852-4425-ad4f-a67919267565
Published At: 15 Oct, 2024 | 20:33
Updated At: 16 Oct, 2024 | 18:56
Rejected At: -
Credits: -

VM images built with Image Builder and Proxmox provider use default credentials

A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.

Common Vulnerabilities and Exposures (CVE)
Source: cve.org
Assigner: kubernetes
Assigner Org ID: a6081bf6-c852-4425-ad4f-a67919267565
Published At: 15 Oct, 2024 | 20:33
Updated At: 16 Oct, 2024 | 18:56
Rejected At: -
CVE Numbering Authority (CNA)
Affected Products
Vendor: Kubernetes
Product: Image Builder
Repo: https://github.com/kubernetes-sigs/image-builder
Default Status: unaffected
Versions
Affected
  • From 0 through 0.1.37 (semver)
Unaffected
  • 0.1.38
Problem Types
Type: CWE
CWE ID: CWE-798
Description: CWE-798 Use of Hard-coded Credentials
Metrics
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info: -
Impacts
CAPEC ID: CAPEC-395
Description: CAPEC-395 Bypassing Electronic Locks and Access Controls
Solutions

Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs.

Configurations: -

Workarounds

Prior to upgrading, this vulnerability can be mitigated by disabling the builder account on affected VMs: usermod -L builder
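
As an added example that is not part of the advisory, the following POSIX shell check audits whether the Image Builder default `builder` account is present and locked in shadow-format data, so a node can be verified before and after the workaround above. The sample shadow lines are constructed; the real /etc/shadow is only read when the script runs with permission to do so.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the "builder" account that
# Image Builder <= v0.1.37 leaves enabled on Proxmox-built images.
# Assumes the standard Linux /etc/shadow layout (name:hash:...).

# account_state NAME SHADOW_TEXT
# Prints "absent" when NAME has no shadow entry, "locked" when its password
# field starts with '!' (what "usermod -L" prepends) or '*', else "unlocked".
account_state() {
    name=$1
    entry=$(printf '%s\n' "$2" | grep "^${name}:" | head -n 1)
    if [ -z "$entry" ]; then
        echo absent
        return 0
    fi
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) echo locked ;;
        *)         echo unlocked ;;   # includes an empty field (passwordless)
    esac
}

# Constructed sample shadow data: a builder account with a usable hash.
SAMPLE_SHADOW='root:$6$roothash$constructed:19900:0:99999:7:::
builder:$6$builderhash$constructed:19900:0:99999:7:::
nobody:*:19900:0:99999:7:::'

# audit_builder SHADOW_TEXT
# Returns 0 when the account is absent or locked, 1 when it is still usable.
audit_builder() {
    state=$(account_state builder "$1")
    echo "builder account: $state"
    if [ "$state" = unlocked ]; then
        echo "workaround from the advisory: usermod -L builder; then rebuild the image with a fixed Image Builder (0.1.38)"
        return 1
    fi
    return 0
}

# Run against the constructed sample, then against the real file if readable.
audit_builder "$SAMPLE_SHADOW" || true
if [ -r /etc/shadow ]; then
    audit_builder "$(cat /etc/shadow)" || true
fi
```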

Exploits: -

Credits
Reporter: Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.
Timeline: -
Replaced By: -
Rejected Reason: -
References
https://github.com/kubernetes/kubernetes/issues/128006 (vendor-advisory, issue-tracking)
https://github.com/kubernetes-sigs/image-builder/pull/1595 (patch)
https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ (mailing-list)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor: kubernetes
Product: image_builder
CPEs
  • cpe:2.3:a:kubernetes:image_builder:*:*:*:*:*:*:*:*
Default Status: unknown
Versions
Affected
  • From 0 before 0.1.38 (semver)
Metrics: -
Impacts: -
Solutions: -
Configurations: -
Workarounds: -
Exploits: -
Credits: -
Timeline: -
Replaced By: -
Rejected Reason: -
References: Information is not available yet
National Vulnerability Database (NVD)
nvd.nist.gov
Source: jordan@liggitt.net
Published At: 15 Oct, 2024 | 21:15
Updated At: 08 Nov, 2024 | 20:56

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Vendor: kubernetes
Product: image_builder
Versions: before 0.1.38 (exclusive)
cpe:2.3:a:kubernetes:image_builder:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-798
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-798
Type: Secondary
Source: jordan@liggitt.net
Evaluator Description: -
Evaluator Impact: -
Evaluator Solution: -
Vendor Statements: -
References
https://github.com/kubernetes-sigs/image-builder/pull/1595 (Source: jordan@liggitt.net; Resource: Patch)
https://github.com/kubernetes/kubernetes/issues/128006 (Source: jordan@liggitt.net; Resource: Issue Tracking)
https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ (Source: jordan@liggitt.net; Resource: Vendor Advisory)

Change History: Information is not available yet

Similar CVEs: 0 records found