[TIMESTAMP: 2026-04-28 05:12 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2024-9486: Critical Kubernetes Image Builder Flaws Exposed

CRITICAL Vulnerabilities | #CVE-2024-9486 #CVE-2024-9487 #Kubernetes
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers can gain root access to virtual machines by exploiting hardcoded credentials in images created via Kubernetes Image Builder.
  • [02] Impacted systems include VM images built for Nutanix, Proxmox, and vSphere using Kubernetes Image Builder versions prior to v0.1.38.
  • [03] Defenders must update Image Builder to version v0.1.38 or later and rebuild all existing virtual machine images immediately.

A critical security advisory has been released regarding several high-impact vulnerabilities affecting the Kubernetes Image Builder project. According to details shared in the SANS ISC Diary 32928, these flaws allow for Privilege Escalation and unauthorized access due to the inclusion of hardcoded credentials in the virtual machine (VM) images generated by the tool. The most severe of these, CVE-2024-9486, carries a CVSS score of 9.8 and primarily impacts images built for Proxmox and vSphere environments.

Technical Analysis of Kubernetes Image Builder Vulnerabilities

The Kubernetes Image Builder project is a widely used utility that creates VM images for multiple infrastructure providers using Packer. The primary issue stems from how the tool handles the default ‘builder’ account during image creation. The builder account is granted root-level permissions so it can configure the OS; in affected versions it is neither removed nor secured once the build completes. Consequently, every VM instantiated from one of these images contains a working account with a known, hardcoded password.

This flaw allows an unauthenticated attacker with network access to the VM to log in via SSH or a console interface. Once logged in, the attacker can achieve full administrative control, facilitating Lateral Movement within the cluster or the underlying infrastructure. While CVE-2024-9486 is the most critical, CVE-2024-9487 represents a similar risk for images built specifically for the Nutanix provider, although it is rated slightly lower at CVSS 8.3 due to configuration differences in how Nutanix images are typically deployed.

How to Detect CVE-2024-9486 Exploit via Log Analysis

Security teams should focus on identifying unauthorized use of the ‘builder’ account across their VM inventory. To determine whether an environment is at risk, administrators should check /etc/passwd and /etc/shadow on active nodes for the ‘builder’ username. To detect CVE-2024-9486 exploitation attempts, organizations should ingest SSH authentication logs into their SIEM and look for successful logins by this account. Correlating those logins with unexpected source IP addresses, or with EDR alerts indicating suspicious root-level shell activity, can help confirm an active compromise.
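The two checks described above, as an added example that is not code from the Image Builder project or from the advisory: the first reports whether a ‘builder’ account exists in a passwd file and whether it is locked in the matching shadow file, the second pulls the source IP of every successful sshd login as ‘builder’ out of an auth log. The sample passwd, shadow and auth.log contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Image Builder project or the advisory.
# Check 1: does a 'builder' account exist in a passwd file, and is it locked
#          in the matching shadow file?
# Check 2: which sshd log lines record a successful login as 'builder'?
# Both take file paths, so they also work on copies collected from nodes.

# builder_account_state PASSWD SHADOW -> absent | locked | active
builder_account_state() {
    passwd_file=$1; shadow_file=$2
    if ! grep -q '^builder:' "$passwd_file"; then
        echo absent; return 0
    fi
    hash=$(grep '^builder:' "$shadow_file" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) echo locked ;;   # hash field starts with ! or *: login disabled
        *)         echo active ;;   # usable hash, or empty field: treat as at risk
    esac
}

# builder_ssh_logins AUTHLOG -> source IP of each successful sshd login as
# 'builder' (password or key), one per line, for SIEM correlation
builder_ssh_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey) for builder from ' "$1" \
        | sed -E 's/.* for builder from ([^ ]+) port .*/\1/'
}

# --- constructed sample files standing in for data pulled off a node ---
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'builder:x:1000:1000::/home/builder:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' 'root:*:19700:0:99999:7:::' \
    'builder:$6$fakesalt$fakehash:19700:0:99999:7:::' > "$SAMPLE_DIR/shadow"
printf '%s\n' 'builder:!$6$fakesalt$fakehash:19700:0:99999:7:::' > "$SAMPLE_DIR/shadow.locked"
printf '%s\n' \
  'Oct 16 10:01:02 node1 sshd[1234]: Accepted password for builder from 203.0.113.5 port 51234 ssh2' \
  'Oct 16 10:02:10 node1 sshd[1240]: Failed password for builder from 203.0.113.9 port 51240 ssh2' \
  'Oct 16 10:03:00 node1 sshd[1250]: Accepted publickey for ops from 198.51.100.7 port 51250 ssh2' \
  > "$SAMPLE_DIR/auth.log"

echo "builder account: $(builder_account_state "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow")"
echo "successful builder SSH logins from:"
builder_ssh_logins "$SAMPLE_DIR/auth.log"
```

On a live node, point the functions at /etc/passwd, /etc/shadow and the sshd log (for example /var/log/auth.log or journalctl -u ssh output saved to a file); an ‘active’ result on a running VM is the condition the advisory describes.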

Kubernetes Image Builder v0.1.38 Patch Guidance

The project maintainers have released a fix in version v0.1.38. This update ensures that the temporary ‘builder’ account is properly cleaned up or disabled before the image is finalized. For organizations running these automated build pipelines, following the Kubernetes Image Builder v0.1.38 patch guidance is non-negotiable. Merely updating the tool is insufficient: all existing VM images must be rebuilt with the patched version, and VMs already running from old images must be replaced or manually remediated.

If immediate redeployment is not feasible, administrators should mitigate the risk on Nutanix (CVE-2024-9487) and Proxmox images by manually disabling the ‘builder’ account, either by locking it with passwd -l builder or by removing the user entirely. Furthermore, in line with MITRE ATT&CK-informed hardening, security practitioners should enforce strict ingress network security groups that block SSH access from the public internet, reducing the attack surface for this CVE.
