Hello Kubernetes Community,
A security issue was discovered in Kubernetes where an unauthorized user may be able to ssh to a node VM which uses a VM image built with the Kubernetes Image Builder project (https://github.com/kubernetes-sigs/image-builder).
For images built with the Proxmox provider, this issue has been rated Critical (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (9.8), and assigned CVE-2024-9486.
For images built with the Nutanix, OVA, QEMU or raw providers, this issue has been rated Medium (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) (6.3), and assigned CVE-2024-9594.
Am I vulnerable?
Clusters using virtual machine images built with Kubernetes Image Builder (GitHub - kubernetes-sigs/image-builder: Tools for building Kubernetes disk images) version v0.1.37 or earlier are affected.
CVE-2024-9486: VMs using images built with the Proxmox provider are confirmed to be vulnerable.
CVE-2024-9594: VMs using images built with the Nutanix, OVA, QEMU or raw providers were vulnerable during the build process and are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.
VMs using images built with all other providers are not affected.
To determine the version of Image Builder you are using, use one of the following methods:
- For git clones of the image builder repository:
cd
make version
- For installations using a tarball download:
cd
grep -o v0\.[0-9.]* RELEASE.md | head -1
- For a container image release:
docker run --rm version
or
podman run --rm version
or look at the image tag specified, in the case of an official image such as registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.37
How do I mitigate this vulnerability?
Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs.
Prior to upgrading, this vulnerability can be mitigated by disabling the builder account on affected VMs:
usermod -L builder
Fixed Versions
Kubernetes Image Builder versions >= v0.1.38
Detection
The linux command “last builder” can be used to view logins to the affected “builder” account.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details
See the GitHub issues for more details:
https://github.com/kubernetes/kubernetes/issues/128006
https://github.com/kubernetes/kubernetes/issues/128007
Acknowledgements
This vulnerability was reported by Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.
The issue was fixed and coordinated by Marcus Noble of the Image Builder project.
Thank You,
Joel Smith on behalf of the Kubernetes Security Response Committee