Use of Hard-coded Credentials (CWE-798)
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
This vulnerability allows attackers to gain unauthorized root access to affected Kubernetes nodes. The impact is severe, as it could lead to complete compromise of the affected nodes, potentially allowing attackers to execute arbitrary code, access sensitive data, or use the compromised nodes as a stepping stone for further attacks within the cluster. Given the CVSS base score of 9.8 (Critical), this vulnerability poses a significant risk to the confidentiality, integrity, and availability of affected systems.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.
A patch is available. Users should upgrade to Kubernetes Image Builder version > v0.1.37, which addresses this vulnerability.
1. Immediately upgrade Kubernetes Image Builder to a version higher than v0.1.37.
2. Rebuild all virtual machine images created with the vulnerable versions of Kubernetes Image Builder using the Proxmox provider.
3. Replace any nodes in Kubernetes clusters that were created using the affected images.
4. Implement strong access controls and network segmentation to limit potential damage if exploitation occurs.
5. Regularly audit and rotate credentials, especially for critical systems and components.
6. Monitor for any suspicious activities or unauthorized access attempts on Kubernetes nodes.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2024-9486.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9486
A CVSS base score of 9.8 has been assigned.
EPSS Score was set to: 0.05% (Percentile: 16.4%)
CVE-2024-9486 is a critical vulnerability with a CVSS score of 9.8 that affects images built with the Proxmox provider, allowing attackers to gain root access to virtual machines by exploiting default credentials retained during the image build process. To mitigate this vulnerability, it is recommended to disable the "builder" account on affected virtual machines using the command 'usermod -L builder'. There is no information provided regarding exploitation in the wild, proof-of-concept exploits, or downstream impacts on other third-party vendors.
RedHat CVE advisory released a security advisory (CVE-2024-9486).
Detection for the vulnerability has been added to Qualys (5001297)
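The remediation steps above (rebuild or replace affected nodes, and lock the "builder" account with 'usermod -L builder' in the meantime) leave a defender needing a quick way to verify, node by node, whether the default account is still present and unlocked. The following audit helper is an added example, not code from the Image Builder project or from this advisory; it inspects the password field of an /etc/shadow entry (a leading "!" or "*" means the password is locked or unusable) and is exercised here against a constructed sample shadow file rather than a real node.

```shell
#!/bin/sh
# Added example (not from the Image Builder project): audit whether a local
# account exists and whether its password is locked, using the /etc/shadow
# password field. A "!" or "*" prefix means no usable password (locked).
# Exit codes: 0 = absent or locked (nothing to do), 1 = present and unlocked
# (remediation needed), 2 = shadow file not readable.
check_account_locked() {
    name="$1"
    shadow="${2:-/etc/shadow}"
    [ -r "$shadow" ] || return 2
    # Absent account: there is nothing to lock.
    line=$(grep "^${name}:" "$shadow") || return 0
    pw=$(printf '%s' "$line" | cut -d: -f2)
    case "$pw" in
        '!'*|'*'*) return 0 ;;   # locked or no password set
        *)         return 1 ;;   # usable hash present: default login works
    esac
}

# Human-readable verdict for one account; prints the recommended action
# from the advisory (usermod -L) rather than running it.
report_account() {
    rc=0
    check_account_locked "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1: absent or locked" ;;
        1) echo "$1: UNLOCKED - run: usermod -L $1" ;;
        *) echo "$1: cannot read shadow file" ;;
    esac
}

# Constructed sample shadow file: "builder" still has a usable hash, the
# other accounts are locked. Hash and salt values are placeholders.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:19700:0:99999:7:::
builder:$6$constructedsalt$constructedhash:19700:0:99999:7:::
ubuntu:!:19700:0:99999:7:::
EOF

report_account builder "$SAMPLE_SHADOW"
report_account ubuntu "$SAMPLE_SHADOW"
```

On a real node, run `report_account builder` with no second argument (as root, so /etc/shadow is readable) and treat any UNLOCKED result as a node that must be locked down and then rebuilt from a patched image.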