CVE-2024-9594

Use of Hard-coded Credentials (CWE-798)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 8.1 / EPSS 0.05% / Severity: High

Summary

A security vulnerability has been identified in Kubernetes Image Builder versions 0.1.37 and earlier. This issue affects the Nutanix, OVA, QEMU, and raw providers. During the image build process, default credentials are enabled on the VM being built, and anyone who can reach that VM can use them to gain root access. These credentials are disabled at the conclusion of the image build process, so a finished image does not expose them. Kubernetes clusters are only affected if their nodes use VM images created with the Image Builder project, and only if an attacker was able to reach the VM during the image build process and used the credentials to modify the image at that time. The related CVE-2024-9486 covers the Proxmox provider, where the credentials remained enabled in the finished image and the impact is correspondingly more severe.

Impact

The impact of this vulnerability could be severe if exploited successfully. An attacker who gains access during the image build process could potentially:

1. Obtain root access to the system, giving them complete control over the VM image being built.
2. Modify the image to include malicious code or backdoors, which would then be distributed to every Kubernetes cluster that deploys nodes from that image.
3. Compromise the integrity and security of any Kubernetes cluster that uses the affected images.
4. Gain access to sensitive data or resources within the affected Kubernetes environments.

The impact is limited to scenarios where an attacker can reach the VM during the image build process, which reduces the likelihood of exploitation in many environments.

Exploitation

There is no evidence of a public proof-of-concept, and no evidence of exploitation in the wild at this time.

Patch

A patch is available for this vulnerability. The issue has been addressed in Kubernetes Image Builder v0.1.38; all versions newer than v0.1.37 include the fix. Security teams should prioritize updating to the latest version of the Kubernetes Image Builder and rebuilding images produced by affected versions.

Mitigation

To mitigate this vulnerability, consider the following recommendations:

1. Update Kubernetes Image Builder: Upgrade to v0.1.38 or later as soon as possible.
2. Audit existing images: Review, and where necessary rebuild, any VM images created with affected versions of the Kubernetes Image Builder, especially if there is any suspicion that an attacker could reach the VM during the build process.
3. Network segmentation: Implement strict network controls so that the VM being built is reachable only from the build host during the image build process.
4. Monitoring: Monitor the image building environment for unauthorized access attempts, including logins to the build-time account.
5. Secure build environment: Ensure that the environment where images are built is hardened and isolated from untrusted networks.
6. Verify image integrity: Record checksums of built images at the end of the build and verify them before deployment.
7. Least privilege principle: Apply the principle of least privilege to all systems and processes involved in image building and Kubernetes cluster management.
8. Regular security assessments: Conduct regular security audits of your Kubernetes environments, including the image building process and deployed images.
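One way to carry out the audit in item 2, as an added example that is not code from the Kubernetes Image Builder project or from any of this page's sources: the script below reads a shadow file (a live node's /etc/shadow, or the etc/shadow inside a mounted image) and reports whether the build-time account still carries a usable password, which is the state this CVE describes while a build is running and which a correctly finished image must not have. It assumes the build-time account is named builder, which this page does not state; substitute whatever name your build configuration uses. The sample shadow lines are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not Kubernetes Image Builder code): report whether a
# build-time account in a shadow file still has a usable password.
# Assumption: the account is named "builder" (not stated on this page).

# Print "absent", "locked" or "ENABLED" for ACCOUNT in SHADOW_FILE.
# A password field beginning with "!" or "*" cannot authenticate; an
# empty field (no password required) or a real hash can, so both of
# those count as ENABLED.
shadow_account_state() {
    shadow_file=$1
    account=$2
    found=$(awk -F: -v u="$account" '$1 == u { print "found:" $2; exit }' "$shadow_file")
    case "$found" in
        '')                     echo absent ;;
        'found:!'*|'found:*'*)  echo locked ;;
        *)                      echo ENABLED ;;
    esac
}

# Audit a root filesystem (a running node, or the mount point of an
# image) for the given accounts. Prints one line per account and
# returns 0 when none of them can log in, 1 when at least one can.
audit_build_accounts() {
    rootfs=$1
    shift
    live=0
    for account in "$@"; do
        state=$(shadow_account_state "$rootfs/etc/shadow" "$account")
        printf '%s: account %s is %s\n' "$rootfs" "$account" "$state"
        if [ "$state" = ENABLED ]; then
            live=1
        fi
    done
    return "$live"
}

# Constructed sample root filesystem: "builder" still has a live hash
# (the during-build state), "ubuntu" was locked with passwd -l, "root"
# is locked with "*", and "nopass" has an empty password field.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/etc"
cat > "$DEMO_ROOT/etc/shadow" <<'EOF'
root:*:19600:0:99999:7:::
builder:$6$constructedsalt$constructedhash:19650:0:99999:7:::
ubuntu:!$6$anothersalt$anotherhash:19650:0:99999:7:::
nopass::19650:0:99999:7:::
EOF

# Stand-alone run: the sample tree first, then the live system when
# /etc/shadow is readable (normally only as root).
audit_build_accounts "$DEMO_ROOT" builder ubuntu nopass || echo "sample: live build-time account found"
[ -r /etc/shadow ] && audit_build_accounts / builder || true
```

Run it as root on a node, or point it at the mount point of an image you want to check before rolling it out; a finished image from a fixed Image Builder release should report the build-time account as locked or absent, and any ENABLED result on a deployed node is a reason to pull the image and rebuild with v0.1.38 or later.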

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9594.

Oct 14, 2024 at 8:15 PM / Seclists.org

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 14, 2024 at 8:21 PM

CVE Assignment

NVD published the first details for CVE-2024-9594

Oct 15, 2024 at 9:15 PM

CVSS

A CVSS base score of 6.3 has been assigned.

Oct 15, 2024 at 9:20 PM / nvd

Vendor Advisory

GitHub Advisories released a security advisory.

Oct 15, 2024 at 9:30 PM

CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 15, 2024 at 9:36 PM

Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-9594).

Oct 15, 2024 at 10:00 PM

EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 16, 2024 at 11:01 AM

Threat Intelligence Report

CVE-2024-9594, with a CVSS score of 6.3, affects images built with Nutanix, OVA, QEMU, and raw providers, and involves default credentials that are disabled after the build process, making it less severe but still exploitable if an attacker gains access during the build. There is no information provided regarding exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors.

Oct 16, 2024 at 11:07 AM

Affected Systems

Kubernetes/image_builder

Patches

bugzilla.redhat.com

Links to Mitre Att&cks

T1552.001: Credentials In Files

Attack Patterns

CAPEC-191: Read Sensitive Constants Within an Executable

Vendor Advisory

[GHSA-8jpg-62jc-hwhr] VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder
A security issue was discovered in the Kubernetes Image Builder versions <=v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials are disabled at the conclusion of the image build process.

References

[Security Advisory] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials
Clusters using virtual machine images built with Kubernetes Image Builder ( GitHub - kubernetes-sigs/image-builder: Tools for building Kubernetes disk images ) version v0.1.37 or earlier are affected. VMs using images built with all other providers are not affected.
Kubernetes Image Builder Vulnerabilities
Certain image build providers did not disable default administrative credentials after the build process, allowing potential attackers root access to nodes after deployment in some cases. The vulnerabilities impact all versions of Image Builder up to and including Image Builder v0.1.37 when providers Proxmox (most severe), Nutanix, OVA, QEMU, and/or raw are utilized.
Critical Vulnerabilities Affecting GitHub Enterprise Server, Kubernetes Image Builder, and GiveWP Plugin
Recently, several critical vulnerabilities have been disclosed, affecting widely used platforms like GitHub Enterprise Server (GHES), Kubernetes Image Builder, and the GiveWP plugin for WordPress. The latest security update for GitHub Enterprise Server (GHES) addresses three newly discovered vulnerabilities, including a critical issue that could allow unauthorized access to the platform.

News

SUSE SLES15 / openSUSE 15 Security Update : govulncheck-vulndb (SUSE-SU-2024:3911-1)
The remote SUSE host is missing one or more security updates. The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3911-1 advisory.
suse_linux SUSE-SU-2024:3911-1: SUSE SLES15 / openSUSE 15 : Security update for govulncheck-vulndb (Important) (SUSE-SU-2024:3911-1)
Testing Last Updated: 11/6/2024 CVEs: CVE-2024-49757 , CVE-2024-47182 , CVE-2024-8037 , CVE-2024-47827 , CVE-2024-8996 , CVE-2024-9264 , CVE-2024-47003 , CVE-2024-33662 , CVE-2024-47067 , CVE-2024-9180 , CVE-2024-49753 , CVE-2024-8038 , CVE-2024-9407 , CVE-2024-48921 , CVE-2024-47877 , CVE-2024-10214 , CVE-2023-32197 , CVE-2024-47832 , CVE-2024-8901 , CVE-2024-39223 , CVE-2024-9355 , CVE-2024-9313 , CVE-2024-8975 , CVE-2024-9341 , CVE-2024-36814 , CVE-2024-49381 , CVE-2024-22036 , CVE-2024-9486 , CVE-2024-47825 , CVE-2024-7558 , CVE-2023-22644 , CVE-2024-9594 , CVE-2024-47616 , CVE-2024-10241 , CVE-2024-49380 , CVE-2022-45157 , CVE-2024-38365 , CVE-2024-47534 , CVE-2024-48909 , CVE-2024-9312 , CVE-2024-7594 , CVE-2024-22030 , CVE-2024-9675 , CVE-2024-50312
Security: Multiple issues in govulncheck-vulndb (SUSE)
* SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE: 2024:3911-1 important: govulncheck-vulndb Security Advisory Updates
* jsc#PED-11136 Cross-References: * CVE-2022-45157 * CVE-2023-22644
openSUSE: 2024:3911-1: important: govulncheck-vulndb Security Advisory Update
This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20241030T212825 2024-10-30T21:28:25Z ( jsc#PED-11136 )

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
