The Kubernetes Image Builder contains a serious security flaw that, under certain conditions, could be exploited to gain root access.
Version 0.1.38 fixes the issue, which is known as CVE-2024-9486 (CVSS score: 9.8). Nicolai Rybnikar was credited by the project maintainers for identifying and disclosing the issue.
“A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process,” Red Hat’s Joel Smith said in an alert.
“Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.”
The vulnerability primarily affects Kubernetes clusters whose nodes run virtual machine (VM) images generated by the Image Builder project's Proxmox provider.
Disabling the builder account on affected virtual machines is the suggested short-term mitigation. Users are also advised to rebuild the affected images with a fixed version of Image Builder and redeploy them to the VMs.
The Kubernetes team’s solution replaces the default credentials with a password that is created at random and is set for the length of the image build. Additionally, when the image build process is finished, the builder account is disabled.
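The two halves of that fix (a build-time password that is not a fixed default, and a builder account that is disabled once the build is done) map directly onto what a cluster operator can check on an existing node image. The shell script below is an added example written for this article; it is not code from the Kubernetes Image Builder project or from the advisory. It assumes the account is literally named "builder" and that the node's shadow-format password file is available to inspect (a copy of it is constructed inline here, with a placeholder hash rather than a real credential).

```sh
#!/bin/sh
# Added example, not from the Kubernetes Image Builder project or the advisory.
# Audits a shadow-format file for the "builder" account and applies the same
# mitigation the fix applies at the end of a build: locking the account.
# Field 2 of /etc/shadow is the password hash; a leading "!" or "*" means the
# account cannot authenticate with a password. Anything else (including an
# empty field, which means no password is required) is treated as enabled.

# Print "locked", "enabled" or "absent" for ACCOUNT in shadow file FILE.
account_state() {
  file="$1"
  account="${2:-builder}"
  awk -F: -v acct="$account" '
    $1 == acct {
      found = 1
      if ($2 ~ /^[!*]/) print "locked"
      else print "enabled"
      exit
    }
    END { if (!found) print "absent" }
  ' "$file"
}

# Lock ACCOUNT in FILE by prefixing its hash with "!", which is what
# `usermod -L` does to the real /etc/shadow on a live node.
lock_account() {
  file="$1"
  account="${2:-builder}"
  tmp="$file.tmp"
  awk -F: -v OFS=: -v acct="$account" '
    $1 == acct && $2 !~ /^!/ { $2 = "!" $2 }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Random build-time password (48 hex characters), the kind of value the fix
# uses in place of a fixed default for the duration of the image build.
build_password() {
  head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Audit one shadow file: lock the builder account if it is still enabled,
# then print the resulting state.
audit_node() {
  state="$(account_state "$1" builder)"
  if [ "$state" = "enabled" ]; then
    echo "builder account enabled in $1: locking it" >&2
    lock_account "$1" builder
  else
    echo "builder account $state in $1" >&2
  fi
  account_state "$1" builder
}

# Constructed sample: a node image whose builder account still carries a
# usable hash. The hash is a made-up placeholder, not a real credential.
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:19500:0:99999:7:::
builder:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19500:0:99999:7:::
nobody:*:19500:0:99999:7:::
EOF

audit_node "$SAMPLE_SHADOW"
rm -f "$SAMPLE_SHADOW"
```

On a real node the same check is `awk -F: '$1=="builder"{print $2}' /etc/shadow` run as root, and the lock step is `usermod -L builder` (or `passwd -l builder`); rebuilding the image with Image Builder 0.1.38 or later remains the proper fix, since locking only addresses the account the advisory names.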
A related problem (CVE-2024-9594, CVSS score: 6.3) with default credentials when image builds are made using the Nutanix, OVA, QEMU, or raw providers is also fixed in Kubernetes Image Builder version 0.1.38.
CVE-2024-9594 carries a lower severity because virtual machines (VMs) that use images created by these providers are affected only “if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.”
This development coincides with Microsoft’s server-side updates for three critical vulnerabilities—Dataverse, Imagine Cup, and Power Platform—that might result in information exposure and privilege escalation.
- CVE-2024-38139 (CVSS score: 8.7): Improper authentication in Microsoft Dataverse allows an authorised attacker to elevate privileges over a network.
- CVE-2024-38204 (CVSS score: 7.5): Improper access control in Imagine Cup allows an authorised attacker to elevate privileges over a network.
- CVE-2024-38190 (CVSS score: 8.6): Missing authorisation in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector.
It also follows the disclosure of a serious vulnerability in the Apache Solr open-source enterprise search engine (CVE-2024-45216, CVSS score: 9.8) that could allow an authentication bypass on susceptible instances.
“A fake ending at the end of any Solr API URL path will allow requests to skip authentication while maintaining the API contract with the original URL path,” a GitHub advisory for the flaw states. “This fake ending looks like an unprotected API path; however, it is stripped off internally after authentication but before API routing.”
The flaw affects Solr versions from 5.3.0 up to but not including 8.11.4, and from 9.0.0 up to but not including 9.7.0; it is fixed in versions 8.11.4 and 9.7.0 respectively.