{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-112.pdf"
    },
    "title": "Critical Vulnerability in Kubernetes",
    "serial_number": "2024-112",
    "publish_date": "17-10-2024 14:37:11",
    "description": "On October 14, 2024, Kubernetes released a security advisory addressing a critical vulnerability affecting the Kubernetes Image Builder project. <br>\nIt is recommended to update the Kubernetes Image Builder and to redeploy or mitigate Virtual Machines (VMs) created by the vulnerable Kubernetes Image Builder.<br>\n",
    "url_title": "2024-112",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Kubernetes'\nnumber: '2024-112'\nversion: '1.0'\noriginal_date: '2024-10-14'\ndate: '2024-10-17'\n---\n\n_History:_\n\n* _17/10/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn October 14, 2024, Kubernetes released a security advisory addressing a critical vulnerability affecting the Kubernetes Image Builder project [1,2].\n\nIt is recommended to update the Kubernetes Image Builder and to redeploy or mitigate Virtual Machines (VMs) created by the vulnerable Kubernetes Image Builder.\n\n# Technical Details\n\nThe flaw affects Kubernetes Image Builder version 0.1.37 and earlier. It enables root access via SSH using default credentials on VMs built with the vulnerable version of Kubernetes Image Builder [2].\n\nFor images built with the Proxmox provider, the vulnerability has been assigned `CVE-2024-9486`, with a CVSS score of 9.8.\n\nFor images built with the Nutanix, OVA, QEMU or raw providers, the vulnerability has been assigned `CVE-2024-9594`, with a CVSS score of 6.3.\n\n# Affected Products\n\nThis flaw affects:\n\n- Kubernetes Image Builder v0.1.37 and earlier;\n- VM images built with the vulnerable version of Kubernetes Image Builder.\n\n# Recommendations\n\nIt is strongly recommended to update the Kubernetes Image Builder and to redeploy VMs created by the vulnerable Kubernetes Image Builder.\n\n## Mitigations\n\nIt is possible to mitigate the vulnerability in affected VMs by disabling the `builder` account: `usermod -L builder`\n\n## Detection\n\nThe Linux command `last builder` can be used to view logins to the affected `builder` account.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/critical-kubernetes-image-builder-flaw-gives-ssh-root-access-to-vms/>\n\n[2] <https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119>",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/10/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On October 14, 2024, Kubernetes released a security advisory addressing a critical vulnerability affecting the Kubernetes Image Builder project [1,2].</p><p>It is recommended to update the Kubernetes Image Builder and to redeploy or mitigate Virtual Machines (VMs) created by the vulnerable Kubernetes Image Builder.</p><h2 id=\"technical-details\">Technical Details</h2><p>The flaw affects Kubernetes Image Builder version 0.1.37 and earlier. It enables root access via SSH using default credentials on VMs built with the vulnerable version of Kubernetes Image Builder [2].</p><p>For images built with the Proxmox provider, the vulnerability has been assigned <code>CVE-2024-9486</code>, with a CVSS score of 9.8.</p><p>For images built with the Nutanix, OVA, QEMU or raw providers, the vulnerability has been assigned <code>CVE-2024-9594</code>, with a CVSS score of 6.3.</p><h2 id=\"affected-products\">Affected Products</h2><p>This flaw affects:</p><ul><li>Kubernetes Image Builder v0.1.37 and earlier;</li><li>VM images built with the vulnerable version of Kubernetes Image Builder.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is strongly recommended to update the Kubernetes Image Builder and to redeploy VMs created by the vulnerable Kubernetes Image Builder.</p><h3 id=\"mitigations\">Mitigations</h3><p>It is possible to mitigate the vulnerability in affected VMs by disabling the <code>builder</code> account: <code>usermod -L builder</code></p><h3 id=\"detection\">Detection</h3><p>The Linux command <code>last builder</code> can be used to view logins to the affected <code>builder</code> account.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/critical-kubernetes-image-builder-flaw-gives-ssh-root-access-to-vms/\">https://www.bleepingcomputer.com/news/security/critical-kubernetes-image-builder-flaw-gives-ssh-root-access-to-vms/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119\">https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}