A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances. The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability. "A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process," Red Hat's Joel Smith said in an alert. "Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access." That having said, Kubernetes clusters are only impacted by the flaw if their nodes use virtual machine (VM) images created via the Image Builder project with the Proxmox provider. As temporary mitigations, it has been advised to disable the builder account on affected VMs. Users are also recommended to rebuild affected images using a fixed version of Image Builder and redeploy them on VMs. The fix put in place by the Kubernetes team eschews the default credentials for a randomly-generated password that's set for the duration of the image build. In addition, the builder account is disabled at the end of the image build process. Kubernetes Image Builder version 0.1.38 also addresses a…Read More