PT-2024-6934 · Kubernetes · Kubernetes Image Builder

Nicolai Rybnikar · Published 2024-10-14 · Updated 2024-11-08 · CVE-2024-9594

CVSS v2.0: 6.5 (Medium)

Vector: AV:A/AC:H/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Kubernetes Image Builder versions <= v0.1.37

Description

A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process when using certain providers, such as Nutanix, OVA, QEMU, or raw. This allows an attacker to gain root access to the virtual machine. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.

Recommendations

For Kubernetes Image Builder versions <= v0.1.37, consider disabling the default credentials during the image build process as a temporary workaround until a patch is available. Restrict access to the VM where the image build is happening to minimize the risk of exploitation. Avoid using the vulnerable providers, such as Nutanix, OVA, QEMU, or raw, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

BDU:2024-08157
CVE-2024-9594
GHSA-8JPG-62JC-HWHR
GO-2024-3204
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Kubernetes Image Builder
SUSE