CVE-2024-9594: VM images built with Image Builder with some providers use default credentials during builds #128007

Closed
kubernetes-sigs/image-builder
#1596
@joelsmith

CVSS Rating: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project.

Am I vulnerable?

Clusters using virtual machine images built with Kubernetes Image Builder (https://github.com/kubernetes-sigs/image-builder) version v0.1.37 or earlier are affected if built with the Nutanix, OVA, QEMU or raw providers. These images were vulnerable during the image build process and are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.

VMs using images built with the Proxmox provider are affected by a related, but much more serious vulnerability (see #128006).

VMs using images built with all other providers are not affected by this issue.

To determine the version of Image Builder you are using, use one of the following methods:

  • For git clones of the image builder repository:
    cd <local path to image builder repo>
    make version
  • For installations using a tarball download:
    cd <local path to install location>
    grep -o 'v0\.[0-9.]*' RELEASE.md | head -1
  • For a container image release:
    docker run --rm <image pull spec> version
    or
    podman run --rm <image pull spec> version
    or look at the image tag specified, in the case of an official image such as registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.37

Affected Versions

  • Kubernetes Image Builder versions <= v0.1.37

How do I mitigate this vulnerability?

Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs.

Fixed Versions

Detection

The Linux command "last builder" can be used to view logins to the affected builder account.

If you find evidence that this vulnerability has been exploited, please contact [email protected]
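
The check above can be scripted for use across many nodes. The following is an added example, not part of the advisory or of Image Builder: it filters `last` output down to records for the builder account and separates logins that did not come from your own build tooling. It assumes the util-linux `last` command; `BUILD_HOST` is a hypothetical, site-specific value and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): triage `last` output for the build account.
# Assumes util-linux `last`; BUILD_HOST is a hypothetical, site-specific value.

ACCOUNT="builder"            # account named by the advisory's `last builder` command
BUILD_HOST="${BUILD_HOST:-}" # address your own build tooling logged in from, if any

# Keep only session records for $ACCOUNT from `last`-style output on stdin.
# This drops reboot/other-user records and the "wtmp begins ..." trailer.
account_logins() {
    awk -v acct="$ACCOUNT" '$1 == acct'
}

# Of those, keep records whose source column is not $BUILD_HOST. Console logins
# have no source column, so they never match and are always reported.
unexpected_logins() {
    account_logins | awk -v ok="$BUILD_HOST" 'ok == "" || $3 != ok'
}

# Count lines on stdin (prints 0 for empty input).
count_lines() {
    awk 'END { print NR }'
}

# Query the live wtmp and uncompressed rotated copies on this host.
scan_host() {
    for f in /var/log/wtmp /var/log/wtmp.[0-9]*; do
        case "$f" in *.gz|*.xz|*.bz2) continue ;; esac  # decompress these first
        [ -r "$f" ] || continue
        last -F -w -f "$f" "$ACCOUNT"
    done | unexpected_logins
}

# Constructed sample of `last -F -w` output, used to exercise the filters offline.
sample_last_output() {
    cat <<'EOF'
builder  pts/0        192.0.2.10       Mon Oct 14 09:12:44 2024 - Mon Oct 14 09:15:02 2024  (00:02)
builder  pts/1        198.51.100.7     Mon Oct 14 09:13:30 2024 - Mon Oct 14 09:14:10 2024  (00:00)
builder  tty1                          Mon Oct 14 09:20:05 2024 - Mon Oct 14 09:21:00 2024  (00:00)
ubuntu   pts/0        192.0.2.50       Tue Oct 15 08:00:00 2024   still logged in
reboot   system boot  5.15.0-generic   Mon Oct 14 09:00:01 2024   still running

wtmp begins Mon Oct 14 09:00:01 2024
EOF
}
```

Run `scan_host | count_lines` on each node deployed from an affected image. A count of zero is not proof the image is clean, because wtmp can be rewritten by anyone with root access.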

Additional Details

The fixed version sets a randomly-generated password for the duration of the image build.

Acknowledgements

This vulnerability was reported by Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH.

The issue was fixed and coordinated by Marcus Noble of the Image Builder project.

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig cluster-lifecycle
