Critical Kubernetes Image Builder bug allows SSH root access
Briefly

The critical bug in Kubernetes Image Builder can lead to unauthorized SSH access to virtual machines due to default credentials being enabled during the image build process.
This vulnerability is tracked as CVE-2024-9486 with a CVSS severity rating of 9.8 and affects VM images created with the Proxmox provider.
Attacks exploiting CVE-2024-9594 require an attacker to reach the VM during the image build, which limits the opportunity for exploitation to a brief window.
To remediate this issue, users should upgrade to Image Builder v0.1.38 or later, which generates a random password during the image build and disables the builder account afterwards.
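
A check an operator could run on VMs built from affected images, added here as an example and not taken from the Image Builder project: it reports whether the builder account can still log in with a password. The default account name `builder`, the function name and the file-path parameters are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify the Image Builder account as absent, locked or
# enabled for password login. Account name "builder" is an assumed default.

# Usage: builder_account_status PASSWD_FILE SHADOW_FILE [ACCOUNT]
# Prints one of: absent | locked | enabled | unknown
builder_account_status() {
    passwd_file=$1
    shadow_file=$2
    account=${3:-builder}

    # No passwd entry: the account was removed or never existed.
    if ! awk -F: -v u="$account" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        echo absent
        return 0
    fi

    # Field 2 of a shadow entry is the password hash. The "field=" prefix
    # lets us tell a missing entry apart from an empty password field.
    pw_field=$(awk -F: -v u="$account" '$1 == u { print "field=" $2; exit }' "$shadow_file")
    case $pw_field in
        '')                    echo unknown ;;  # no shadow entry found
        'field=!'*|'field=*'*) echo locked ;;   # leading ! or * blocks password login
        *)                     echo enabled ;;  # usable hash, or empty password
    esac
}

# Demo on constructed files (not real system data).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
builder:x:1000:1000::/home/builder:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:*:19900:0:99999:7:::
builder:$6$constructedsalt$constructedhash:19900:0:99999:7:::
EOF
echo "image with default credentials: $(builder_account_status "$demo_dir/passwd" "$demo_dir/shadow")"

# Simulate a locked password by prefixing the hash with "!".
sed 's/^builder:/builder:!/' "$demo_dir/shadow" > "$demo_dir/shadow.locked"
echo "after the account is locked:    $(builder_account_status "$demo_dir/passwd" "$demo_dir/shadow.locked")"
rm -rf "$demo_dir"
```

On a real VM, run `builder_account_status /etc/passwd /etc/shadow` as root; a result of `enabled` means the image should be rebuilt with a fixed Image Builder version.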
Read at The Register