Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk
A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.
The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers credited Nicolai Rybnikar for discovering and reporting the vulnerability.
“A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process,” Joel Smith of Red Hat said in an advisory.
“Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.”
That said, Kubernetes clusters are only affected by the flaw if their nodes use virtual machine (VM) images built with the Image Builder project using the Proxmox provider.
As short-term mitigations, it is recommended to disable the builder account on affected VMs. Users are also advised to rebuild affected images using a patched version of Image Builder and redeploy them to VMs.
The fix put in place by the Kubernetes team replaces the default credentials with a randomly generated password that is set only for the duration of the image build. In addition, the builder account is disabled at the end of the image build process.
Kubernetes Image Builder version 0.1.38 also addresses a related issue (CVE-2024-9594, CVSS score: 6.3) concerning default credentials when image builds are carried out using the Nutanix, OVA, QEMU, or raw providers.
The lower severity of CVE-2024-9594 stems from the fact that VMs using images built with these providers are only affected “if an attacker were able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.”
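The short-term mitigation above (disable the builder account) only helps if you know which nodes still carry it. The following audit script is an added example, not code from the Kubernetes project or the advisory; it assumes the default account is named "builder" and that the node (or a mounted image root) has a standard shadow-format file.

```shell
#!/bin/sh
# Audit a node, or a mounted image root, for the Image Builder default
# "builder" account left enabled by a build affected by CVE-2024-9486.
# Assumption (not stated in the advisory): the account is named "builder".
ACCOUNT="${ACCOUNT:-builder}"

# builder_status FILE -> prints: absent | locked | nopasswd | enabled
# Field 2 of a shadow entry: "" means no password, a "!" or "*" prefix
# means locked, anything else is a usable password hash.
builder_status() {
    entry=$(grep "^${ACCOUNT}:" "$1" 2>/dev/null | head -n 1)
    if [ -z "$entry" ]; then
        echo absent
        return 0
    fi
    pw=$(printf '%s' "$entry" | cut -d: -f2)
    case "$pw" in
        "")        echo nopasswd ;;
        "!"*|"*"*) echo locked ;;
        *)         echo enabled ;;
    esac
}

# remediation_cmd STATUS -> the lock command a root shell would run, or
# nothing when no action is needed. Printed rather than executed so the
# change can be reviewed first. Note: locking the password does not
# remove SSH authorized keys; check ~builder/.ssh separately.
remediation_cmd() {
    case "$1" in
        enabled|nopasswd) echo "usermod --lock --shell /usr/sbin/nologin '$ACCOUNT'" ;;
        *) : ;;
    esac
}

# audit_shadow FILE -> exit 0 when safe, 2 when the account needs locking
audit_shadow() {
    status=$(builder_status "$1")
    echo "$1: $ACCOUNT account is $status"
    if [ "$status" = enabled ] || [ "$status" = nopasswd ]; then
        echo "remediate with: $(remediation_cmd "$status")"
        return 2
    fi
    return 0
}

if [ "$#" -gt 0 ]; then
    audit_shadow "$1"
else
    # No file given: run against a constructed sample shadow file (fake hash).
    sample=$(mktemp)
    printf 'root:!:19600:0:99999:7:::\nbuilder:$6$fake$hash:19600:0:99999:7:::\n' > "$sample"
    audit_shadow "$sample" || true
    rm -f "$sample"
fi
```

Run as `sh audit.sh /mnt/image/etc/shadow` against a mounted image, or with `/etc/shadow` on a live node (requires root to read the file).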
The development comes as Microsoft rolled out server-side fixes for three Critical-rated vulnerabilities in Dataverse, Imagine Cup, and Power Platform that could result in privilege escalation and information disclosure:
- CVE-2024-38139 (CVSS score: 8.7) – Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
- CVE-2024-38204 (CVSS score: 7.5) – Improper access control in Imagine Cup allows an authorized attacker to elevate privileges over a network
- CVE-2024-38190 (CVSS score: 8.6) – Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector
It also follows the disclosure of a critical flaw in the Apache Solr open-source enterprise search engine (CVE-2024-45216, CVSS score: 9.8) that could pave the way for an authentication bypass on susceptible instances.
“An artificial termination at the end of any Solr API URL path will authorize requests to bypass Authentication while preserving the API deal with the original URL Path,” a GitHub advisory for the flaw points out. “This fake ending imitates an unprotected API path, but it is removed internally after authentication but before API routing.”
The problem, affecting Solr versions from 5.3.0 before 8.11.4, and from 9.0.0 before 9.7.0, has been rectified in versions 8.11.4 and 9.7.0, respectively.