Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk

Information:

  Kubernetes is an open-source platform used to automate the deployment, scaling, and management of containerized applications. Originally developed by Google and now maintained by the Cloud Native Computing Foundation (CNCF), Kubernetes is designed to help developers build, manage, and scale applications across clusters of machines, making it easier to manage complex systems.

Incident:

  A critical bug in Kubernetes Image Builder could allow unauthorized SSH access to virtual machines (VMs) because default credentials are enabled during the image build process. The issue affects Kubernetes Image Builder versions <= v0.1.37. Virtual machine images built using the Proxmox provider do not disable these default credentials, so nodes running the resulting images remain accessible via the default credentials, which can be used to gain root access.

  VM images built with the Proxmox provider are therefore the most exposed. The flaw is tracked as CVE-2024-9486, carries a CVSS severity rating of 9.8 out of 10, and affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.

  The issue also affects images built with the Nutanix, OVA, QEMU or raw providers, but in these cases it is rated 6.3 on the ten-point CVSS scale and tracked under a separate identifier: CVE-2024-9594.

  This bug can still be abused to gain root access. However, the Nutanix, OVA, and QEMU providers disable the default credentials at the end of the image build process, which leaves an attacker a much smaller window to exploit CVE-2024-9594: it can only happen during the build process.

Recommendation:

  To fix the flaw, upgrade to Image Builder v0.1.38 or later. This version sets a randomly generated password for the duration of the image build, and then disables the builder account at the end of the build process.
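As an added illustration of the recommendation above (this is not code from the Image Builder project), the following script audits a node built from an image and reports whether the builder account is still enabled. It assumes the account is literally named "builder" and reads /etc/shadow-format entries; a constructed sample is embedded so it runs stand-alone.

```python
"""Audit whether the image-builder service account is disabled on a node.

Added example, not part of Kubernetes Image Builder. Assumes the account is
named "builder" and reads shadow-format lines:
    name:hash:lastchg:min:max:warn:inactive:expire:
"""
import sys

# Constructed sample shadow entries for demonstration (not from a real host).
SAMPLE_SHADOW = """\
root:!:19600:0:99999:7:::
builder:$6$saltsalt$fakehashfakehash:19600:0:99999:7:::
ubuntu:!:19600:0:99999:7:::
"""


def account_state(shadow_text: str, account: str = "builder") -> str:
    """Classify an account from shadow-format text.

    Returns one of:
      "absent"     - no such account, nothing to log in to
      "locked"     - hash field starts with '!' or '*', password login disabled
      "nopassword" - empty hash field, password-less login (worst case)
      "active"     - a usable password hash is set
    """
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != account:
            continue
        pw = fields[1]
        if pw == "":
            return "nopassword"
        if pw.startswith(("!", "*")):
            return "locked"
        return "active"
    return "absent"


def needs_remediation(state: str) -> bool:
    """An image from a fixed builder (v0.1.38+) should leave the account
    disabled; we assume that shows up as a locked or absent shadow entry."""
    return state in ("active", "nopassword")


if __name__ == "__main__":
    # On a node: sudo python3 audit_builder.py /etc/shadow
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    state = account_state(text)
    print(f"builder account: {state}")
    sys.exit(1 if needs_remediation(state) else 0)
```

A non-zero exit marks a node whose image should be rebuilt with v0.1.38 or later.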

Security systems are important; we must stay attentive and keep monitoring them as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)

References:

Weekly Interesting CVE

1. CVE-2024-45148
   Published: 10/10/2024 | Last update: 10/10/2024
   Target: Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier
   Attack type: Improper Authentication
   CVSS severity rating: 8.8
   Detail: Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to gain unauthorized access without proper credentials. Exploitation of this issue does not require user interaction.
   Solution: Update the installation to the newest version.
   Reference: https://app.opencve.io/cve/CVE-2024-45148
              https://helpx.adobe.com/security/products/magento/apsb24-73.html

2. CVE-2024-9201
   Published: 10/10/2024 | Last update: 10/10/2024
   Target: SEUR plugin, versions 2.5.11 and earlier
   Attack type: SQL injection
   CVSS severity rating: 9.4
   Detail: The SEUR plugin, in its versions 2.5.11 and earlier, is vulnerable to time-based SQL injection through the 'id_order' parameter of the '/modules/seur/ajax/saveCodFee.php' endpoint.
   Solution: Update to version 2.5.14.
   Reference: https://app.opencve.io/cve/CVE-2024-9201

3. CVE-2024-8977
   Published: 10/10/2024 | Last update: 10/10/2024
   Target: GitLab EE, all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2
   Attack type: Server-Side Request Forgery (SSRF)
   CVSS severity rating: 8.2
   Detail: An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with the Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks.
   Solution: Update to the latest version.
   Reference: https://app.opencve.io/cve/CVE-2024-8977

4. CVE-2024-29176
   Published: 26/6/2024 | Last update: 10/10/2024
   Target: Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40
   Attack type: Improper Authentication, code execution
   CVSS severity rating: 8.8
   Detail: Dell PowerProtect DD versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30 and LTS 7.7.5.40 contain a buffer overflow vulnerability. A remote low-privileged attacker could potentially exploit this vulnerability, leading to an application crash or execution of arbitrary code on the vulnerable application's underlying operating system with the privileges of the vulnerable application.
   Solution: Update to version 8.0.
   Reference: https://app.opencve.io/cve/CVE-2024-29176

5. CVE-2024-45409
   Published: 10/9/2024 | Last update: 10/10/2024
   Target: Ruby-SAML versions prior to 12.2 and 1.13.0 to 1.16.0
   Attack type: Improper Authentication
   CVSS severity rating: 10.0
   Detail: The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in versions prior to 12.2 and 1.13.0 to 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system.
   Solution: Update to version 1.17.0 or 1.12.3.
   Reference: https://app.opencve.io/cve/CVE-2024-45409
              https://nvd.nist.gov/vuln/detail/CVE-2024-45409

Malware News or Campaign IOC/IOA | EN

1. Kansas' City of Arkansas Water Treatment Facility Hit by a Suspected Ransomware Cyber Attack
   Detection date: 3/10/2024
   Attack type: ransomware
   Description: On September 22, 2024, a cyberattack targeted the water treatment system of Arkansas City in Kansas, and it is suspected to be a ransomware attack. This incident led to disruptions in the city's water system, which significantly affected its ability to deliver essential services and manage the security of the water supply provided to its residents. City authorities are collaborating with law enforcement agencies and cybersecurity organizations to thoroughly investigate the incident and assess the extent of the damage caused. At present, no clear information has been made available regarding the attackers or the motivation behind this cyberattack.
   Mitigation/Remediation:
     • Implement Multi-Factor Authentication (MFA) to strengthen security when accessing critical systems.
     • Regularly back up essential data and routinely test recovery processes to ensure that data can be restored in the event of a cyberattack.
     • Conduct cybersecurity training for employees so they can identify and respond effectively to threats such as phishing emails.
   Ref: https://www.cpomagazine.com/cyber-security/kansas-city-of-arkansas-water-treatment-facility-hit-by-a-suspected-ransomware-cyber-attack/

28 October 2024
