CRITICAL 9.8 CVE-2024-9486
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected projects
kubernetes
Disclosed
Last updated

Affected versions

Project                        Vulnerable range
kubernetes-sigs/image-builder  <= v0.1.37

Patched versions

Project                        Fixed in
kubernetes-sigs/image-builder  v0.1.38

References

Summary

A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials after the build completes. Nodes deployed from affected images remain accessible via the builder account, which can be used to gain root access. Clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.

Impact

An unauthenticated remote attacker who can reach a vulnerable node over the network can authenticate as the builder account using the well-known default credentials and escalate to root access. The vulnerability affects confidentiality, integrity, and availability at the highest severity (CVSS 9.8 Critical). Only clusters whose nodes were built with Kubernetes Image Builder version v0.1.37 or earlier using the Proxmox provider are affected; nodes built with other providers are not affected by this specific issue.

Detection

Determine the version of Image Builder used to produce your VM images:

# For git clones of the image builder repository
cd <local path to image builder repo>
make version

# For tarball installations
cd <local path to install location>
grep -o 'v0\.[0-9.]*' RELEASE.md | head -1

# For container image releases
docker run --rm <image pull spec> version

Check for logins to the vulnerable builder account on affected nodes. `last` reads the login records in /var/log/wtmp, so records that have been rotated or cleared will not appear; an empty result is therefore not proof that the account was never used:

last builder

If evidence of exploitation is found, contact security@kubernetes.io.

Mitigation

Rebuild any affected images using Kubernetes Image Builder v0.1.38 or later, which sets a randomly-generated password for the duration of the build and disables the builder account at the conclusion of the build. Redeploy the fixed images to any affected VMs.

As an immediate mitigation prior to rebuilding, disable the builder account on all affected nodes. Locking the account blocks new password logins but does not terminate sessions that are already open, so also review the "still logged in" entries from `last builder` and end any active builder sessions:

usermod -L builder
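The following shell script is an added example (not code from this advisory or from the Image Builder project) that packages the detection and mitigation steps above into one triage pass: it classifies an Image Builder version string against the vulnerable range (<= v0.1.37), counts and lists builder logins from `last` output, and reports whether to lock the account or report suspected exploitation. The sample `last` output embedded in it is constructed for the demonstration; the version parsing assumes the vMAJOR.MINOR.PATCH form used in the tables above, and the `last` parsing assumes the default column layout (user, tty, host, ...).

```shell
#!/bin/sh
# Added triage helper for CVE-2024-9486 (example code, not part of the
# Image Builder project or the advisory). It encodes the two detection
# steps from the advisory: is the Image Builder version in the vulnerable
# range (<= v0.1.37), and does `last` show logins to the "builder" account.

# Return 0 when an Image Builder version string such as "v0.1.37" falls in
# the vulnerable range <= v0.1.37, 1 otherwise. Assumes vMAJOR.MINOR.PATCH;
# a pre-release suffix such as "-rc1" is ignored.
image_builder_vulnerable() {
    v=${1#v}                         # "v0.1.37" -> "0.1.37"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # "38-rc1" -> "38"
    [ -z "$patch" ] && patch=0
    [ "$major" -eq 0 ] || return 1   # v1.x and later are past the fix
    [ "$minor" -lt 1 ] && return 0   # every v0.0.x release predates the fix
    [ "$minor" -eq 1 ] && [ "$patch" -le 37 ] && return 0
    return 1
}

# Count login records for the "builder" account in `last` output on stdin.
# The trailing whitespace in the pattern keeps "builder2" from matching.
builder_login_count() {
    grep -c '^builder[[:space:]]' || true   # grep exits 1 on zero matches
}

# List distinct hosts from which "builder" logged in (`last` output on stdin).
# Assumes the default `last` layout where the third column is the host.
builder_login_sources() {
    awk '$1 == "builder" { print $3 }' | sort -u
}

# Combine both checks. Reads `last` output on stdin, prints a verdict and
# returns 0 (not in the vulnerable range), 1 (vulnerable, no builder logins
# recorded) or 2 (vulnerable and builder logins recorded).
triage() {
    version=$1
    if ! image_builder_vulnerable "$version"; then
        echo "Image Builder $version: not in the vulnerable range"
        return 0
    fi
    logins=$(builder_login_count)
    if [ "$logins" -gt 0 ]; then
        echo "Image Builder $version: VULNERABLE, $logins login(s) to builder recorded"
        echo "  -> possible exploitation; contact security@kubernetes.io"
        return 2
    fi
    echo "Image Builder $version: VULNERABLE, no builder logins recorded"
    echo "  -> lock the account now (usermod -L builder) and rebuild with v0.1.38 or later"
    return 1
}

# Constructed sample of `last` output (not real data) so the script runs stand-alone.
SAMPLE_LAST='builder  pts/0        192.0.2.10       Mon Oct 14 10:02   still logged in
builder  pts/1        192.0.2.77       Sun Oct 13 22:41 - 22:50  (00:09)
reboot   system boot  5.15.0-generic   Sun Oct 13 20:00   still running

wtmp begins Sun Oct 13 20:00:01 2024'

# On a real node, replace the sample with the live records:
#   last builder | triage "<version string obtained from the Detection steps>"
printf '%s\n' "$SAMPLE_LAST" | triage "v0.1.37"
echo "builder login sources:"
printf '%s\n' "$SAMPLE_LAST" | builder_login_sources
```

Run it once per node with the version string obtained from `make version` (or the tarball/container equivalents); a return code of 2 means builder logins were recorded and the node should be treated as potentially compromised rather than simply locked and rebuilt.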
