Hello Kubernetes Community, A security issue was discovered in Kubernetes where an unauthorized user may be able to ssh to a node VM which uses a VM image built with the Kubernetes Image Builder project ( https://github.com/kubernetes-sigs/image-builder). For images built with the Proxmox provider, this issue has been rated Critical ( https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (9.8), and assigned CVE-2024-9486. For images built with the Nutanix, OVA, QEMU or raw providers, this issue has been rated Medium ( https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) (6.3), and assigned CVE-2024-9594. Am I vulnerable? Clusters using virtual machine images built with Kubernetes Image Builder ( https://github.com/kubernetes-sigs/image-builder) version v0.1.37 or earlier are affected. CVE-2024-9486: VMs using images built with the Proxmox provider are confirmed to be vulnerable. CVE-2024-9594: VMs using images built with the Nutanix, OVA, QEMU or raw providers were vulnerable during the build process and are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring. VMs using images built with all other providers are not affected. To determine the version of Image Builder you are using, use one of the following methods: * For git clones of the image builder repository: cd <local path to image builder repo> make version * For installations using a tarball download: cd <local path to install location> grep -o v0\\.[0-9.]* RELEASE.md | head -1 * For a container image release: docker run --rm <image pull spec> version or podman run --rm <image pull spec> version or look at the image tag specified, in the case of an official image such as registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.37 How do I mitigate this vulnerability? Rebuild any affected images using a fixed version of Image Builder. Re-deploy the fixed images to any affected VMs. Prior to upgrading, this vulnerability can be mitigated by disabling the builder account on affected VMs: usermod -L builder Fixed Versions Kubernetes Image Builder versions >= v0.1.38 Detection The linux command "last builder" can be used to view logins to the affected "builder" account. If you find evidence that this vulnerability has been exploited, please contact security () kubernetes io Additional Details See the GitHub issues for more details: https://github.com/kubernetes/kubernetes/issues/128006 https://github.com/kubernetes/kubernetes/issues/128007 Acknowledgements This vulnerability was reported by Nicolai Rybnikar @rybnico from Rybnikar Enterprises GmbH. The issue was fixed and coordinated by Marcus Noble of the Image Builder project. Thank You, Joel Smith on behalf of the Kubernetes Security Response Committee