CVE-2024-9486

9.8 CRITICAL

📋 TL;DR

VM images built with Kubernetes Image Builder's Proxmox provider ship with the account that Image Builder uses during the build (the `builder` account named in the vendor advisory) still enabled, with its default password. Anyone who can reach such a node over SSH can log in with those credentials and obtain root. Only Kubernetes clusters whose nodes run VM images created with Image Builder's Proxmox provider are affected. Image Builder v0.1.38 and later set a randomly generated password for the duration of the build and disable the account when the build finishes.

💻 Affected Systems

Products:
  • Kubernetes Image Builder
Versions: <= v0.1.37
Operating Systems: Any OS running on VM images built with affected Image Builder
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Kubernetes clusters using VM images created via Image Builder's Proxmox provider. Other providers or manually built images are not affected.

📦 What is this software?

Kubernetes Image Builder (kubernetes-sigs/image-builder) is the SIG Cluster Lifecycle project that builds node VM images for Cluster API infrastructure providers; the Proxmox provider produces VM templates that Proxmox-hosted Kubernetes nodes are cloned from.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of Kubernetes cluster with root access to all nodes, enabling data theft, service disruption, and lateral movement across the entire infrastructure.

🟠

Likely Case

Unauthorized root access to individual nodes, allowing attackers to install malware, exfiltrate sensitive data, or disrupt container workloads.

🟢

If Mitigated

Limited impact if nodes are behind strict network controls, but credential exposure still presents significant risk.

🌐 Internet-Facing: HIGH - If SSH on a node is reachable from the internet, an attacker needs nothing beyond the well-known default credentials; no prior foothold is required.
🏢 Internal Only: HIGH - Internally, any compromised workload, adjacent host, or malicious insider that can reach port 22 on a node can use the same credentials to gain root.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only SSH reachability to an affected node and the default credentials, which are identical in every image an affected Image Builder version produces. No special tools or advanced techniques are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.1.38 and later

Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ

Restart Required: Yes (affected nodes must be replaced with nodes built from fixed images; rebooting an existing node does not remove the credentials)

Instructions:

1. Update Kubernetes Image Builder to v0.1.38 or later.
2. Rebuild all VM images using the updated Image Builder.
3. Replace existing nodes with newly built images.
4. Ensure old images are removed from Proxmox templates.

🔧 Temporary Workarounds

Disable the build account

linux

The vendor advisory's mitigation is to lock the `builder` account that Image Builder leaves enabled; changing the root password alone does not help, because the default credentials belong to the build account. Disabling SSH password authentication in addition removes the credential as a remote login path even if the lock is later undone.

# Lock the Image Builder build account (the mitigation from the vendor advisory)
usermod -L builder
# Disable SSH password authentication; match a commented-out default as well as an explicit "yes"
sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Validate the config before reloading; the service is "sshd" on RHEL-style and "ssh" on Debian-style systems
sshd -t && (systemctl restart sshd 2>/dev/null || systemctl restart ssh)

Network isolation

linux

Restrict SSH access to affected nodes to a management network. This limits who can reach the credential; it does not remove it, and it does nothing for an attacker already inside the trusted range.

# TRUSTED_NET is a placeholder; replace it with your management network CIDR
TRUSTED_NET=trusted_network
# Insert at the head of INPUT so the rules sit ahead of anything kube-proxy or the CNI has appended
iptables -I INPUT 1 -p tcp --dport 22 -s "$TRUSTED_NET" -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -j DROP
# Persist the rules (iptables-save or your distribution's equivalent) or they are lost on reboot

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected nodes from untrusted networks
  • Deploy host-based intrusion detection systems to monitor for credential usage and unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check whether nodes were deployed from VM images built with Kubernetes Image Builder v0.1.37 or earlier using the Proxmox provider; review the image build logs, CI job, or the image-builder checkout used for the build. On the node itself, the direct test is whether the `builder` account exists and still has a usable password (`passwd -S builder` showing `P` in the second field); a locked account shows `L`.

Check Version:

The Image Builder version is not recorded inside the image. Check the tag or commit of the image-builder checkout, the build configuration, or the deployment manifests that reference the Proxmox template.

Verify Fix Applied:

Verify that the images were built with Image Builder v0.1.38 or later. On a node built from a fixed image, `passwd -S builder` reports the account as locked, and an SSH login to the build account with the old default credentials fails. Confirm that every node in the cluster has been replaced, not only the templates.
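The check above, as an added example that is not part of the advisory or the image-builder project. It parses the `passwd -S` line and the effective sshd configuration from `sshd -T`, and assumes the build account is named `builder`, as in the vendor advisory's `usermod -L builder` mitigation. The sample `sshd -T` text is constructed so the parsing functions can be exercised offline; the live audit runs only when invoked with `--audit`.

```shell
#!/bin/sh
# Added example, not from the advisory or the image-builder project: audit a
# node for the Image Builder build account. Assumes the account is named
# "builder", as in the vendor advisory's usermod -L builder mitigation.
ACCOUNT="${ACCOUNT:-builder}"

# Constructed sample of `sshd -T` output, used only for offline demonstration.
SAMPLE_SSHD_T='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes'

# Classify a `passwd -S <user>` line. Field 2 is the password state:
#   P = usable password (exploitable if it is still the build default),
#   L = locked, NP = no password.
# Prints one of: vulnerable, locked, nopassword, unknown.
classify_passwd_status() {
    set -- $1
    case "$2" in
        P)  echo vulnerable ;;
        L)  echo locked ;;
        NP) echo nopassword ;;
        *)  echo unknown ;;
    esac
}

# Given `sshd -T` output (the effective config, drop-in files included),
# print the effective PasswordAuthentication value, or "unknown" if absent.
sshd_password_auth() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "passwordauthentication" { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# Run the real checks on this host (passwd -S needs root). Returns 1 when the
# build account still has a usable password, 0 when it is absent or locked.
audit_node() {
    if ! getent passwd "$ACCOUNT" >/dev/null 2>&1; then
        echo "no $ACCOUNT account present: not affected by the build-account default"
        return 0
    fi
    status=$(passwd -S "$ACCOUNT" 2>/dev/null) || {
        echo "passwd -S $ACCOUNT failed (run as root)"; return 2; }
    state=$(classify_passwd_status "$status")
    pwauth=$(sshd_password_auth "$(sshd -T 2>/dev/null)")
    echo "$ACCOUNT password state: $state; sshd PasswordAuthentication: $pwauth"
    [ "$state" != vulnerable ]
}

# Only touch the live system when asked explicitly:  sudo sh audit.sh --audit
if [ "${1:-}" = --audit ]; then
    audit_node
fi
```

A node that prints `builder password state: vulnerable` still carries the default credential regardless of the sshd setting; `PasswordAuthentication: no` only closes the SSH path, and the account should still be locked.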

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH password authentication attempts for the build account (`builder`) or root
  • Any successful SSH password login to the build account, which is a confirmed use of the default credential
  • Root login events or `sudo` use from the build account, or from unexpected sources

Network Indicators:

  • SSH connections to nodes from unauthorized IP addresses
  • Unusual outbound connections from nodes after SSH access

SIEM Query:

source="auth.log" AND ("password for builder" OR "password for root") | stats count by src_ip, user, outcome

The query is pseudo-syntax; adapt the field names to your SIEM. Treat any "Accepted password for builder" event as an incident rather than an alert to triage, and include root because the build account yields root once in.
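The same triage run over raw sshd log lines, as an added example that is not part of the advisory. It counts password-based attempts against root and the build account by source address and flags any accepted login to the build account. The log lines are constructed for this example (documentation-range IPs), and the `builder` account name is taken from the vendor advisory's mitigation; the script otherwise expects the standard sshd message format from `auth.log` or `journalctl -u ssh`.

```shell
#!/bin/sh
# Added example, not part of the advisory: triage sshd log lines for password
# logins to root and to the Image Builder build account ("builder", per the
# vendor advisory). Input format is the standard sshd auth.log / journal text.

# Constructed sample lines for offline use; addresses are documentation ranges.
SAMPLE_AUTH_LOG='Oct 16 10:01:02 node1 sshd[1234]: Failed password for builder from 203.0.113.5 port 51234 ssh2
Oct 16 10:01:05 node1 sshd[1234]: Accepted password for builder from 203.0.113.5 port 51240 ssh2
Oct 16 10:02:00 node1 sshd[1300]: Accepted publickey for ubuntu from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:abc
Oct 16 10:03:00 node1 sshd[1350]: Failed password for root from 198.51.100.7 port 4444 ssh2
Oct 16 10:03:01 node1 sshd[1350]: Failed password for invalid user admin from 198.51.100.7 port 4445 ssh2'

# Read sshd log lines on stdin; print "<src_ip> <user> <accepted|failed> <count>"
# for password attempts against the watched accounts, sorted. Only password
# logins count: key-based logins by other users are not this vulnerability.
triage_auth_log() {
    awk -v watch="${WATCH_USERS:-root builder}" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
    /ssh[^ ]*\[[0-9]+\]: (Accepted|Failed) password for / {
        rest = $0
        sub(/.*password for /, "", rest)   # "<user> from <ip> port ..." or "invalid user <u> from ..."
        sub(/^invalid user /, "", rest)
        split(rest, f, " ")
        user = f[1]; ip = f[3]
        outcome = ($0 ~ /Accepted password/) ? "accepted" : "failed"
        if (user in watched) count[ip " " user " " outcome]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Read triage output on stdin; succeed (exit 0) if the build account has any
# accepted password login, which is a confirmed use of the default credential.
has_confirmed_use() {
    grep -q " ${1:-builder} accepted "
}

# Usage:  journalctl -u ssh --no-pager | sh triage.sh --run
if [ "${1:-}" = --run ]; then
    triage_auth_log
fi
```

On the sample input the output is three lines (root failures from one address, and one failure plus one accepted login for `builder` from another); the `builder accepted` line is what turns this from a brute-force alert into an incident.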
