A high-severity vulnerability has been identified in the Kubernetes Image Builder, which could expose default credentials during the image creation process. An attacker could potentially leverage these credentials to gain unauthorized access, tamper with container images, and introduce malicious code into the software supply chain, leading to broader system compromise.

The vulnerability exists within the Kubernetes Image Builder components. During the image build process, default credentials are temporarily enabled and exposed. An attacker with network access to the build environment could potentially connect during this window, authenticate using these known default credentials, and gain access to the build system. This access could be used to inject malicious code, steal secrets, or otherwise compromise the integrity of the resulting container image.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have a significant business impact by enabling a supply chain attack. If a malicious actor successfully compromises an image, it could lead to the deployment of trojanized containers across the organization's production environment, resulting in data breaches, unauthorized access to sensitive systems, service disruption, and significant reputational damage. The risk is elevated in automated CI/CD pipelines where compromised images could be propagated widely without immediate detection.

Immediate Action: Organizations should apply the security updates provided by the vendor across all affected image-building infrastructure immediately. After patching, it is critical to review access logs for the build systems for any unusual or unauthorized authentication attempts that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on build environments. Security teams should look for anomalous network connections to and from build servers, unexpected processes or commands executed during the build lifecycle, and any deviations in the final image layers or checksums compared to a known-good baseline.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Strictly enforce network segmentation to isolate the build environment from untrusted networks.
• Implement firewall rules to restrict access to the build systems to only authorized personnel and services.
• Enforce container image scanning and signing policies to verify the integrity of all images before they are pushed to a registry or deployed.

Public Exploit Available: false

Given the high-severity rating (CVSS 7.5) and the potential for a software supply chain compromise, this vulnerability should be prioritized for immediate remediation. Although this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its impact warrants urgent attention. We strongly recommend that organizations apply the vendor-supplied patches without delay and implement the suggested compensating controls and monitoring to reduce the risk of exploitation.