Message-ID: <CAL7+V1y-7ujPrPMQ+Ed0WQVVdcTb-p+Nv5c4hrGYF0W=Y-f4zQ@mail.gmail.com>
Date: Mon, 21 Jul 2025 16:32:12 -0700
From: Rita Zhang <rita.z.zhang@...il.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2025-7342: VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials for Windows images if user did not override
Hello Kubernetes Community,
A security issue was discovered in Kubernetes where an unauthorized user may be able to log in over SSH, RDP or WinRM to a Windows node VM that uses a VM image built with the Kubernetes Image Builder project (https://github.com/kubernetes-sigs/image-builder), because such images are built with a default Windows Administrator password unless the user overrides it at build time.
For Windows images built with the Nutanix or OVA providers, this issue has been rated High, CVSS 3.1 score 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H):
https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Am I vulnerable?
Clusters using virtual machine images built with Kubernetes Image Builder (https://github.com/kubernetes-sigs/image-builder) version v0.1.44 or earlier are affected.
CVE-2025-7342: VMs using Windows images built with the Nutanix or OVA providers were confirmed vulnerable.
VMs using images built with all other providers are not affected.
Affected Versions
Kubernetes Image Builder versions <= v0.1.44
To determine the version of Image Builder you are using, use one of the
following methods:
* For git clones of the image builder repository:
cd <local path to image builder repo>
make version
* For installations using a tarball download:
cd <local path to install location>
grep -o v0\\.[0-9.]* RELEASE.md | head -1
* For a container image release:
docker run --rm <image pull spec> version
or
podman run --rm <image pull spec> version
or look at the image tag specified, in the case of an official image such
as
registry.k8s.io/scl-image-builder/cluster-node-image-builder-amd64:v0.1.44
How do I mitigate this vulnerability?
Rebuild any affected images using a fixed version of Image Builder and re-deploy the fixed images to any affected VMs, or use image-builder v0.1.41 (February 2025) or later and explicitly set the `admin_password` JSON variable so that the default password is never used.
Prior to upgrading, this vulnerability can be mitigated by changing the password of the Administrator account on each affected VM:
`net user Administrator <new-password>`
Fixed Versions
Kubernetes Image Builder versions >= v0.1.45
Detection
To check whether the built-in Administrator account is enabled and when it last logged on, run the following on each affected Windows node:
`Get-LocalUser -Name Administrator | Select-Object Name,Enabled,SID,LastLogon | Format-List`
If you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io
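A worked version of the detection check above together with the interim password rotation from the mitigation section, as an added example: this script is not part of the advisory or of the Image Builder project. It goes a step beyond the one-line check by also listing successful remote logons to the Administrator account from the Security event log. It assumes an elevated PowerShell 5.1 or later session with the built-in LocalAccounts module (Windows Server 2016 and later), that the node's Security log still retains the relevant 4624 logon events, and that the script is saved under the assumed name Check-DefaultAdmin.ps1.

```powershell
# Added example for CVE-2025-7342 triage; not code from the Kubernetes advisory
# or the Image Builder project. Run in an elevated PowerShell session on each
# Windows node built from a suspect image.
#   .\Check-DefaultAdmin.ps1            # report only
#   .\Check-DefaultAdmin.ps1 -Rotate    # report, then set a new Administrator password
[CmdletBinding()]
param(
    [switch]$Rotate,
    # Number of Security-log records to scan; raise it on long-lived nodes.
    [int]$MaxEvents = 20000
)

$ErrorActionPreference = 'Stop'

# 1. Account state, as in the advisory's Detection section.
$admin = Get-LocalUser -Name 'Administrator'
$admin | Select-Object Name, Enabled, SID, LastLogon | Format-List

# 2. Successful logons (event 4624) to Administrator that carry a remote source address.
#    LogonType 10 = RemoteInteractive (RDP), LogonType 3 = Network (WinRM, SMB).
#    Console, scheduled-task and service logons record no source address and are
#    dropped; the Windows OpenSSH server may omit it too, so an empty list is
#    absence of evidence, not proof that nobody logged in.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='Administrator']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$remoteLogons = foreach ($ev in $events) {
    # Flatten the EventData name/value pairs of the event XML into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.IpAddress -in @('-', '127.0.0.1', '::1', $null)) { continue }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        LogonType   = $data.LogonType
        SourceIP    = $data.IpAddress
        Workstation = $data.WorkstationName
        LogonProc   = $data.LogonProcessName
    }
}

if ($remoteLogons) {
    Write-Warning ("{0} remote logon(s) to Administrator found; review them and report to the SRC if unexpected." -f @($remoteLogons).Count)
    $remoteLogons | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No remote Administrator logons in the last $MaxEvents Security records."
}

# 3. Optional interim mitigation: set a new Administrator password. Reading it with
#    Read-Host -AsSecureString keeps the value out of shell history and process
#    command lines, which the advisory's `net user Administrator <new-password>`
#    one-liner does not.
if ($Rotate) {
    $new = Read-Host -Prompt 'New Administrator password' -AsSecureString
    Set-LocalUser -Name 'Administrator' -Password $new
    Write-Host 'Administrator password rotated; record the new value in your secrets manager.'
}
```

Rotating the password only closes the door on nodes already running; any node later created from the same image comes back with the default, so the rebuild with a fixed Image Builder (or an explicit `admin_password`) remains the real fix.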
Additional Details
See the GitHub issues for more details:
https://github.com/kubernetes/kubernetes/issues/133115
Acknowledgements
This vulnerability was reported by Abdel Adim Oisfi, Davide Silvetti,
Nicolò Daprelà, Paolo Cavaglià, Pietro Tirenna from Shielder.
The issue was fixed and coordinated by Matt Boersma of the Image Builder
project.
Thank You,
Rita Zhang on behalf of the Kubernetes Security Response Committee