Cybersecurity researchers are warning that 1000’s of servers internet hosting the Prometheus monitoring and alerting toolkit are liable to info leakage and publicity to denial-of-service (DoS) in addition to distant code execution (RCE) assaults.
“Prometheus servers or exporters, usually missing correct authentication, allowed attackers to simply collect delicate info, reminiscent of credentials and API keys,” Aqua safety researchers Yakir Kadkoda and Assaf Morag stated in a brand new report shared with The Hacker Information.
The cloud safety agency additionally stated that the publicity of the “/debug/pprof” endpoints used for figuring out heap reminiscence utilization, CPU utilization, and others, may function a vector for DoS assaults, rendering the servers inoperable.
As many as 296,000 Prometheus Node Exporter situations and 40,300 Prometheus servers have been estimated to be publicly accessible over the web, making them an enormous assault floor that would put information and companies in danger.
The truth that delicate info, reminiscent of credentials, passwords, authentication tokens, and API keys, could possibly be leaked by means of internet-exposed Prometheus servers has been documented beforehand by JFrog in 2021 and Sysdig in 2022.
“Unauthenticated Prometheus servers allow direct querying of inside information, probably exposing secrets and techniques that attackers can exploit to achieve an preliminary foothold in varied organizations,” the researchers stated.
As well as, it has been discovered that the “/metrics” endpoint can’t solely reveal inside API endpoints, but additionally information about subdomains, Docker registries, and pictures — all invaluable info for an attacker conducting reconnaissance and seeking to broaden their attain throughout the community.
That is not all. An adversary may ship a number of simultaneous requests to endpoints like “/debug/pprof/heap” to set off CPU and memory-intensive heap profiling duties that may overwhelm the servers and trigger them to crash.
Aqua additional referred to as out a provide chain risk that includes utilizing repojacking methods to leverage the title related to deleted or renamed GitHub repositories and introduce malicious third-party exporters.
Particularly, it found that eight exporters listed in Prometheus’ official documentation are weak to RepoJacking, thereby permitting an attacker to recreate an exporter with the identical title and host a rogue model. These points have since been addressed by the Prometheus safety workforce as of September 2024.
“Unsuspecting customers following the documentation may unknowingly clone and deploy this malicious exporter, resulting in distant code execution on their programs,” the researchers stated.
Organizations are really useful to safe Prometheus servers and exporters with enough authentication strategies, restrict public publicity, monitor “/debug/pprof” endpoints for any indicators of anomalous exercise, and take steps to keep away from RepoJacking assaults.
