Over 336,000 Prometheus servers and exporters were found exposed on the internet, leaving them open to DoS attacks and allowing attackers to obtain sensitive information such as credentials and API keys.
Prometheus is an open-source monitoring and alerting toolset that has become an essential component of modern monitoring techniques.
Exporters are deployed on multiple systems and serve to collect metrics from monitored endpoints, allowing Prometheus to scrape and store data from systems, applications, or services that do not publish metrics in the Prometheus format.
Researchers found that publicly available Prometheus servers and exporters have been associated with three serious security risks: information exposure, denial-of-service (DoS), and remote code execution.
“We identified an alarming risk of DoS attacks stemming from the exposure of pprof debugging endpoints, which, when exploited, could overwhelm and crash Prometheus servers, Kubernetes pods and other hosts”, Aqua security researchers said in a report shared with Cyber Security News.
Findings showed that 40,000 Prometheus servers and more than 296,000 exporters with internet access were at risk, for a total of about 336,000 servers.
Security Risks Associated With Prometheus Servers And Exporters
Prometheus servers and exporters disclose information when they are reachable from the public internet without authentication. Such misconfigurations let anyone query the exposed environments for labels and metrics.
Attackers can use this access to obtain what appears to be insignificant data and, with the use of secret-scanning tools, uncover sensitive data, such as API keys, credentials, passwords, and authentication tokens.
“Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations”, researchers said.
In certain instances, an exposed /metrics endpoint of Node Exporter may also disclose information.
This kind of exposure can unintentionally give attackers access to private information, widen the attack surface, and reveal internal backend features that were never meant for public use.
Subdomains, Docker registries, image names, and other company information may likewise be gathered from exposed /metrics endpoints and public Prometheus servers.
The pprof endpoint, which is enabled by default in the majority of Prometheus components, can be accessed over HTTP via misconfigured Prometheus servers and exporters that are open to the internet. The pprof package is widely used for performance profiling.
“The exposed /debug/pprof endpoint poses significant security risks. While it is designed to assist users in profiling remote hosts, attackers can exploit it to execute Denial of Service (DoS) attacks”, researchers said.
Researchers observed that some Prometheus exporters are susceptible to RepoJacking.
GitHub RepoJacking is a form of supply chain attack in which attackers take control of GitHub projects’ dependencies or an entire project to execute malicious code on anyone who utilizes them.
This lets an attacker publish a rogue exporter under the same name and serve it to anyone who still pulls from that location.
Mitigation
- Protect Prometheus servers and exporters with proper authentication mechanisms
- Limit external exposure
- Monitor and secure debugging endpoints
- Limit resource exhaustion
- Examine open-source links to avoid RepoJacking
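As an added example (not code from the report or from the Prometheus project), the following audit script parses the Prometheus text exposition format and flags label values that look like the credentials, connection strings and API keys the researchers describe, so operators can check their own exporters' /metrics output before it is ever exposed. The sample metrics, the AKIA-style value and the detection patterns are constructed for illustration.

```python
import re

# Constructed sample of the Prometheus text exposition format, written to look
# like an exporter's /metrics output; none of these values come from the report.
SAMPLE_METRICS = """\
# HELP app_build_info Build information
# TYPE app_build_info gauge
app_build_info{version="1.4.2",commit="abc123"} 1
# HELP app_db_up Database reachability
# TYPE app_db_up gauge
app_db_up{dsn="postgres://svc:Sup3rS3cret@db.internal:5432/app"} 1
http_requests_total{path="/api",api_key="k1",cloud_account="AKIAEXAMPLEEXAMPLE01"} 42
node_exporter_build_info{goversion="go1.22.0"} 1
"""

# Label names that should never carry a value on a metrics endpoint.
SENSITIVE_LABEL_NAMES = re.compile(r"pass(word)?|secret|token|api[_-]?key|credential", re.I)
# Label values that look like secrets regardless of the label name (illustrative patterns).
SECRET_VALUE_PATTERNS = {
    "url_with_password": re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# One sample line: metric_name{labels} value [timestamp]
SAMPLE_LINE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+\S+")
LABEL_PAIR = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

def find_leaked_secrets(text):
    """Return (metric, label, reason) for each label that looks like a leaked secret."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and HELP/TYPE comments
        m = SAMPLE_LINE.match(line)
        if not m or m.group(2) is None:
            continue  # malformed line or no labels to inspect
        metric, labels = m.group(1), m.group(2)
        for name, value in LABEL_PAIR.findall(labels):
            if SENSITIVE_LABEL_NAMES.search(name):
                findings.append((metric, name, "sensitive label name"))
                continue
            for reason, pattern in SECRET_VALUE_PATTERNS.items():
                if pattern.search(value):
                    findings.append((metric, name, reason))
                    break
    return findings

if __name__ == "__main__":
    for metric, label, reason in find_leaked_secrets(SAMPLE_METRICS):
        print(f"{metric}: label '{label}' flagged ({reason})")
```

Run it against the output of `curl http://<exporter>:<port>/metrics` from inside the network; any finding means the value should be removed from the label set, not merely hidden behind authentication.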