Around 336,000 internet-exposed Prometheus servers and exporters were found vulnerable to denial-of-service (DoS) attacks and to information disclosure that lets attackers obtain sensitive data such as credentials and API keys.

Prometheus is an open-source monitoring and alerting toolkit that has become a core component of modern monitoring practice.

Exporters run on many systems and collect metrics from monitored endpoints, allowing Prometheus to scrape and store data from systems, applications, or services that do not expose metrics in the Prometheus format.

The analysis found that publicly accessible Prometheus servers and exporters carry three serious security risks: information disclosure, DoS, and remote code execution.

According to a report shared with Cyber Security News by Aqua Security researchers, “We have identified a worrying risk of DoS attacks originating from the exposure of pprof debugging endpoints, which, if exploited, could inundate and crash Prometheus servers, Kubernetes pods, and other hosts.”

The research found that roughly 40,000 Prometheus servers and over 296,000 exporters reachable from the internet were affected, around 336,000 in total.

Prometheus servers in Shodan

Security Risks Linked to Prometheus Servers and Exporters

When Prometheus servers or exporters are exposed to the public internet without authentication, they leak information. Such misconfigurations allow anyone to query the exposed environment for labels or metrics.

Attackers can use this access to collect seemingly trivial data and, with secret-scanning tools, extract sensitive information such as API keys, credentials, passwords, and authentication tokens.

The researchers noted, “Unauthenticated Prometheus servers offer direct access to internal data, potentially revealing secrets that malicious actors can leverage to initiate an initial infiltration in various organizations.”

Secrets Exposed in Prometheus Servers

In some cases, the exposed /metrics endpoint of Node Exporter itself discloses information.

Such disclosure can unintentionally give attackers access to confidential details, widen the attack surface, and reveal how internal backend functions not intended for public use are used.

In addition, through the /metrics endpoint and public Prometheus servers, attackers may discover subdomains, Docker registries, images, and other corporate information.
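As an added example (not code from the article or from Aqua Security), the following Go program is the kind of check a defender can run over their own exporter's /metrics output before exposing it: it parses the Prometheus text exposition format and flags label names or label values that look like credentials, which is the class of data the secret-scanning step above would otherwise find first. The sample metrics text, the metric names and the detection patterns are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of Prometheus exposition-format output, in the shape an
// exporter's /metrics endpoint returns. Every value here is made up.
const sampleMetrics = `# HELP app_info Build information
# TYPE app_info gauge
app_info{version="1.4.2",registry="registry.internal.example:5000"} 1
# HELP http_requests_total Requests by route
# TYPE http_requests_total counter
http_requests_total{route="/healthz",method="GET"} 1027
db_connection_info{dsn="postgres://svc:S3cretPassw0rd@db.internal:5432/app"} 1
job_config{api_key="AKIAEXAMPLEKEY000000",name="sync"} 1
`

// Finding records one label that should not leave the host unauthenticated.
type Finding struct {
	Metric string
	Label  string
	Value  string
	Reason string
}

var (
	// A sample line: metric name, optional {labels}, then a value.
	metricLine = regexp.MustCompile(`^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{[^}]*\})?\s+\S+`)
	// One label pair inside the braces; the exposition format quotes values.
	labelPair = regexp.MustCompile(`([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"`)
	// Label names that commonly carry credentials (constructed heuristic).
	sensitiveName = regexp.MustCompile(`(?i)(pass(word)?|secret|token|api_?key|credential|auth)`)
	// Values that embed credentials: URL userinfo, bearer tokens, AWS-style key ids.
	sensitiveValue = regexp.MustCompile(`(?i)(://[^/\s:]+:[^@\s]+@|^bearer\s|^AKIA[0-9A-Z]{16}$)`)
)

// FindSensitiveLabels walks exposition text line by line and returns every
// label whose name or value matches one of the credential heuristics.
func FindSensitiveLabels(text string) []Finding {
	var out []Finding
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank or HELP/TYPE comment
		}
		m := metricLine.FindStringSubmatch(line)
		if m == nil || m[2] == "" {
			continue // no label set on this sample
		}
		for _, lp := range labelPair.FindAllStringSubmatch(m[2], -1) {
			name, val := lp[1], lp[2]
			switch {
			case sensitiveName.MatchString(name):
				out = append(out, Finding{m[1], name, val, "label name suggests a credential"})
			case sensitiveValue.MatchString(val):
				out = append(out, Finding{m[1], name, val, "label value looks like an embedded credential"})
			}
		}
	}
	return out
}

func main() {
	for _, f := range FindSensitiveLabels(sampleMetrics) {
		// Print only the location and reason, never the value itself, so the
		// audit log does not become a second copy of the secret.
		fmt.Printf("%s{%s=...}: %s\n", f.Metric, f.Label, f.Reason)
	}
}
```

On the constructed sample this reports two findings: the `dsn` label of `db_connection_info` (a URL with embedded userinfo) and the `api_key` label of `job_config`. Such labels should be removed or masked at the exporter, not just hidden behind authentication, because they also end up in Prometheus's stored time series.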

The pprof endpoint, enabled in most Prometheus components, is reachable over HTTP on misconfigured Prometheus servers and exporters exposed to the internet. The pprof package is commonly used for performance profiling.

“The exposed /debug/pprof endpoint poses notable security twinges. While it is fashioned to support users in profiling remote hosts, malevolent entities can exploit it to carry out Denial of Service (DoS) attacks,” the researchers wrote.

Exposed Prometheus server/Node exporter enabling access to the ‘/debug/pprof’

The researchers also found that some Prometheus exporters are susceptible to RepoJacking.

GitHub RepoJacking is a form of supply chain attack in which attackers take over a GitHub project's dependencies, or an entire project, to run malicious code on any user who depends on them.

This gives an attacker the opportunity to create a new exporter under the same name and host a malicious version.

Countermeasures

  • Protect Prometheus servers and exporters with appropriate authentication mechanisms.
  • Restrict external exposure.
  • Monitor and secure debugging endpoints.
  • Limit resource consumption.
  • Review open-source links to avoid RepoJacking.
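As an added example serving both the pprof discussion above and this countermeasures list (it is not code from the article, from Aqua Security or from the Prometheus project), here is a minimal Go exporter that applies three of the points: it serves /metrics on its own mux, so the handlers that a blank import of `net/http/pprof` registers on `http.DefaultServeMux` are not reachable through it; it requires a bearer token; and it sets server timeouts and a header-size cap. The token, port and metric are constructed for the example, and the token check is an illustration only: a production Prometheus deployment would use the server's web configuration file (`basic_auth_users` with bcrypt hashes, TLS) rather than a hand-rolled check. The pprof import is kept on purpose to show that the default mux does expose /debug/pprof/.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
	"time"
)

// ExposesPprof reports whether a handler answers /debug/pprof/ with anything
// other than 404, i.e. whether the profiling endpoint is reachable through it.
func ExposesPprof(h http.Handler) bool {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/", nil)
	h.ServeHTTP(rec, req)
	return rec.Code != http.StatusNotFound
}

type exporter struct {
	tokenDigest [32]byte // store a digest, not the token, so a memory dump yields less
}

// NewHardenedMux builds a dedicated mux with only /metrics registered. Nothing
// that other packages attach to DefaultServeMux (pprof, expvar, ...) leaks in.
func NewHardenedMux(token string) *http.ServeMux {
	e := &exporter{tokenDigest: sha256.Sum256([]byte(token))}
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", e.requireToken(e.metrics))
	return mux
}

// requireToken rejects requests without a matching "Authorization: Bearer"
// header, comparing digests in constant time (illustrative, see lead-in).
func (e *exporter) requireToken(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if len(auth) <= len(prefix) || auth[:len(prefix)] != prefix {
			w.Header().Set("WWW-Authenticate", `Bearer realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		got := sha256.Sum256([]byte(auth[len(prefix):]))
		if subtle.ConstantTimeCompare(got[:], e.tokenDigest[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// metrics emits one constructed gauge in the text exposition format.
func (e *exporter) metrics(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; version=0.0.4")
	fmt.Fprint(w, "# HELP example_up Whether the example exporter is up\n# TYPE example_up gauge\nexample_up 1\n")
}

// MetricsStatus returns the status code the mux gives /metrics for a given
// Authorization header value ("" sends no header).
func MetricsStatus(h http.Handler, authorization string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	mux := NewHardenedMux("example-token-not-for-production") // constructed
	fmt.Println("DefaultServeMux exposes pprof:", ExposesPprof(http.DefaultServeMux)) // true
	fmt.Println("hardened mux exposes pprof:   ", ExposesPprof(mux))                  // false

	srv := &http.Server{
		Addr:              "127.0.0.1:9100", // loopback; put a reverse proxy or firewall in front for remote scrapes
		Handler:           mux,              // explicitly not DefaultServeMux
		ReadHeaderTimeout: 5 * time.Second,  // bounds slow-header clients
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      30 * time.Second,
		MaxHeaderBytes:    1 << 16,
	}
	log.Fatal(srv.ListenAndServe())
}
```

The check `ExposesPprof(http.DefaultServeMux)` is also useful on its own: run it against any handler you are about to pass to `http.ListenAndServe` and it tells you whether a transitive blank import has quietly attached the profiling endpoint.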

The article “300,000+ Prometheus Monitoring Servers Exposed To DoS Attacks” was originally published on Cyber Security News.