Recent cybersecurity reports indicate a significant vulnerability affecting numerous servers running the Prometheus monitoring and alerting toolkit. Security researchers have identified that thousands of these servers are susceptible to data leakage, denial-of-service (DoS), and remote code execution (RCE) attacks.
Aqua Security researchers Yakir Kadkoda and Assaf Morag disclosed that Prometheus servers and their exporters often lack robust authentication. This deficiency lets attackers exploit the systems easily and gain access to sensitive data, including credentials and API keys, the researchers cautioned in a report shared with The Hacker News.
The researchers also emphasized that the exposure of the “/debug/pprof” endpoints, which track heap memory and CPU usage, can be exploited to facilitate DoS attacks, potentially incapacitating the servers.
Estimates suggest that approximately 296,000 instances of Prometheus Node Exporter and over 40,300 Prometheus servers are publicly accessible over the internet. This exposure represents a considerable attack surface, endangering organizations’ data and services.
Concerns regarding the leakage of sensitive information, such as authentication tokens and API keys, have been previously highlighted in research by JFrog in 2021 and Sysdig in 2022. According to researchers, the lack of authentication on Prometheus servers facilitates direct queries of internal data, potentially leaking secrets that attackers may leverage for initial access to various organizations.
Furthermore, the “/metrics” endpoint has been found to expose details about internal API endpoints, subdomains, Docker registries, and images—information that can assist attackers during reconnaissance and help them broaden their access within a network. Attackers could also send many simultaneous requests to endpoints like “/debug/pprof/heap,” triggering resource-heavy profiling tasks that may cause the servers to become unresponsive.
Aqua Security also identified a potential supply chain threat related to repojacking techniques that exploit the names of deleted or renamed GitHub repositories to deploy malicious third-party exporters.
Specifically, Aqua highlighted that eight exporters mentioned in Prometheus’ official documentation are vulnerable to repojacking. This exploitation could allow adversaries to recreate an exporter with the same name and host a malicious version. The Prometheus security team addressed these vulnerabilities as of September 2024.
According to the researchers, unsuspecting users might unintentionally clone and deploy a harmful exporter, leading to remote code execution on their systems. It is crucial for organizations to enhance the security of their Prometheus servers and exporters by implementing appropriate authentication, reducing public exposure, and actively monitoring “/debug/pprof” endpoints for anomalous activity. Organizations should also take proactive steps to defend against repojacking attacks.
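As an added illustration of the mitigations recommended above (not code from Aqua's report or from the Prometheus project), this Go middleware puts an exporter's “/metrics” and “/debug/pprof” endpoints behind basic authentication and caps how many profiling requests may run at once, so a burst of heap-profile requests is shed with 503 responses instead of exhausting the host. The credentials and the metrics handler are constructed placeholders; Prometheus and node_exporter can enforce authentication and TLS natively through --web.config.file, so this pattern is for exporters or proxies that lack that option.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/pprof"
)

// Constructed credentials for this example only (Prometheus and node_exporter
// can enforce auth natively via --web.config.file; this is for exporters without it).
const exampleUser, examplePass = "prom-admin", "change-me"
// profileSlots bounds concurrent profiling so a burst of /debug/pprof/heap requests cannot hog CPU and memory.
var profileSlots = make(chan struct{}, 2)

// RequireBasicAuth rejects requests that do not carry the expected credentials.
func RequireBasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(exampleUser)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(examplePass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// LimitConcurrent answers 503 instead of queueing when all profiling slots are busy.
func LimitConcurrent(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case profileSlots <- struct{}{}:
			defer func() { <-profileSlots }()
			next.ServeHTTP(w, r)
		default:
			http.Error(w, "profiler busy", http.StatusServiceUnavailable)
		}
	})
}

// NewMux wires an exporter-style server: /metrics behind auth, /debug/pprof
// behind auth plus the concurrency limit; anything else stays 404.
func NewMux(metrics http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/metrics", RequireBasicAuth(metrics))
	mux.Handle("/debug/pprof/", RequireBasicAuth(LimitConcurrent(http.HandlerFunc(pprof.Index))))
	return mux
}
```

Serve the mux with http.ListenAndServe bound to a loopback or internal address, and put TLS in front of it so the basic-auth credentials are not sent in the clear.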