Cyber security researchers have warned that thousands of servers hosting the Prometheus suite of monitoring and alerting tools are at risk of information leakage and exposure to denial of service (DoS) and remote code execution (RCE) attacks.
“Prometheus servers or exporters, often without proper authentication, allowed attackers to easily collect sensitive information such as credentials and API keys,” Aqua Security researchers Yakir Kadkoda and Assaf Morag said in a new report shared with The Hacker News.
The cloud security company also said that the exposure of the “/debug/pprof” endpoints, which are used to profile heap memory usage, CPU usage, and more, can serve as a vector for DoS attacks, rendering servers inoperable.
As many as 296,000 Prometheus node exporter instances and 40,300 Prometheus servers were estimated to be publicly accessible over the Internet, making them a huge attack surface that could put data and services at risk of compromise.
The fact that sensitive information such as credentials, passwords, authentication tokens, and API keys can be leaked through Prometheus servers exposed on the Internet was previously documented by JFrog in 2021 and Sysdig in 2022.
“Unauthenticated Prometheus servers allow direct querying of internal data, potentially exposing secrets that attackers can use to gain a foothold in various organizations,” the researchers said.
In addition, it was discovered that the “/metrics” endpoint can not only expose internal API endpoints, but also data about subdomains, Docker registries, and images – all valuable information for attackers conducting reconnaissance and looking to extend their reach within networks.
That’s not all. An adversary could send multiple concurrent requests to endpoints such as “/debug/pprof/heap” to run CPU- and memory-intensive heap profiling tasks that could overload servers and cause them to crash.
In addition, Aqua identified a supply chain threat that involves the use of repository-hijacking (RepoJacking) techniques to reuse a name associated with deleted or renamed GitHub repositories and introduce malicious third-party exporters.
In particular, it was found that eight exporters listed in the official Prometheus documentation were vulnerable to RepoJacking, thereby allowing an attacker to recreate an exporter with the same name and deploy a fake version. These issues have since been addressed by the Prometheus security team as of September 2024.
“Unsuspecting users following the documentation could unknowingly clone and deploy this malicious exporter, leading to remote code execution on their systems,” the researchers said.
Organizations are encouraged to secure Prometheus servers and exporters with adequate authentication methods, limit public access, monitor the “/debug/pprof” endpoints for any signs of abnormal activity, and take steps to avoid RepoJacking attacks.
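The two findings that the report ties to exposed endpoints, unauthenticated reads of “/metrics” and similar internal APIs, and bursts of requests against “/debug/pprof” that can overload a server, both show up in the access log of whatever sits in front of Prometheus. The following detector is an added example, not code from the Aqua report or the Prometheus project. It assumes Prometheus is published through a reverse proxy writing nginx “combined” format logs (Prometheus itself keeps no access log), that a trusted client range of 10.0.0.0/8 stands in for the organisation's internal network (a hypothetical choice for the example), and that the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx "combined" access-log lines for a reverse proxy placed in
# front of a Prometheus server. IPs, users, timestamps and user agents are
# sample values made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Dec/2024:09:00:01 +0000] "GET /metrics HTTP/1.1" 200 51234 "-" "Prometheus/2.53.0"
203.0.113.7 - - [10/Dec/2024:09:00:02 +0000] "GET /metrics HTTP/1.1" 200 51234 "-" "curl/8.5.0"
203.0.113.7 - - [10/Dec/2024:09:00:03 +0000] "GET /api/v1/status/config HTTP/1.1" 200 8120 "-" "curl/8.5.0"
198.51.100.9 - - [10/Dec/2024:09:00:10 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 190233 "-" "python-requests/2.32"
198.51.100.9 - - [10/Dec/2024:09:00:10 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 190233 "-" "python-requests/2.32"
198.51.100.9 - - [10/Dec/2024:09:00:11 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 190233 "-" "python-requests/2.32"
198.51.100.9 - - [10/Dec/2024:09:00:11 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 190233 "-" "python-requests/2.32"
198.51.100.9 - - [10/Dec/2024:09:00:12 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 190233 "-" "python-requests/2.32"
10.0.0.6 - bob [10/Dec/2024:09:05:00 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 190233 "-" "Go-http-client/1.1"
203.0.113.7 - - [10/Dec/2024:09:06:00 +0000] "GET /metrics HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""

# Fields of the combined format that the checks below need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints the report names as disclosure and DoS vectors.
SENSITIVE_PREFIXES = ("/metrics", "/api/v1/", "/federate")
PPROF_PREFIX = "/debug/pprof"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_internal(ip):
    # Hypothetical trusted range for the example: 10.0.0.0/8 only.
    return ip.startswith("10.")


def analyse(log_text, pprof_burst=5, window=timedelta(seconds=10)):
    """Return (unauth_hits, bursts).

    unauth_hits: list of (ip, path) for successful reads of a sensitive endpoint
                 with no authenticated user from outside the trusted range.
    bursts:      {ip: max_requests} for clients that hit /debug/pprof at least
                 `pprof_burst` times inside any `window`-long interval.
    """
    unauth_hits = []
    pprof_times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        sensitive = path.startswith(SENSITIVE_PREFIXES + (PPROF_PREFIX,))
        # Finding 1: data served (2xx) to an anonymous external client.
        if (sensitive and 200 <= rec["status"] < 300
                and rec["user"] == "-" and not is_internal(rec["ip"])):
            unauth_hits.append((rec["ip"], path))
        # Collect profiler requests per client for the burst check.
        if path.startswith(PPROF_PREFIX):
            pprof_times[rec["ip"]].append(rec["ts"])

    # Finding 2: sliding window over each client's profiler requests.
    bursts = {}
    for ip, times in pprof_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= pprof_burst:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return unauth_hits, bursts


if __name__ == "__main__":
    hits, bursts = analyse(SAMPLE_LOG)
    for ip, path in hits:
        print(f"unauthenticated external read: {ip} {path}")
    for ip, n in bursts.items():
        print(f"pprof burst: {ip} made {n} profiler requests within 10s")
```

On the sample data the first check flags the anonymous external reads of “/metrics”, “/api/v1/status/config” and the profiler (the later 401 is not reported, since the proxy refused it), and the second check flags the client that fired five heap-profile requests inside two seconds; the single internal profiler request from an authenticated user is left alone. The thresholds are starting points to tune against your own baseline, and the same checks apply unchanged to an exporter's “/metrics” endpoint behind the same proxy.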