Thousands of servers potentially at risk from Prometheus security flaw


  • Security researchers claim Prometheus carries numerous dangerous vulnerabilities
  • Other researchers have been shouting from the rooftops for years now
  • The bugs could be used to steal credentials, run arbitrary code, or mount DoS attacks

Prometheus, an open source monitoring and alerting toolkit, is reportedly flawed in a way that allows cybercriminals to steal sensitive information, run denial-of-service (DoS) attacks, and even execute arbitrary code, remotely.

Designed for recording and querying metrics from systems, containers, and applications in real time, Prometheus features a powerful query language (PromQL), time-series data storage, and integrations with visualization tools like Grafana. Furthermore, it supports flexible alerting through its Alertmanager, enabling notifications based on complex conditions across diverse endpoints.

However, cybersecurity researchers from Aqua noted that Prometheus servers and exporters often lack proper authentication, which allows threat actors to gather sensitive information “such as credentials and API keys.” Some components, such as the /debug/pprof endpoint, can directly impact the host machine or pod and serve as a vector for DoS attacks.

RepoJacking

“In our view, this vulnerability demands attention and mitigation,” the researchers added.

Finally, hackers could introduce malicious exporters through abandoned or renamed GitHub repositories, a vulnerability called “RepoJacking”, which ultimately allows them to run arbitrary code remotely.

Aqua said that a Shodan search query came back with more than 296,000 internet-facing exporters, and 40,000 Prometheus servers, totaling roughly 336,000 vulnerable endpoints.

Unfortunately, this is not the first time Prometheus has made headlines for all the wrong reasons. The Hacker News notes that both JFrog and Sysdig warned about sensitive data leakage through the toolkit, in 2021 and 2022 respectively.

“Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations,” Aqua concluded.

While there don’t seem to be any patches for these flaws, the researchers did suggest a number of mitigations, including adding proper authentication mechanisms, limiting external exposure, and monitoring and securing debugging endpoints. Finally, users should limit resource exhaustion and inspect open-source links to avoid RepoJacking.

Via The Hacker News
