Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online

Dec 12, 2024 | Ravie Lakshmanan | Vulnerability / Cloud Security

Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks.

“Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new report shared with The Hacker News.

The cloud security firm also said that the exposure of the “/debug/pprof” endpoints used for determining heap memory usage, CPU usage, and others, could serve as a vector for DoS attacks, rendering the servers inoperable.

As many as 296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers have been estimated to be publicly accessible over the internet, making them a huge attack surface that could put data and services at risk.

The fact that sensitive information, such as credentials, passwords, authentication tokens, and API keys, could be leaked through internet-exposed Prometheus servers has been documented previously by JFrog in 2021 and Sysdig in 2022.

“Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations,” the researchers said.

In addition, it has been found that the “/metrics” endpoint can not only reveal internal API endpoints, but also data about subdomains, Docker registries, and images — all valuable information for an attacker conducting reconnaissance and looking to expand their reach within the network.
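For operators who want to check what their own exporters publish, the following added example (not code from the Aqua report or the Prometheus project) parses Prometheus text-exposition output and flags labels that look like leaked secrets. The regex heuristics, the `audit_metrics` name, and the sample metrics are assumptions constructed for illustration.

```python
import re

# Heuristics chosen for this example (assumptions, not taken from the report).
SECRET_NAME = re.compile(r"(pass(word)?|secret|token|api[_-]?key|auth)", re.I)
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# One sample line of the text exposition format: name{labels} value [timestamp]
SAMPLE_LINE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)\{(.*)\}\s+\S+')
LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

# Constructed /metrics output; every value below is a placeholder.
SAMPLE_METRICS = """\
# HELP http_requests_total Total requests.
# TYPE http_requests_total counter
http_requests_total{method="GET",path="/api/v1/internal/users"} 1027
db_up{dsn="postgres://app:EXAMPLE-PASSWORD@db.internal.example:5432/app"} 1
upstream_info{api_key="EXAMPLE-KEY-0000",registry="registry.internal.example"} 1
go_goroutines 42
"""

def audit_metrics(text):
    """Return (metric, label, reason) for labels that look like leaked secrets."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and HELP/TYPE comments
        m = SAMPLE_LINE.match(line)
        if not m:
            continue  # metric without labels: nothing to inspect
        metric, labels = m.groups()
        for name, value in LABEL.findall(labels):
            if SECRET_NAME.search(name) and value:
                findings.append((metric, name, "secret-like label name"))
            elif URL_CREDS.search(value):
                findings.append((metric, name, "credentials embedded in URL"))
    return findings

if __name__ == "__main__":
    for metric, label, reason in audit_metrics(SAMPLE_METRICS):
        print(f"{metric}: label '{label}' ({reason})")
```
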

That’s not all. An adversary could send multiple simultaneous requests to endpoints like “/debug/pprof/heap” to trigger CPU and memory-intensive heap profiling tasks that can overwhelm the servers and cause them to crash.

Aqua further called out a supply chain threat that involves using repojacking techniques to leverage the name associated with deleted or renamed GitHub repositories and introduce malicious third-party exporters.

Specifically, it discovered that eight exporters listed in Prometheus’ official documentation are vulnerable to RepoJacking, thereby allowing an attacker to recreate an exporter with the same name and host a rogue version. These issues have since been addressed by the Prometheus security team as of September 2024.

“Unsuspecting users following the documentation could unknowingly clone and deploy this malicious exporter, leading to remote code execution on their systems,” the researchers said.

Organizations are advised to secure Prometheus servers and exporters with adequate authentication methods, limit public exposure, monitor “/debug/pprof” endpoints for any signs of anomalous activity, and take steps to avoid RepoJacking attacks.
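One way to monitor “/debug/pprof” for the burst pattern described above, as an added example that is not part of the original article: a sliding-window counter over access-log lines. It assumes a reverse proxy in front of Prometheus writes common-log-format lines in time order; the `pprof_bursts` name, the thresholds, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format: ip - - [timestamp] "METHOD path PROTO" status size
LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    *(f'203.0.113.7 - - [12/Dec/2024:10:00:0{i} +0000] '
      f'"GET /debug/pprof/heap HTTP/1.1" 200 4096' for i in range(6)),
    '198.51.100.4 - - [12/Dec/2024:10:00:01 +0000] "GET /metrics HTTP/1.1" 200 5120',
    '198.51.100.4 - - [12/Dec/2024:10:00:02 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 4096',
]

def pprof_bursts(lines, threshold=5, window_s=10):
    """Return {client_ip: peak count} for clients that requested /debug/pprof
    at least `threshold` times within any `window_s`-second window."""
    recent = defaultdict(deque)   # per-client timestamps inside the window
    peaks = {}
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue              # ignore lines that are not in the expected format
        ip, ts, _method, path, _status = m.groups()
        if not path.split("?", 1)[0].startswith("/debug/pprof"):
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()           # drop requests older than the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, count in pprof_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} /debug/pprof requests within 10s")
```
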
