Thousands of servers potentially at risk from Prometheus security flaw


  • Security researchers claim Prometheus carries numerous dangerous vulnerabilities
  • Other researchers have been shouting from the rooftops for years now
  • The bugs could be used to steal credentials, run arbitrary code, or mount DoS attacks

Prometheus, an open source monitoring and alerting toolkit, is reportedly flawed in a way that allows cybercriminals to steal sensitive information, run denial-of-service (DoS) attacks, and even execute arbitrary code remotely.

Designed for recording and querying metrics from systems, containers, and applications in real time, Prometheus features a powerful query language (PromQL), time-series data storage, and integrations with visualization tools like Grafana. Furthermore, it supports flexible alerting through its Alertmanager, enabling notifications based on complex conditions across diverse endpoints.

However, cybersecurity researchers from Aqua noted that Prometheus servers and exporters often lack proper authentication, which allows threat actors to gather sensitive information “such as credentials and API keys.” Some components, such as the /debug/pprof endpoint, can directly impact the host machine or pod and serve as a vector for DoS attacks.

RepoJacking

“In our view, this vulnerability demands attention and mitigation,” the researchers added.

Finally, hackers could introduce malicious exporters through abandoned or renamed GitHub repositories, a vulnerability called “RepoJacking” which ultimately allows them to run arbitrary code remotely.

Aqua said that a Shodan search query came back with more than 296,000 internet-facing exporters, and 40,000 Prometheus servers, totaling roughly 336,000 vulnerable endpoints.

Unfortunately, this is not the first time Prometheus has made headlines for all the wrong reasons. The Hacker News notes that both JFrog and Sysdig warned about sensitive data leakage through the toolkit, back in 2021 and 2022, respectively.


“Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations,” Aqua concluded.

While there don’t seem to be any patches for these flaws, the researchers did suggest a number of mitigations, including adding proper authentication mechanisms, limiting external exposure, and monitoring and securing debugging endpoints. Finally, users should limit resource exhaustion, and inspect open-source links to avoid RepoJacking.
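The first two mitigations above (authentication and limiting exposure) map directly onto the web configuration file that Prometheus and the official exporters accept via `--web.config.file`. The following is an added example, not from the article or from Aqua; the file path, certificate paths, username and the bcrypt hash are assumed placeholders.

```yaml
# web.yml (assumed path), passed to the server or exporter as:
#   prometheus --web.config.file=web.yml
#   node_exporter --web.config.file=web.yml
#
# Without this file, every HTTP endpoint, including /metrics, the
# query API and /debug/pprof, is served in plain HTTP to any client
# that can reach the port. With it, TLS is required and basic auth
# is enforced on all endpoints the process serves.

tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt   # assumed path
  key_file: /etc/prometheus/tls/server.key    # assumed path
  min_version: TLS12

basic_auth_users:
  # Value is a bcrypt hash, never the plaintext password.
  # Generate one with: htpasswd -nBC 12 "" | cut -d: -f2
  scraper: "$2y$12$PLACEHOLDER_BCRYPT_HASH_REPLACE_ME"
```

Validate the file with `promtool check web-config web.yml` before deploying, and keep the port behind a firewall or network policy so that authentication is the second line of defence rather than the only one.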

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
