Thousands of servers potentially at risk from Prometheus security flaw


  • Security researchers claim Prometheus carries numerous dangerous vulnerabilities
  • Other researchers have been shouting from the rooftops for years now
  • The bugs could be used to steal credentials, run arbitrary code, or mount DoS attacks

Prometheus, an open source monitoring and alerting toolkit, is reportedly flawed in a way that allows cybercriminals to steal sensitive information, run denial-of-service (DoS) attacks, and even execute arbitrary code remotely.

Designed for recording and querying metrics from systems, containers, and applications in real time, Prometheus features a powerful query language (PromQL), time-series data storage, and integrations with visualization tools like Grafana. Furthermore, it supports flexible alerting through its Alertmanager, enabling notifications based on complex conditions across diverse endpoints.

However, cybersecurity researchers from Aqua noted that Prometheus servers and exporters often lack proper authentication, which allows threat actors to gather sensitive information “such as credentials and API keys.” Some components, such as the /debug/pprof endpoint, can directly impact the host machine or pod and serve as a vector for DoS attacks.

RepoJacking

“In our view, this vulnerability demands attention and mitigation,” the researchers added.

Finally, hackers could introduce malicious exporters through abandoned or renamed GitHub repositories, a vulnerability called “RepoJacking” which ultimately allows them to run arbitrary code remotely.

Aqua said that a Shodan search query came back with more than 296,000 internet-facing exporters, and 40,000 Prometheus servers, totaling roughly 336,000 vulnerable endpoints.

Unfortunately, this is not the first time Prometheus has made headlines for all the wrong reasons. As The Hacker News notes, both JFrog and Sysdig warned about sensitive data leakage through the toolkit, back in 2021 and 2022, respectively.

“Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations,” Aqua concluded.

While there don’t seem to be any patches for these flaws, the researchers did suggest a number of mitigations, including adding proper authentication mechanisms, limiting external exposure, and monitoring and securing debugging endpoints. Users should also limit resource exhaustion and inspect open-source links to avoid RepoJacking.
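The mitigations the researchers list (authentication, limited exposure, monitored debug endpoints) can be checked against the access logs of a reverse proxy placed in front of Prometheus. The following is an added example, not Aqua’s or the Prometheus project’s code: it scans constructed nginx-style log lines for successful unauthenticated or external requests to the paths the article singles out (/debug/pprof and the query/config API). The log format and the internal network ranges are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed nginx-style access log lines (sample data, not from the article).
# Field order: client IP, ident, basic-auth user ("-" if none), time, request, status, bytes.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Dec/2024:10:00:01 +0000] "GET /api/v1/query?query=up HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2024:10:00:02 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 20480
203.0.113.7 - - [12/Dec/2024:10:00:03 +0000] "GET /api/v1/status/config HTTP/1.1" 200 4096
10.0.0.9 - - [12/Dec/2024:10:00:04 +0000] "GET /metrics HTTP/1.1" 200 1024
198.51.100.3 - - [12/Dec/2024:10:00:05 +0000] "GET /api/v1/query?query=up HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

# Paths the article flags: pprof (host/pod impact, DoS) and the HTTP API that returns
# scraped data and the running configuration (credential and API-key leakage).
SENSITIVE_PREFIXES = ("/debug/pprof", "/api/v1/status/config", "/api/v1/query",
                      "/api/v1/series", "/api/v1/label")

# Assumed internal ranges; adjust to the networks that should reach Prometheus.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def audit(log_text: str) -> List[Dict[str, str]]:
    """One finding per successful (2xx) request to a sensitive path that was
    either unauthenticated or came from outside the internal ranges."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(SENSITIVE_PREFIXES) or not m["status"].startswith("2"):
            continue  # not sensitive, or already rejected by the proxy (e.g. 401)
        reasons = [r for r, hit in (("no-auth", m["user"] == "-"),
                                    ("external-source", not is_internal(m["ip"]))) if hit]
        if reasons:
            findings.append({"ip": m["ip"], "path": path, "reason": ",".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```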

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
