Cybersecurity researchers have raised alarms over the exposure of more than 300,000 Prometheus monitoring and alerting toolkit instances, highlighting serious security risks related to information leakage and potential attacks. According to a report by Aqua Security, many of these Prometheus servers and exporters lack proper authentication, allowing attackers to easily access sensitive information such as credentials, API keys, and passwords. This exposure increases the chances of unauthorized access to internal data, which could be exploited for malicious purposes.
In addition to the leakage of sensitive data, the report highlighted the potential for Denial-of-Service (DoS) attacks through the “/debug/pprof” endpoints. These endpoints, which provide detailed system performance data such as memory usage and CPU statistics, could be targeted by attackers to overwhelm servers. By triggering resource-intensive operations, attackers could cause system crashes, leading to significant disruptions in services. This vulnerability adds another layer of risk for organizations relying on Prometheus servers.
Researchers also identified the “/metrics” endpoint as a critical risk factor, as it reveals valuable internal data, including subdomains, Docker registries, and API endpoints. This exposure provides attackers with essential reconnaissance data, allowing them to expand their attacks and compromise additional parts of the network. Such leaks can be leveraged to gain a foothold in organizations’ infrastructure, potentially leading to remote code execution (RCE) attacks.
The report also pointed to a growing supply chain threat in the form of RepoJacking. This involves the exploitation of renamed or deleted GitHub repositories, allowing attackers to create malicious third-party exporters with the same name as legitimate ones. Once deployed, these malicious exporters could lead to remote code execution on the affected systems. While Prometheus has addressed some of these issues, Aqua Security emphasized the importance of securing Prometheus servers and exporters with strong authentication methods, monitoring for anomalous activities, and taking proactive steps to prevent further exposure.
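To show what the recommended hardening looks like for the two exposures described above (unauthenticated “/metrics” and network-reachable “/debug/pprof”), here is an added Go example of a minimal exporter; it is not code from the Aqua report or from the Prometheus project, and the listen address 127.0.0.1:9100 and the credential prom/change-me are assumed placeholders.

```go
package main
import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"net/http/pprof" // side effect: registers /debug/pprof on http.DefaultServeMux, so never serve that mux
)
// RequireAuth answers 401 unless the request carries the expected Basic credential; the password
// is compared as a SHA-256 digest in constant time (a real deployment would store a bcrypt hash).
func RequireAuth(user, pass string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		got := sha256.Sum256([]byte(p))
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 ||
			subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// LoopbackOnly answers 404 to any client not connecting from 127.0.0.1 or ::1, so the
// profiler stays usable by an operator on the host but is unreachable from the network.
func LoopbackOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if ip := net.ParseIP(host); err != nil || ip == nil || !ip.IsLoopback() {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// NewMux wires both guards onto a private mux; /metrics serves one constructed sample metric.
func NewMux(user, pass string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/metrics", RequireAuth(user, pass, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; version=0.0.4")
		w.Write([]byte("# TYPE example_up gauge\nexample_up 1\n"))
	})))
	mux.Handle("/debug/pprof/", LoopbackOnly(http.HandlerFunc(pprof.Index)))
	return mux
}
func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:9100", NewMux("prom", "change-me"))) // assumed placeholder credential
}
```

Prometheus and the official exporters provide the same protection for their own endpoints through the `--web.config.file` option (`basic_auth_users` and TLS settings); the example shows what that layer does for a custom exporter that would otherwise expose both endpoints unauthenticated.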