Prometheus Security Flaws Expose Servers to Remote Attacks, Researchers Warn

Prometheus, a widely used open-source monitoring and alerting toolkit, has been found to have serious vulnerabilities that could allow cybercriminals to steal sensitive data, run malicious code, or even launch denial-of-service (DoS) attacks.

Prometheus is a powerful tool designed to record, query and visualize real-time metrics from systems, containers, and applications.

Researchers from Aqua Security have highlighted that Prometheus servers and exporters often run without any authentication, so anyone who can reach them can read the metrics and configuration they expose, which frequently include sensitive information such as API keys and credentials. In addition, the /debug/pprof profiling endpoint that Prometheus and Go-based exporters expose lets an unauthenticated client request CPU and memory profiles on demand; repeated requests consume host resources and can be used to mount a DoS attack against the host machine.

Their research identified over 336,000 Prometheus servers and exporters exposed to the internet, leaving them open to these attacks.

One of the biggest risks they identified was “RepoJacking”: links to exporters in documentation and community lists point to GitHub repositories whose owning account has since been renamed or deleted. An attacker can register the abandoned account name, publish a malicious exporter at the old URL, and have that code run on any system whose operators install the exporter from the stale link, giving the attacker remote code execution.

Recommendations

There are no official patches for these issues, so Aqua’s researchers suggest several ways to mitigate the risks:

Secure Prometheus servers and exporters with robust authentication, so that only authorized users can read metrics or interact with internal APIs. Also minimize exposure of Prometheus to the public internet, and use a VPN or a private network for any access from outside.

The “/debug/pprof” endpoint, which can be abused for DoS attacks, should never be publicly accessible. Limit access to debugging and profiling endpoints to internal users only, or disable them entirely in production environments.
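The two recommendations above, put into code. This is an added example written for this article, not code from Aqua or from the Prometheus project: a minimal Go exporter whose handler refuses any request without HTTP basic-auth credentials and, on top of that, only serves /debug/pprof to loopback clients, so a remote caller cannot trigger profiles even with valid credentials. The user name and password are placeholder constants assumed for the example; a real exporter would load them from a secret store or use the Prometheus exporter-toolkit web config file, which stores bcrypt hashes.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/pprof"
	"strings"
)

// Placeholder credentials for this example only. A real exporter should load
// them from a secret store or use exporter-toolkit's web config file, which
// keeps bcrypt hashes rather than plaintext.
const (
	scrapeUser = "prometheus"
	scrapePass = "correct-horse-battery-staple"
)

// NewHandler builds the exporter's HTTP handler. Every request must carry
// valid basic-auth credentials, and /debug/pprof/ is further limited to
// loopback clients so that a remote caller cannot request CPU or heap
// profiles that drain the host.
func NewHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
		// Stand-in for a real collector: a single constant gauge.
		fmt.Fprintln(w, "# TYPE example_up gauge")
		fmt.Fprintln(w, "example_up 1")
	})
	// Registering pprof explicitly (instead of the package's default mux
	// side effect) keeps it behind the same middleware as everything else.
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	return requireBasicAuth(loopbackOnlyPprof(mux))
}

// requireBasicAuth rejects requests that lack the expected credentials.
func requireBasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		// Constant-time comparison so response timing does not reveal how
		// much of a guessed credential was correct.
		userOK := subtle.ConstantTimeCompare([]byte(user), []byte(scrapeUser)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(scrapePass)) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="exporter"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// loopbackOnlyPprof answers 403 for any /debug/pprof request whose peer
// address is not 127.0.0.1 or ::1, even when it authenticated successfully.
func loopbackOnlyPprof(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/debug/pprof") {
			host, _, err := net.SplitHostPort(r.RemoteAddr)
			if err != nil || !net.ParseIP(host).IsLoopback() {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Bind to loopback; expose the exporter only through a private network
	// or a TLS-terminating reverse proxy, never directly to the internet.
	log.Fatal(http.ListenAndServe("127.0.0.1:9100", NewHandler()))
}
```

With this wiring an unauthenticated scrape of /metrics gets 401, an authenticated scrape succeeds, and /debug/pprof/ returns 403 to any non-loopback peer. For the Prometheus server itself, the equivalent of the first middleware is the built-in web configuration file (passed with --web.config.file), which supports basic_auth_users and a tls_server_config block; the pprof restriction has to come from a reverse proxy or network policy in front of it, since the server does not carry an IP allow list of its own.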

They also recommend setting CPU and memory limits on Prometheus and exporter processes, so that an attack which drains resources is contained rather than taking down the host, and always inspecting open-source links before installing an exporter to confirm they still point to the original, trusted repository, which guards against RepoJacking.
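A way to automate the link inspection, as an added example that is not part of Aqua’s research or the Prometheus project: the precondition for RepoJacking is a repository whose owner has been renamed, and GitHub answers requests for the old URL with a redirect to the new owner until someone registers the old name. The function below issues a HEAD request without following redirects and flags a link as suspicious when it is dangling (404) or redirects to a different owner than the one the documentation names. The sample links in main and the owner names in the test are constructed for illustration. The check cannot detect a takeover that has already happened, because the stale link then serves the attacker’s repository with a plain 200, so it complements rather than replaces pinning exporters to a known commit or release checksum.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// LinkStatus summarises what a repository link resolves to.
type LinkStatus struct {
	Missing    bool   // 404: the owner or repository no longer exists
	Redirected bool   // 3xx: the host forwards to a renamed or transferred repo
	OldOwner   string // owner segment of the link as published
	NewOwner   string // owner segment of the redirect target, if any
}

// repoOwner extracts the lower-cased owner segment from a repository URL
// such as https://github.com/prometheus/node_exporter or a relative path
// such as /new-org/node_exporter (as found in a Location header).
func repoOwner(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || parts[0] == "" {
		return "", fmt.Errorf("not an owner/repo link: %q", raw)
	}
	return strings.ToLower(parts[0]), nil
}

// CheckRepoLink performs a HEAD request with redirects disabled so that the
// first hop's status and Location header can be inspected directly.
func CheckRepoLink(client *http.Client, link string) (LinkStatus, error) {
	st := LinkStatus{}
	owner, err := repoOwner(link)
	if err != nil {
		return st, err
	}
	st.OldOwner = owner

	// Copy the caller's transport and timeout but stop at the first response.
	c := &http.Client{
		Transport: client.Transport,
		Timeout:   client.Timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := c.Head(link)
	if err != nil {
		return st, err
	}
	defer resp.Body.Close()

	switch resp.StatusCode {
	case http.StatusNotFound:
		st.Missing = true
	case http.StatusMovedPermanently, http.StatusFound,
		http.StatusTemporaryRedirect, http.StatusPermanentRedirect:
		st.Redirected = true
		if target, err := repoOwner(resp.Header.Get("Location")); err == nil {
			st.NewOwner = target
		}
	}
	return st, nil
}

// Suspicious reports whether installation should be blocked until a human
// confirms the repository: the link is dangling, or it has been renamed
// away from the owner the documentation still names.
func (s LinkStatus) Suspicious() bool {
	return s.Missing || (s.Redirected && s.NewOwner != "" && s.NewOwner != s.OldOwner)
}

func main() {
	// Stand-alone usage against the real GitHub; the link is one every
	// Prometheus user will recognise and is expected to resolve cleanly.
	st, err := CheckRepoLink(http.DefaultClient, "https://github.com/prometheus/node_exporter")
	if err != nil {
		fmt.Println("check failed:", err)
		return
	}
	fmt.Printf("%+v suspicious=%v\n", st, st.Suspicious())
}
```

Run it over every exporter URL in a deployment's install scripts or documentation before a rollout, and treat any Suspicious() hit as a stop: look up the repository under its current owner and update the link, rather than letting an installer fetch whatever now lives at the old name.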

You can review Aqua’s full research and recommendations on their analysis page.
