A large-scale unauthenticated sweep of publicly reachable, unsecured endpoints on older versions of the Prometheus event monitoring and alerting solution could be leveraged to inadvertently leak sensitive information, according to recent research.
"Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven't yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in a report.
Prometheus is an open-source system monitoring and alerting toolkit used to collect and process metrics from different endpoints, alongside enabling easy observation of software metrics such as memory usage, network usage, and application-defined metrics, such as the number of failed logins to a web application. Support for Transport Layer Security (TLS) and basic authentication was introduced with version 2.24.0, released on January 6, 2021; both are configured through a web configuration file passed with the --web.config.file flag rather than through prometheus.yml.
The findings come from a systematic sweep of publicly exposed Prometheus endpoints that were accessible on the Internet without requiring any authentication. The metrics found expose software versions and host names, which the researchers said could be weaponized by attackers to conduct reconnaissance of a target environment before exploiting a specific server, or for post-exploitation techniques like lateral movement.
Some of the endpoints and the information they disclose are as follows:
- /api/v1/status/config – Leakage of usernames and passwords supplied in URL strings (for example remote_write or alertmanager URLs of the form https://user:password@host) from the loaded YAML configuration file
- /api/v1/targets – Leakage of metadata labels, including environment variables as well as user and machine names, attached to target machine addresses
- /api/v1/status/flags – Leakage of usernames when the flag values contain a full path to the YAML configuration file (for example a path under a user's home directory)
Even more concerningly, an attacker can use the /api/v1/status/flags endpoint to query the state of two management interfaces, web.enable-admin-api and web.enable-lifecycle, and if they were manually enabled, exploit them to delete all stored metrics and, worse, shut down the monitoring server: the admin API exposes POST /api/v1/admin/tsdb/delete_series, and the lifecycle API exposes POST /-/reload and POST /-/quit. It is worth noting that both flags are disabled by default for security reasons as of Prometheus 2.0, so an unauthenticated server that reports them as true has been deliberately opened up.
JFrog said it found that about 15% of the Internet-facing Prometheus endpoints had the lifecycle (API management) setting enabled, and 4% had the admin (database management) API turned on. A total of around 27,000 hosts were identified through a search on the IoT search engine Shodan.
Besides recommending that organizations "query the endpoints […] to help verify if sensitive data may have been exposed," the researchers noted that "advanced users requiring stronger authentication or encryption than what's provided by Prometheus, can also set up a separate network entity to handle the security layer."
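The following script shows what such a self-check looks like in practice. It is an added example written for this page, not JFrog's scanner or code from the Prometheus project: it parses the three API responses listed above, flags the two management settings, pulls credentials out of URLs in the loaded configuration, spots home-directory paths in flag values, and collects target labels that give away hosts, users or environments. The SAMPLE_* responses are constructed to resemble real API output (the hostnames, usernames and the s3cr3t password are invented) so the audit runs offline; only fetch() talks to a live server, and it is not called by the sample run.

```python
"""Offline audit of the Prometheus API responses discussed above.

Added example, not JFrog's tooling or Prometheus code. The SAMPLE_* strings
are constructed to resemble unauthenticated GET responses from
/api/v1/status/flags, /api/v1/status/config and /api/v1/targets.
"""
import json
import re
import urllib.request
from urllib.parse import urlsplit

# Constructed sample for GET /api/v1/status/flags (flag values are strings).
SAMPLE_FLAGS = json.dumps({
    "status": "success",
    "data": {
        "config.file": "/home/alice/prometheus/prometheus.yml",
        "web.enable-admin-api": "true",
        "web.enable-lifecycle": "false",
        "web.listen-address": "0.0.0.0:9090",
    },
})

# Constructed sample for GET /api/v1/status/config; data.yaml is the loaded
# configuration, here with a remote_write URL carrying embedded credentials.
SAMPLE_CONFIG = json.dumps({
    "status": "success",
    "data": {"yaml": (
        "global:\n  scrape_interval: 15s\n"
        "remote_write:\n"
        "  - url: https://metrics:s3cr3t@mimir.example.internal/api/v1/push\n"
        "scrape_configs:\n  - job_name: node\n    static_configs:\n"
        "      - targets: ['10.0.0.5:9100']\n"
    )},
})

# Constructed sample for GET /api/v1/targets with host and owner labels.
SAMPLE_TARGETS = json.dumps({
    "status": "success",
    "data": {"activeTargets": [{
        "discoveredLabels": {"__address__": "10.0.0.5:9100",
                             "__meta_ec2_tag_Owner": "alice"},
        "labels": {"instance": "10.0.0.5:9100", "job": "node",
                   "env": "prod", "hostname": "db-primary-01"},
        "scrapeUrl": "http://10.0.0.5:9100/metrics",
        "health": "up",
    }]},
})

DANGEROUS_FLAGS = ("web.enable-admin-api", "web.enable-lifecycle")
URL_RE = re.compile(r"""[a-z][a-z0-9+.-]*://[^\s'"]+""", re.I)
HOME_RE = re.compile(r"^/(?:home|Users)/([^/]+)/")
RECON_LABEL_RE = re.compile(r"host|user|owner|env|version", re.I)


def fetch(base_url: str, path: str, timeout: float = 5.0) -> str:
    """GET an API path with no credentials; an HTTP 200 is itself the finding."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return resp.read().decode()


def dangerous_flags(flags_json: str) -> dict:
    """Map each management flag to whether the server reports it enabled."""
    data = json.loads(flags_json)["data"]
    return {flag: data.get(flag) == "true" for flag in DANGEROUS_FLAGS}


def usernames_in_paths(flags_json: str) -> list:
    """Local usernames revealed by home-directory paths in flag values."""
    data = json.loads(flags_json)["data"]
    return [m.group(1) for v in data.values() if isinstance(v, str)
            for m in [HOME_RE.match(v)] if m]


def credentialed_urls(config_json: str) -> list:
    """(username, host) for every URL in the loaded YAML that carries userinfo."""
    yaml_text = json.loads(config_json)["data"]["yaml"]
    found = []
    for match in URL_RE.finditer(yaml_text):
        parts = urlsplit(match.group(0))
        if parts.username:
            found.append((parts.username, parts.hostname))
    return found


def exposed_labels(targets_json: str) -> dict:
    """Target labels whose names suggest host, user or environment details."""
    out = {}
    for target in json.loads(targets_json)["data"].get("activeTargets", []):
        for labels in (target.get("discoveredLabels", {}), target.get("labels", {})):
            for key, value in labels.items():
                if RECON_LABEL_RE.search(key):
                    out[key] = value
    return out


def audit(flags_json: str, config_json: str, targets_json: str) -> list:
    """Human-readable findings from the three responses."""
    findings = []
    for flag, enabled in dangerous_flags(flags_json).items():
        if enabled:
            findings.append(f"--{flag} is enabled on an unauthenticated server")
    for user in usernames_in_paths(flags_json):
        findings.append(f"flag values reveal local username {user!r}")
    for user, host in credentialed_urls(config_json):
        findings.append(f"config leaks credentials for {user!r} at {host}")
    for key, value in exposed_labels(targets_json).items():
        findings.append(f"target label {key}={value!r} aids reconnaissance")
    return findings


if __name__ == "__main__":
    # Swap the samples for fetch(base, "/api/v1/status/flags") etc. to audit
    # a server you are authorized to test.
    for line in audit(SAMPLE_FLAGS, SAMPLE_CONFIG, SAMPLE_TARGETS):
        print(line)
```

The check is deliberately read-only: it never calls the admin or lifecycle endpoints, since a delete_series or /-/quit request against a production server is destructive. Newer Prometheus releases redact passwords in the rendered configuration, so an empty credentialed_urls() result on a current version does not prove the remote_write secret was never exposed by an earlier one.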