A large-scale unauthenticated scraping of publicly available and unsecured endpoints from older versions of the Prometheus event monitoring and alerting solution could be leveraged to inadvertently leak sensitive information, according to the latest research.
“Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven't yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in a report.
Prometheus is an open-source system monitoring and alerting toolkit used to collect and process metrics from different endpoints, enabling easy observation of software metrics such as memory usage, network usage, and application-defined metrics, such as the number of failed logins to a web application. Support for Transport Layer Security (TLS) and basic authentication was introduced with version 2.24.0, released on January 6, 2021.
The findings come from a systematic sweep of publicly exposed Prometheus endpoints that were accessible on the Internet without requiring any authentication. The metrics found expose software versions and host names, which the researchers said could be weaponized by attackers to conduct reconnaissance of a target environment before exploiting a particular server, or for post-exploitation techniques like lateral movement.
Some of the endpoints and the information they disclose are as follows –
- /api/v1/status/config – Leakage of usernames and passwords provided in URL strings from the loaded YAML configuration file
- /api/v1/targets – Leakage of metadata labels, including environment variables as well as user and machine names, attached to target machine addresses
- /api/v1/status/flags – Leakage of usernames when a full path to the YAML configuration file is provided
Even more concerningly, an attacker can use the “/api/v1/status/flags” endpoint to query the status of two management interfaces, “web.enable-admin-api” and “web.enable-lifecycle”, and if they have been manually enabled, exploit them to delete all stored metrics and, worse, shut down the monitoring server (the admin API exposes the TSDB delete_series endpoint, and the lifecycle flag exposes /-/quit and /-/reload; neither checks credentials on its own). It's worth noting that both are disabled by default for security reasons as of Prometheus 2.0.
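The following script is an added example (not code from the JFrog report or the Prometheus project) that performs the checks described above against the three endpoints listed: it reads the flag status from /api/v1/status/flags, pulls credentials out of the YAML returned by /api/v1/status/config, and summarises the addresses and non-standard labels exposed by /api/v1/targets. The endpoint paths and response shapes are Prometheus's own HTTP API; the SAMPLE_* responses are constructed so it runs offline, and the helper names (check_flags, find_config_credentials, collect_target_exposure, audit) are this example's own.

```python
"""Audit an exposed Prometheus server's unauthenticated status endpoints.

Added example, not code from the JFrog report or the Prometheus project.
Endpoint paths and response shapes are the Prometheus HTTP API's; the
SAMPLE_* responses below are constructed for offline use.
"""
import json
import re
import sys
from urllib.request import urlopen

# Credentials embedded in a URL, e.g. https://user:pass@host/ in a remote_write url.
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.\-]*://([^:/@\s]+):([^@/\s]+)@", re.I)
# Scalar credential fields in the served YAML. Current Prometheus versions
# redact secret values as <secret>, but usernames are returned verbatim.
CRED_FIELD_RE = re.compile(r"^\s*(username|password|bearer_token)\s*:\s*(\S+)", re.M)
REDACTED = "<secret>"
STANDARD_LABELS = {"job", "instance"}


def check_flags(flags_resp):
    """Read /api/v1/status/flags: are the admin API / lifecycle flags on?"""
    data = flags_resp.get("data", {})
    return {
        "admin_api": data.get("web.enable-admin-api") == "true",  # can delete all series
        "lifecycle": data.get("web.enable-lifecycle") == "true",  # can /-/quit the server
        "config_file": data.get("config.file"),                   # path may embed a username
    }


def find_config_credentials(config_resp):
    """Pull credentials out of the YAML served by /api/v1/status/config."""
    yaml_text = config_resp.get("data", {}).get("yaml", "")
    found = [("url", m.group(1), m.group(2)) for m in URL_CRED_RE.finditer(yaml_text)]
    for m in CRED_FIELD_RE.finditer(yaml_text):
        if m.group(2) != REDACTED:  # skip values Prometheus already redacted
            found.append(("field", m.group(1), m.group(2)))
    return found


def collect_target_exposure(targets_resp):
    """Summarise /api/v1/targets: scrape addresses plus every non-standard label.

    Service-discovery __meta_* labels and custom labels are where owner
    names, environment tags and internal hostnames end up."""
    addresses, labels = set(), {}
    for target in targets_resp.get("data", {}).get("activeTargets", []):
        addr = target.get("discoveredLabels", {}).get("__address__") or target.get("scrapeUrl")
        if addr:
            addresses.add(addr)
        for source in ("discoveredLabels", "labels"):
            for key, value in target.get(source, {}).items():
                if key in STANDARD_LABELS or (key.startswith("__") and not key.startswith("__meta_")):
                    continue
                labels[key] = value
    return {"addresses": sorted(addresses), "labels": labels}


def fetch_json(base_url, path, timeout=10):
    """GET an API endpoint with no credentials; an exposed server answers anyway."""
    with urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return json.load(resp)


def audit(base_url):
    """Run all three checks against a live server you are authorised to test."""
    return {
        "flags": check_flags(fetch_json(base_url, "/api/v1/status/flags")),
        "config_credentials": find_config_credentials(fetch_json(base_url, "/api/v1/status/config")),
        "targets": collect_target_exposure(fetch_json(base_url, "/api/v1/targets")),
    }


# Constructed sample responses in the shape the Prometheus HTTP API returns.
SAMPLE_FLAGS = {"status": "success", "data": {
    "config.file": "/etc/prometheus/prometheus.yml",
    "web.enable-admin-api": "true", "web.enable-lifecycle": "false",
    "web.listen-address": "0.0.0.0:9090"}}
SAMPLE_CONFIG = {"status": "success", "data": {"yaml":
    "global:\n  scrape_interval: 15s\n"
    "scrape_configs:\n- job_name: node\n  basic_auth:\n"
    "    username: metrics-reader\n    password: <secret>\n"
    "remote_write:\n- url: https://rw-user:Hunter2@metrics.internal:9201/write\n"}}
SAMPLE_TARGETS = {"status": "success", "data": {"activeTargets": [{
    "discoveredLabels": {"__address__": "db-01.corp.internal:9100",
                         "__scheme__": "http", "__meta_ec2_tag_owner": "alice"},
    "labels": {"job": "node", "instance": "db-01.corp.internal:9100",
               "env": "prod", "owner": "alice"},
    "scrapeUrl": "http://db-01.corp.internal:9100/metrics", "health": "up"}],
    "droppedTargets": []}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python audit.py http://host:9090
        print(json.dumps(audit(sys.argv[1]), indent=2))
    else:                  # offline demonstration on the constructed samples
        print(json.dumps({"flags": check_flags(SAMPLE_FLAGS),
                          "config_credentials": find_config_credentials(SAMPLE_CONFIG),
                          "targets": collect_target_exposure(SAMPLE_TARGETS)}, indent=2))
```

On the constructed sample the script reports the admin API enabled, a remote_write URL carrying a username and password, a basic_auth username left unredacted, and an internal database hostname plus owner tag; a clean server returns an empty credential list and false for both flags. Point audit() only at servers you are authorised to test.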
JFrog said it found that about 15% of the Internet-facing Prometheus endpoints had the API management setting enabled, and 4% had database management turned on. A total of around 27,000 hosts were identified via a search on the IoT search engine Shodan.
Besides recommending that organizations “query the endpoints […] to help verify if sensitive data may have been exposed,” the researchers noted that “advanced users requiring stronger authentication or encryption than what's provided by Prometheus, could set up a separate network entity to handle the security layer.”
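For servers on 2.24.0 or later, the built-in TLS and basic authentication mentioned earlier are the first line of defence before any separate security layer. The fragment below is an added example, not configuration from the report or the Prometheus documentation; the file paths and the bcrypt hash are placeholders to be replaced with your own.

```yaml
# web.yml (placeholder paths and hash). Start the server with:
#   prometheus --web.config.file=web.yml
tls_server_config:
  cert_file: /etc/prometheus/tls/prometheus.crt   # placeholder path
  key_file: /etc/prometheus/tls/prometheus.key    # placeholder path
basic_auth_users:
  # bcrypt hash of the password, e.g. generated with:
  #   htpasswd -nBC 10 "" | tr -d ':\n'
  admin: "$2y$10$REPLACE_WITH_BCRYPT_HASH"
```

With basic_auth_users set, every HTTP endpoint, including /api/v1/status/config, /api/v1/targets and /api/v1/status/flags, returns 401 without credentials, so any client that reads from the server (dashboards, federation, or Prometheus scraping its own /metrics) must be given a basic_auth block as well; a quick `curl -k https://host:9090/api/v1/status/flags` with no credentials is the check that the change took effect.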