Unauthenticated, Internet-exposed API endpoints of older Prometheus monitoring and alerting deployments can be scraped at scale to leak sensitive information, according to new research from JFrog.
"Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven't yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in a report.
Prometheus is an open-source systems monitoring and alerting toolkit that collects and processes metrics from different endpoints, making it easy to observe software metrics such as memory usage, network usage, and application-defined metrics like the number of failed logins to a web application. Support for Transport Layer Security (TLS) and HTTP basic authentication on Prometheus's own HTTP server was introduced in version 2.24.0, released on January 6, 2021, and is enabled through a web configuration file passed with the --web.config.file flag. Before that release, any Prometheus instance reachable on the network answered every API request without credentials unless something in front of it (a reverse proxy, firewall or VPN) enforced them.
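How the protection added in 2.24.0 is switched on, as an added example that is not taken from the article or from the JFrog report: a web configuration file passed to Prometheus with --web.config.file. The certificate and key paths and the user name are placeholders for this example; the bcrypt hash is generated with the htpasswd command shown in the comment.

```yaml
# web.yml, started with: prometheus --config.file=prometheus.yml --web.config.file=web.yml
# (the --web.config.file flag exists from Prometheus 2.24.0 onward).
# The paths and the user name are placeholders for this example.
tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt
  key_file: /etc/prometheus/tls/server.key
basic_auth_users:
  # Value must be a bcrypt hash. Generate one with:
  #   htpasswd -nBC 10 "" | tr -d ':\n'
  prometheus: "<bcrypt hash generated with the command above>"
```

With basic_auth_users set, every HTTP path on the server, including /metrics and the /api/v1/ endpoints discussed below, requires the credentials, so each client (Grafana, federating Prometheus servers, Alertmanager checks) has to be configured with them. The management flags --web.enable-admin-api and --web.enable-lifecycle are independent of this file and should stay off unless a specific automation needs them.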
The findings come from a systematic sweep of publicly-exposed Prometheus endpoints that were reachable on the Internet without any authentication. The metrics returned exposed software versions and host names, which the researchers said could be weaponized by attackers to conduct reconnaissance of a target environment before exploiting a particular server, or for post-exploitation techniques like lateral movement.
Some of the endpoints and the information they disclosed are as follows –
- /api/v1/status/config – Leakage of usernames and passwords embedded in URL strings (for example remote-write or Alertmanager URLs) inside the loaded YAML configuration, which the endpoint returns as one string; fields Prometheus types as secrets are rendered as <secret>, but credentials in URL userinfo were returned in clear
- /api/v1/targets – Leakage of metadata labels attached to scrape targets, including environment variables as well as user and machine names, alongside the target addresses themselves
- /api/v1/status/flags – Leakage of usernames when the full path to the YAML configuration file (reported under the config.file flag) runs through a home directory
More concerning still, an attacker can use the /api/v1/status/flags endpoint to read the values of two management flags, web.enable-admin-api and web.enable-lifecycle. Where an operator has turned them on, the admin API lets an unauthenticated client delete all stored metrics (via /api/v1/admin/tsdb/delete_series), and the lifecycle API lets it reload the configuration or shut the monitoring server down (via /-/reload and /-/quit). Both flags have been off by default for security reasons since Prometheus 2.0, so an exposed server with either one enabled was configured that way deliberately.
JFrog said about 15% of the Internet-facing Prometheus endpoints had the API management setting enabled, and 4% had database management turned on, out of roughly 27,000 hosts identified through a search on the IoT search engine Shodan.
Besides recommending that organizations "query the endpoints […] to help verify if sensitive data may have been exposed," the researchers noted that "advanced users requiring stronger authentication or encryption than what's provided by Prometheus, can also set up a separate network entity to handle the security layer," such as an authenticating reverse proxy or a VPN in front of the Prometheus port. For most deployments the practical fix is to upgrade past 2.24.0, enable TLS and basic authentication with --web.config.file, keep --web.enable-admin-api and --web.enable-lifecycle off, and stop exposing the Prometheus port to the Internet at all.
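The self-check the researchers recommend, as an added example that is not code from the article or from JFrog: it parses the three endpoints listed above for the four exposures the report describes (enabled management flags, a revealing config.file path, credentials in URL strings, and descriptive target labels). The three responses embedded below are constructed for illustration, not captured from any host, and only follow the response shapes of the real /api/v1/status/flags, /api/v1/status/config and /api/v1/targets endpoints; the `fetch` helper, `audit` and the other function names are this example's own.

```python
"""Check Prometheus API responses for the exposures described above.

The three sample responses are constructed for this example (not captured from
any real host) and follow the response shapes of /api/v1/status/flags,
/api/v1/status/config and /api/v1/targets.
"""
import json
import re
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed sample: /api/v1/status/flags returns every command-line flag as a
# string value; here the config.file path runs through a home directory.
SAMPLE_FLAGS = json.dumps({"status": "success", "data": {
    "config.file": "/home/alice/prometheus/prometheus.yml",
    "web.enable-admin-api": "true",
    "web.enable-lifecycle": "false",
    "web.config.file": "",
}})

# Constructed sample: /api/v1/status/config returns the loaded YAML as a string.
# Fields typed as secrets are redacted to <secret>; the credentials embedded in
# the remote_write URL are the kind of leak the research reports.
SAMPLE_CONFIG = json.dumps({"status": "success", "data": {"yaml": (
    "global:\n"
    "  scrape_interval: 15s\n"
    "remote_write:\n"
    "  - url: https://metrics-writer:Pa55w0rd@remote.example.internal/api/v1/write\n"
    "scrape_configs:\n"
    "  - job_name: app\n"
    "    basic_auth:\n"
    "      username: scraper\n"
    "      password: <secret>\n"
)}})

# Constructed sample: /api/v1/targets lists scrape targets with their labels.
SAMPLE_TARGETS = json.dumps({"status": "success", "data": {"activeTargets": [
    {"scrapeUrl": "http://10.0.3.17:9100/metrics",
     "labels": {"job": "node", "instance": "10.0.3.17:9100",
                "owner": "alice", "hostname": "db-primary-01"}},
    {"scrapeUrl": "http://10.0.3.18:8080/metrics",
     "labels": {"job": "app", "instance": "10.0.3.18:8080"}},
]}})

MANAGEMENT_FLAGS = ("web.enable-admin-api", "web.enable-lifecycle")
STANDARD_LABELS = {"job", "instance"}
URL_RE = re.compile(r"""[A-Za-z][A-Za-z0-9+.-]*://[^\s"']+""")


def enabled_management_flags(flags_body):
    """Flags that unlock /api/v1/admin/* (admin API) or /-/reload and /-/quit (lifecycle)."""
    data = json.loads(flags_body)["data"]
    return sorted(f for f in MANAGEMENT_FLAGS if data.get(f, "false").lower() == "true")


def config_file_path(flags_body):
    """The loaded configuration path; a path under /home/<user> names an account."""
    return json.loads(flags_body)["data"].get("config.file", "")


def urls_with_credentials(config_body):
    """(user, password, host) for every URL in the exposed config that carries userinfo."""
    yaml_text = json.loads(config_body)["data"]["yaml"]
    found = []
    for url in URL_RE.findall(yaml_text):
        parts = urlsplit(url)
        if parts.username is not None:
            found.append((parts.username, parts.password, parts.hostname))
    return found


def leaked_target_labels(targets_body):
    """Per scrape URL, the labels beyond job/instance (owner, hostname, env tags, ...)."""
    result = {}
    for target in json.loads(targets_body)["data"]["activeTargets"]:
        extra = {k: v for k, v in target.get("labels", {}).items()
                 if k not in STANDARD_LABELS and not k.startswith("__")}
        if extra:
            result[target["scrapeUrl"]] = extra
    return result


def audit(flags_body, config_body, targets_body):
    """One finding string per exposure; an empty list means nothing was found."""
    findings = [f"management interface enabled: --{f}" for f in enabled_management_flags(flags_body)]
    path = config_file_path(flags_body)
    if path:
        findings.append(f"config path exposed (check it for user names): {path}")
    for user, password, host in urls_with_credentials(config_body):
        findings.append(f"credentials in URL string: {user}@{host} "
                        f"(password {'present' if password else 'absent'})")
    for url, labels in leaked_target_labels(targets_body).items():
        findings.append(f"target {url} carries descriptive labels: {labels}")
    return findings


def fetch(base_url, path, timeout=5):
    """Unauthenticated GET of one API path on a live server (hypothetical helper)."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a server you own: python audit.py http://prom.example.internal:9090
        base = sys.argv[1]
        bodies = (fetch(base, "/api/v1/status/flags"), fetch(base, "/api/v1/status/config"),
                  fetch(base, "/api/v1/targets"))
    else:  # no argument: run over the constructed samples above
        bodies = (SAMPLE_FLAGS, SAMPLE_CONFIG, SAMPLE_TARGETS)
    for finding in audit(*bodies):
        print(finding)
```

Run it only against servers you are authorized to test. A server that answers these three requests without credentials is already a finding in itself, whatever the parsers report, because the fix described above (basic authentication via --web.config.file or an authenticating proxy) would have rejected the unauthenticated request.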