RCE Attacks: More Than 300,000 Prometheus Instances Exposed


Recent media reports have cited cybersecurity researchers warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk. The risk stems from public access, which lets hackers leak data and launch RCE attacks. In this article, we’ll learn more about what Prometheus is and the vulnerabilities experts have uncovered. Let’s begin!

What Is Prometheus? 

Before we dive into the details of the vulnerabilities and the risk, what you need to know is that Prometheus is an open-source monitoring and alerting toolkit. It’s frequently used in modern monitoring strategies and works by scraping metrics from targets at configured intervals.

It stores the scraped metrics locally in a time-series database and provides a powerful query language for real-time analysis. The toolkit works with other components that handle alerting and visualization, which makes it suitable for different environments. It also relies on exporters, which are installed on systems that do not natively emit metrics in the Prometheus format.

RCE Attacks: Prometheus Vulnerabilities And Flaws 

Aqua, a cloud security provider, has recently uncovered several vulnerabilities within the Prometheus ecosystem. The findings fall into three major areas: information disclosure, code execution, and denial-of-service (DoS). Describing the flaws, the researchers stated that:

“We found that exposed Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys. Additionally, we identified an alarming risk of DoS attacks stemming from the exposure of pprof debugging endpoints, which, when exploited, could overwhelm and crash Prometheus servers, Kubernetes pods and other hosts.”

Apart from this, their investigation also revealed a remote code execution risk dubbed “RepoJacking,” which increases the likelihood of RCE attacks by letting hackers introduce malicious exporters. Commenting on the number of exposed servers, cybersecurity experts at Aqua stated that:

“Our findings highlight that at least 336,000 servers expose their Prometheus servers and exporters to the internet—a practice that poses significant security risks. It is crucial to restrict public access to these servers, as attackers can easily exploit this exposure to target organizations.”

Exposed Servers Disclosing Information 

As far as RCE attacks and exposed servers are concerned, cybersecurity experts have warned of the risks of exposing Prometheus servers and exporters. Despite such warnings, the number of exposed Prometheus instances remains alarming.

Such widespread exposure leads to users inadvertently revealing numerous sensitive secrets through Prometheus components. When these servers are reachable from the public internet, the risk of RCE attacks increases greatly.

This happens because no authentication is in place: the misconfiguration lets anyone query the exposed datasets. From there, hackers can exploit the access to deploy scanners and other malicious tooling used to conduct RCE attacks and steal information.

Providing insights about the endpoints, security experts have stated that:  

“In some cases, this endpoint can reveal internal API endpoints. This type of exposure can inadvertently allow attackers to expand their attack surface, gain access to sensitive data, and learn and exploit internal backend functionalities that were not intended for public use. In addition, exposed Prometheus servers and the /metrics endpoint can reveal subdomains, Docker registries, images, and other information about a company.”
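One practical defensive step that follows from the quote above is to audit your own exporters’ /metrics output before it is ever reachable by anyone else. The following script is an added example written for this article; it is not code from Aqua or from the Prometheus project. It parses text in the Prometheus exposition format, inspects every label value, and reports values that look like credentials (an AWS access key ID pattern, a bearer token, a high-entropy string) or like internal infrastructure details (private IP addresses, internal hostnames, internal URL paths), plus labels whose names suggest a secret. The sample metrics embedded in the script are constructed for illustration and were not captured from any real system; the detector patterns and thresholds are the author’s own choices, not an official rule set.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Prometheus exposition-format output (not captured from any
# real system). The label values imitate the kinds of leaks described in the article.
SAMPLE_METRICS = """\
# HELP app_http_requests_total Total HTTP requests.
# TYPE app_http_requests_total counter
app_http_requests_total{method="GET",path="/api/v1/orders"} 1027
app_http_requests_total{method="POST",path="/internal/admin/rotate-keys"} 3
# HELP cloud_cost_collector_info Collector build information.
# TYPE cloud_cost_collector_info gauge
cloud_cost_collector_info{aws_access_key_id="AKIAEXAMPLE0000000ID",region="eu-west-1"} 1
docker_registry_up{registry="registry.internal.example.corp:5000"} 1
probe_success{target="https://api.example.com/v2/health",auth="Bearer c2VjcmV0LXRva2VuLXZhbHVlLTEyMzQ1Njc4OTA="} 1
exporter_config_info{upstream="http://10.12.4.7:8080",session="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b"} 1
smtp_relay_info{password="Summer2024!"} 1
"""

# One sample line: metric name, optional {labels}, then the value.
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+\S+')
# One label inside the braces, honouring backslash escapes in the quoted value.
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')
# Candidate secret tokens for the entropy check: long runs of key-like characters.
TOKEN_RE = re.compile(r'[A-Za-z0-9+/=_\-]{20,}')

# Detectors run in this order; the first match decides the finding kind.
VALUE_DETECTORS = [
    ("aws_access_key_id", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("bearer_token", re.compile(r'\bBearer\s+[A-Za-z0-9\-._~+/]+=*')),
    ("private_ip", re.compile(
        r'\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}'
        r'|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b')),
    ("internal_hostname", re.compile(r'\b[\w.-]+\.(?:internal|corp|local|lan)\b')),
    ("internal_path", re.compile(r'/(?:internal|admin|debug)/')),
]
# Label names that usually carry secrets even when the value matches no pattern.
SENSITIVE_LABEL_RE = re.compile(r'(?i)(?:key|token|secret|password|passwd|pwd|credential)')


@dataclass(frozen=True)
class Finding:
    kind: str
    metric: str
    label: str
    preview: str  # truncated so the report itself does not re-leak the value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_high_entropy(value: str, threshold: float = 3.0) -> bool:
    """True if value contains a long mixed letter/digit run with high entropy."""
    for token in TOKEN_RE.findall(value):
        mixed = any(ch.isdigit() for ch in token) and any(ch.isalpha() for ch in token)
        if mixed and shannon_entropy(token) >= threshold:
            return True
    return False


def classify_label(name: str, value: str) -> Optional[str]:
    for kind, pattern in VALUE_DETECTORS:
        if pattern.search(value):
            return kind
    if looks_high_entropy(value):
        return "high_entropy_value"
    if SENSITIVE_LABEL_RE.search(name):
        return "sensitive_label_name"
    return None


def scan_exposition(text: str) -> List[Finding]:
    """Walk every sample line and return one Finding per suspicious label."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip HELP/TYPE comments and blanks
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue
        metric, labels = m.group(1), m.group(2) or ""
        for name, value in LABEL_RE.findall(labels):
            kind = classify_label(name, value)
            if kind:
                preview = value[:6] + "..." if len(value) > 6 else value
                findings.append(Finding(kind, metric, name, preview))
    return findings


if __name__ == "__main__":
    for f in scan_exposition(SAMPLE_METRICS):
        print(f"{f.kind:22} {f.metric}{{{f.label}}} -> {f.preview}")
```

Run it against `curl -s http://localhost:9100/metrics` output from your own exporters (with the text passed to `scan_exposition`) and treat every hit as a label that should be dropped or relabelled at scrape time rather than something to hide behind a firewall; the preview field is deliberately truncated so the audit report is safe to attach to a ticket.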

RepoJacking Code Execution 

Expert research has revealed that several Prometheus exporters are vulnerable to RepoJacking techniques, which can be used to carry out RCE attacks. Before we dive into more details, what you need to know is that GitHub RepoJacking is a supply chain attack that allows attackers to take control of the dependencies of GitHub projects, or of an entire project.

Once that control is acquired, it can be used to run malicious code. This occurs when an attacker creates a new repository under a username or repository name that the original owner deleted or renamed. After this, any user who still references the old repository automatically downloads the malicious code used for RCE attacks. Commenting on this methodology in the case of Prometheus, experts stated that:

“We discovered that several exporters listed in its official documentation were vulnerable to RepoJacking. An attacker could claim the now-available usernames referenced in the documentation, recreate an exporter with the same name, and host a malicious version. Unsuspecting users following the documentation could unknowingly clone and deploy this malicious exporter, leading to remote code execution on their systems.” 

In addition, the experts highlighted some of the key exporters they found to be vulnerable and that could be used for RCE attacks. These exporters include:

Category   Exporter Name
HTTP       Nginx VTS Exporter
HTTP       Tinyproxy Exporter
FinOps     AWS Cost Exporter
FinOps     Azure Cost Exporter
FinOps     Kubernetes Cost Exporter
APIs       Rancher Exporter
APIs       Docker Hub Exporter
APIs       Docker Cloud Exporter


These vulnerable exporters have been reported to the Prometheus project.

Mitigation Protocols To Ensure Safety

Given these findings, it can be stated that cyber threats like data breaches and RCE attacks are becoming more and more complex. In the case of Prometheus, experts noted that hackers can exploit exposed endpoints and breach networks to carry out their malicious intentions.

This can lead to detrimental consequences for both organizations and individual users. To mitigate the risk of such RCE attacks and limit exposure to online threats, protection measures that can be deployed include:

  • Authentication and authorization – Prometheus servers and exporters should be protected with authentication, so that only authorized users can access sensitive data and systems.
  • External exposure limitations – deploy Prometheus so that its exposure to, and reliance on, the public internet is limited. Where connecting over the public internet is necessary, secure channels such as VPNs should be used to limit RCE attacks.
  • Monitoring and securing debugging endpoints – endpoints that can be used for DoS and RCE attacks must not be publicly exposed, and access to profiling and debugging endpoints should be limited.
  • Limiting resource exhaustion – experts also recommend guardrails that limit resource exhaustion, such as CPU and RAM limits.
  • Inspecting open-source links – users must inspect open-source links and make sure they are secure before downloading.
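The RepoJacking section and the last item above both come down to the same check: does the link in the documentation still point at the repository (and content) you vetted? The script below is an added example for this article, not code from Aqua or the Prometheus project. It classifies two kinds of references that exporter documentation typically carries, GitHub repository URLs and container image references, as pinned (a full commit SHA or an image digest, which a re-created repository cannot silently replace) or mutable (a branch, tag, default branch or untagged image). It also compares the GitHub owner against a small allow-list recorded when the exporter was first vetted, so a link that now resolves to a different account is flagged. The allow-list, owner names and repository slugs are hypothetical placeholders constructed for the example, not identifiers taken from the Prometheus documentation.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical allow-list: the GitHub owner recorded for each exporter when the
# link was first vetted. Slugs and owners are placeholders, not real projects.
EXPECTED_OWNERS = {
    "nginx-vts-exporter": "example-maintainer",
    "rancher-exporter": "example-org",
}

# github.com/<owner>/<repo>[.git][/tree|commit|blob/<ref>]
GIT_RE = re.compile(
    r'^https?://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?'
    r'(?:/(?:tree|commit|blob)/(?P<ref>[\w./-]+))?/?$'
)
# <name>[:<tag>][@sha256:<digest>]; registries with a port are not handled here.
IMAGE_RE = re.compile(
    r'^(?P<name>[\w./-]+?)(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass(frozen=True)
class Verdict:
    reference: str
    status: str  # "pinned", "mutable", "owner_mismatch" or "unparsed"
    reason: str


def check_git_reference(url: str) -> Verdict:
    """Classify a GitHub URL from documentation; owner mismatch beats everything else."""
    m = GIT_RE.match(url)
    if not m:
        return Verdict(url, "unparsed", "not a github.com repository URL")
    owner, repo, ref = m.group("owner"), m.group("repo"), m.group("ref")
    expected = EXPECTED_OWNERS.get(repo)
    if expected and expected.lower() != owner.lower():
        return Verdict(url, "owner_mismatch",
                       f"vetted owner was {expected!r}, link now points at {owner!r}")
    if ref and SHA_RE.match(ref):
        return Verdict(url, "pinned", "full commit SHA; content cannot change under this reference")
    return Verdict(url, "mutable",
                   "branch, tag or default branch; a re-created repository would serve different content")


def check_image_reference(image: str) -> Verdict:
    """Classify an OCI image reference as digest-pinned or tag-mutable."""
    m = IMAGE_RE.match(image)
    if not m:
        return Verdict(image, "unparsed", "not a recognised image reference")
    if m.group("digest"):
        return Verdict(image, "pinned", "digest-pinned; the registry cannot substitute content")
    tag = m.group("tag") or "latest"
    return Verdict(image, "mutable", f"tag {tag!r} can be re-pointed by whoever controls the repository")


def audit_references(refs: List[str]) -> List[Verdict]:
    """Dispatch each documentation reference to the right checker."""
    return [check_git_reference(r) if r.startswith("http") else check_image_reference(r)
            for r in refs]


if __name__ == "__main__":
    # Constructed sample references, as they might appear in exporter documentation.
    sample = [
        "https://github.com/example-maintainer/nginx-vts-exporter",
        "https://github.com/someone-else/nginx-vts-exporter",
        "https://github.com/example-org/rancher-exporter/commit/" + "a" * 40,
        "ghcr.io/example-org/rancher-exporter:v1.2.3",
        "ghcr.io/example-org/rancher-exporter@sha256:" + "0" * 64,
    ]
    for v in audit_references(sample):
        print(f"{v.status:15} {v.reference}\n{'':15} {v.reason}")
```

A mutable verdict is not a vulnerability by itself; it means the reference gives you no way to notice that the content behind it has changed, which is exactly the gap RepoJacking relies on. Pinning to a commit SHA or image digest, and re-checking the owner whenever documentation is updated, closes it.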

Conclusion 

Prometheus’s vulnerabilities highlight the pressing need for robust security practices in open-source tools. Misconfigurations, exposed endpoints, and RepoJacking risks serve as stark reminders of the threats lurking in publicly accessible systems.

By implementing proper authentication, limiting exposure, securing debugging endpoints, and carefully vetting open-source links, organizations can safeguard against RCE attacks and data breaches. 

As cyber threats evolve, proactive measures are essential to protect sensitive information and maintain system integrity. Ensuring these practices are in place not only mitigates risk but also builds a more secure digital ecosystem for users worldwide.

The sources for this piece include articles in The Hacker News and Aqua.


