A massive unauthenticated scraping of publicly available and non-secured endpoints from previous versions of the Prometheus event monitoring and alerting service could be used to unintentionally expose critical data, according to the latest research.
JFrog researchers Andrey Polkovnychenko and Shachar Menashe stated in a report, "Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven't yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data."
Prometheus is an open-source system monitoring and alerting toolkit that collects and processes metrics from various endpoints while also allowing for easy analysis of software metrics such as memory usage, network usage, and software-specific metrics such as the number of failed logins to a web application.
With the release of version 2.24.0 in January, support for Transport Layer Security (TLS) and basic authentication was added.
The findings are the result of a methodical sweep of publicly exposed Prometheus endpoints that were reachable on the Internet without any authentication. The metrics discovered were found to reveal software versions and hostnames, which the researchers stated could be weaponized by intruders to inspect a target environment before exploiting a specific server, or for post-exploitation techniques such as lateral movement.
The following are some of the endpoints and information disclosed:
- /api/v1/status/config - Leakage of usernames and passwords provided in URL strings from the loaded YAML configuration file
- /api/v1/targets - Leakage of metadata labels, including environment variables as well as user and machine names, added to target machine addresses
- /api/v1/status/flags - Leakage of usernames when providing a full path to the YAML configuration file
An attacker can use the "/api/v1/status/flags" endpoint to request the status of two administrative interfaces, "web.enable-admin-api" and "web.enable-lifecycle", and, if these are found to have been manually enabled, abuse them to delete all stored metrics and, in the worst-case scenario, shut down the monitoring server. It's noteworthy that both interfaces have been disabled by default for security reasons since Prometheus 2.0.
As per JFrog, around 15% of the Internet-facing Prometheus endpoints had the API management setting activated, and 4% had database management enabled. A total of around 27,000 hosts were found through a search on the IoT search engine Shodan.
In addition to advising organisations to "query the endpoints [...] to help verify if sensitive data may have been exposed," the researchers stated that advanced users who require stronger authentication or encryption than what Prometheus provides can also set up a different network entity to manage the additional security.
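The researchers' advice is to query your own Prometheus endpoints to see what they give away. The following script is an added example, not JFrog's tooling or Prometheus project code, that does exactly that for the three endpoints named above: it reports whether the admin or lifecycle interface is on, lists usernames for credentials embedded in URLs inside the served configuration (without echoing the passwords), and lists target labels whose keys look sensitive. The JSON shapes follow the documented Prometheus API (`data` holding flag name/value strings, `data.yaml` holding the config, `data.activeTargets` holding label maps); the sample responses, hostnames, and the keyword list in `SENSITIVE_KEY_RE` are constructed for the demonstration, and `fetch_audit` is a convenience wrapper for running it against an instance you administer.

```python
import json
import re
from urllib.request import urlopen

# Constructed sample responses (not captured from any real server) in the JSON
# shape returned by /api/v1/status/flags, /api/v1/status/config and /api/v1/targets.
SAMPLE_FLAGS = json.dumps({"status": "success", "data": {
    "web.enable-admin-api": "true",
    "web.enable-lifecycle": "false",
    "config.file": "/etc/prometheus/prometheus.yml",
}})

SAMPLE_CONFIG = json.dumps({"status": "success", "data": {"yaml":
    "global:\n  scrape_interval: 15s\n"
    "remote_write:\n  - url: https://metrics-user:S3cretPass@remote.example.test/api/v1/write\n"
    "scrape_configs:\n  - job_name: app\n    static_configs:\n"
    "      - targets: ['app.example.test:9100']\n"
}})

SAMPLE_TARGETS = json.dumps({"status": "success", "data": {"activeTargets": [{
    "discoveredLabels": {"__address__": "app.example.test:9100",
                         "__meta_ec2_tag_Owner": "alice"},
    "labels": {"job": "app", "instance": "app.example.test:9100",
               "DB_PASSWORD": "hunter2"},
    "health": "up",
}], "droppedTargets": []}})

# scheme://user:password@host ... -> group(1) is the username, group(2) the password
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s:@/]+):([^\s@/]+)@", re.IGNORECASE)
# Label keys that typically carry environment variables or account data (constructed list).
SENSITIVE_KEY_RE = re.compile(r"pass|secret|token|key|user|owner", re.IGNORECASE)
ADMIN_FLAGS = ("web.enable-admin-api", "web.enable-lifecycle")


def admin_flags_enabled(flags_json):
    """Return the admin/lifecycle flags that the server reports as enabled."""
    data = json.loads(flags_json)["data"]
    return sorted(f for f in ADMIN_FLAGS if data.get(f) == "true")


def credentials_in_config(config_json):
    """Return usernames of URL-embedded credentials in the served config.

    Only the username is reported so the audit output itself never leaks
    the password into a ticket or log.
    """
    yaml_text = json.loads(config_json)["data"]["yaml"]
    return [m.group(1) for m in URL_CRED_RE.finditer(yaml_text)]


def sensitive_target_labels(targets_json):
    """Return (instance, label source, label key) for suspicious target labels."""
    findings = []
    for target in json.loads(targets_json)["data"]["activeTargets"]:
        instance = target.get("labels", {}).get("instance", "?")
        for source in ("labels", "discoveredLabels"):
            for key in target.get(source, {}):
                if SENSITIVE_KEY_RE.search(key):
                    findings.append((instance, source, key))
    return findings


def audit(flags_json, config_json, targets_json):
    """Combine the three checks into one report dict."""
    return {
        "admin_flags": admin_flags_enabled(flags_json),
        "url_credential_users": credentials_in_config(config_json),
        "sensitive_labels": sensitive_target_labels(targets_json),
    }


def fetch_audit(base_url, timeout=5):
    """Run the audit against a live instance you administer, e.g. http://localhost:9090."""
    def get(path):
        with urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    return audit(get("/api/v1/status/flags"),
                 get("/api/v1/status/config"),
                 get("/api/v1/targets"))


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_FLAGS, SAMPLE_CONFIG, SAMPLE_TARGETS), indent=2))
```

Any non-empty list in the report is something to fix at the source: turn the admin and lifecycle flags off unless they are genuinely needed, move URL-embedded credentials into the file-based secret settings, strip secrets from relabelled target labels, and put the API behind TLS and authentication (native since 2.24.0, or via a reverse proxy in front of the server).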