Thursday, January 23, 2025
HomeCVE/vulnerabilityOver 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

Published on

SIEM as a Service

Follow Us on Google News

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks from pprof endpoints, and potential code execution threats, which could lead to data breaches, system outages, and unauthorized access.

Vulnerable Prometheus servers are exposed to internet risk exploitation by attackers, which includes a critical “RepoJacking” vulnerability, allowing malicious exporters to be introduced into abandoned or renamed GitHub repositories.

Untrusted users might be able to view Prometheus server information, logs, and debugging details, despite authentication support. It’s unclear if practitioners commonly expose Prometheus servers without authentication, though it’s a potential security risk.

Prometheus exporters in Shodan

Shodan analysis identified over 336,000 internet-exposed Prometheus servers and exporters, potentially leaving them vulnerable to unauthorized access and exploitation.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

Promtheus servers and exporters are frequently exposed, leading to the inadvertent disclosure of sensitive secrets, as researchers have highlighted this risk, but the number of exposed instances remains substantial, posing a significant security threat.

Unauthenticated Prometheus servers and exporters expose internal data, enabling attackers to query and extract sensitive information such as credentials and API keys, potentially compromising organizational security.

Secrets Exposed in Prometheus Servers on Port 9090

Exposed Node Exporter and Prometheus metrics endpoints can leak sensitive information, including internal API endpoints, subdomains, Docker registries, and images, potentially expanding the attack surface and enabling attackers to gain unauthorized access to systems and data. 

Prometheus components and their use of the Go pprof package for performance profiling, as the http/pprof package provides a /debug/pprof endpoint for accessing profiling data via HTTP, as demonstrated in Prometheus server and node exporter. 

Misconfigured Prometheus servers and exporters expose sensitive information through the default-enabled /debug/pprof endpoint, where attackers can exploit this vulnerability to access and analyze heap profiles, traces, and other system data, potentially leading to unauthorized access and control.

 An exposed Prometheus server/Node exporter enabling access to the ‘/debug/pprof’

The exposed /debug/pprof endpoint on Prometheus components and Node Exporter is vulnerable to Denial of Service (DoS) attacks.

Exploiting this vulnerability, attackers can send multiple requests to specific endpoints, overwhelming the server’s resources and causing performance degradation or service outages. 

Node Exporter deployments on hosts or Kubernetes pods are vulnerable to DoS attacks targeting the /debug/pprof endpoint. Successful attacks can lead to host unresponsiveness, increased operational overhead, degraded cluster performance, and resource exhaustion. 

The Prometheus /debug/pprof endpoint, when exposed publicly, presents a significant security risk, allowing attackers to launch DoS attacks and potentially compromise the underlying host. 

 Exposed Prometheus server of Skoda

RepoJacking exploits vulnerabilities in Prometheus exporters by allowing attackers to take over GitHub repositories referenced in official documentation, which enables them to replace legitimate exporters with malicious versions, leading to remote code execution on systems of unsuspecting users.

According to AquaSec, a GitHub redirect vulnerability allows attackers to potentially takeover usernames and host malicious exporters, redirecting users to compromised versions. 

Vulnerabilities in Prometheus, including unauthenticated access, can expose sensitive information and lead to DoS attacks or code execution.

Mitigations include strong authentication, limiting external exposure, securing debugging endpoints, resource limitations, and verifying open-source links to prevent supply chain attacks.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...