Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks from pprof endpoints, and potential code execution threats, which could lead to data breaches, system outages, and unauthorized access.

Vulnerable Prometheus servers are exposed to internet risk exploitation by attackers, which includes a critical “RepoJacking” vulnerability, allowing malicious exporters to be introduced into abandoned or renamed GitHub repositories.

Untrusted users might be able to view Prometheus server information, logs, and debugging details, despite authentication support. It’s unclear if practitioners commonly expose Prometheus servers without authentication, though it’s a potential security risk.

Shodan analysis identified over 336,000 internet-exposed Prometheus servers and exporters, potentially leaving them vulnerable to unauthorized access and exploitation.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

Promtheus servers and exporters are frequently exposed, leading to the inadvertent disclosure of sensitive secrets, as researchers have highlighted this risk, but the number of exposed instances remains substantial, posing a significant security threat.

Unauthenticated Prometheus servers and exporters expose internal data, enabling attackers to query and extract sensitive information such as credentials and API keys, potentially compromising organizational security.

Exposed Node Exporter and Prometheus metrics endpoints can leak sensitive information, including internal API endpoints, subdomains, Docker registries, and images, potentially expanding the attack surface and enabling attackers to gain unauthorized access to systems and data. 

Prometheus components and their use of the Go pprof package for performance profiling, as the http/pprof package provides a /debug/pprof endpoint for accessing profiling data via HTTP, as demonstrated in Prometheus server and node exporter. 

Misconfigured Prometheus servers and exporters expose sensitive information through the default-enabled /debug/pprof endpoint, where attackers can exploit this vulnerability to access and analyze heap profiles, traces, and other system data, potentially leading to unauthorized access and control.

The exposed /debug/pprof endpoint on Prometheus components and Node Exporter is vulnerable to Denial of Service (DoS) attacks.

Exploiting this vulnerability, attackers can send multiple requests to specific endpoints, overwhelming the server’s resources and causing performance degradation or service outages. 

Node Exporter deployments on hosts or Kubernetes pods are vulnerable to DoS attacks targeting the /debug/pprof endpoint. Successful attacks can lead to host unresponsiveness, increased operational overhead, degraded cluster performance, and resource exhaustion. 

The Prometheus /debug/pprof endpoint, when exposed publicly, presents a significant security risk, allowing attackers to launch DoS attacks and potentially compromise the underlying host. 

RepoJacking exploits vulnerabilities in Prometheus exporters by allowing attackers to take over GitHub repositories referenced in official documentation, which enables them to replace legitimate exporters with malicious versions, leading to remote code execution on systems of unsuspecting users.

According to AquaSec, a GitHub redirect vulnerability allows attackers to potentially takeover usernames and host malicious exporters, redirecting users to compromised versions. 

Vulnerabilities in Prometheus, including unauthenticated access, can expose sensitive information and lead to DoS attacks or code execution.

Mitigations include strong authentication, limiting external exposure, securing debugging endpoints, resource limitations, and verifying open-source links to prevent supply chain attacks.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free