Prometheus Monitoring Software Flaw Raises Data Security Concerns: Experts Warn

Arsalan Rathore

December 13, 2024
Updated on December 13, 2024
Security researchers have uncovered significant vulnerabilities in the Prometheus monitoring tool, revealing thousands of exposed servers and exporters leaking sensitive data and introducing risks such as denial of service (DoS) and repojacking.

Prometheus, a leading tool in observability for monitoring applications and cloud infrastructure, has long been favored for its robust features. However, its open design comes with critical security challenges. According to its documentation, “It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information.”

Despite this warning, researchers from Aqua Nautilus discovered alarming levels of exposure through a Shodan scan. The scan identified over 40,000 Prometheus servers and more than 296,000 exporters accessible online. These instances leaked sensitive credentials, tokens, API endpoints, and other data that could enable cyberattacks.

The Risks of Prometheus Exposure

Prometheus collects various performance metrics, from CPU usage to application health. While seemingly harmless, this data can serve as a goldmine for attackers.

“We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden,” said Assaf Morag, director of threat intelligence at Aqua Nautilus.

Among the exposed instances, one belonged to Skoda Auto, revealing the company’s subdomains, Docker registries, and images — information that attackers could exploit for reconnaissance or further breaches.

Additionally, exposed Prometheus servers are susceptible to DoS attacks. Researchers demonstrated this vulnerability by targeting the ‘/debug/pprof’ endpoint, which is enabled by default. The endpoint, meant for profiling remote hosts, can be overloaded to disrupt services or crash systems.

“The result was conclusive: We ended up stopping virtual machines each time we ran our script,” Morag explained, emphasizing the potential impact on critical systems like Kubernetes clusters.

Repojacking: A Growing Threat

Beyond data leakage and DoS, researchers identified a vulnerability in Prometheus exporters involving repojacking. This occurs when an attacker hijacks a developer’s abandoned GitHub namespace and uploads malicious code. Projects that fail to update their links can inadvertently integrate the malware.

Prometheus documentation had references to exporters tied to freely claimable usernames, creating opportunities for remote code execution. Aqua Nautilus reported the issue, and it has since been resolved. However, repojacking remains an underappreciated threat across open-source projects.

Mitigation Strategies

Organizations using Prometheus are advised to take immediate steps to secure their instances:

  • Restrict access to Prometheus servers and exporters by removing them from public exposure or implementing robust authentication mechanisms.
  • Mitigate DoS risk by hardening default configurations, including the profiling endpoint that is enabled by default.
  • Monitor dependencies for potential repojacking vulnerabilities using automated scanning solutions.
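The credential and internal-address leakage described above is visible in a Prometheus server's own target listing. As an added example (not code from the article or from Aqua Nautilus), the audit below parses a constructed sample of the `/api/v1/targets` JSON shape and reports labels and scrape URLs that carry credential-like values, plus the internal endpoints the listing discloses; the sample hosts, label names and values are invented for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of a Prometheus /api/v1/targets response (no real host or secret).
SAMPLE_TARGETS = json.dumps({
    "status": "success",
    "data": {"activeTargets": [
        {"discoveredLabels": {"__address__": "10.0.3.7:9100", "__metrics_path__": "/metrics", "job": "node"},
         "labels": {"instance": "10.0.3.7:9100", "job": "node"},
         "scrapeUrl": "http://10.0.3.7:9100/metrics", "health": "up"},
        {"discoveredLabels": {"__address__": "billing.internal.example:8443",
                              "__param_token": "tok_abc123", "job": "billing"},
         "labels": {"instance": "billing.internal.example:8443", "job": "billing",
                    "db_password": "hunter2"},
         "scrapeUrl": "https://billing.internal.example:8443/metrics?token=tok_abc123",
         "health": "up"},
    ]},
})

# Label keys or query strings that usually carry a credential rather than a metric dimension.
SECRET_KEY_RE = re.compile(r"(pass(word)?|token|secret|api[_-]?key|bearer|auth)", re.I)


def audit_targets(body):
    """Return findings for credential-like labels and query parameters in a targets listing."""
    findings = []
    for target in json.loads(body).get("data", {}).get("activeTargets", []):
        url = target.get("scrapeUrl", "")
        # Both the pre-relabel (discoveredLabels) and final labels are served to anyone who can reach the API.
        for source in ("discoveredLabels", "labels"):
            for key in target.get(source, {}):
                if SECRET_KEY_RE.search(key):
                    findings.append({"target": url, "kind": "credential_label", "label": key})
        # __param_* labels end up in the scrape URL, so a token there is leaked twice.
        query = urlparse(url).query
        if query and SECRET_KEY_RE.search(query):
            findings.append({"target": url, "kind": "credential_in_query", "label": None})
    return findings


def disclosed_hosts(body):
    """Internal host:port pairs an unauthenticated reader learns from the listing (reconnaissance exposure)."""
    targets = json.loads(body).get("data", {}).get("activeTargets", [])
    return sorted({urlparse(t.get("scrapeUrl", "")).netloc for t in targets})


if __name__ == "__main__":
    for f in audit_targets(SAMPLE_TARGETS):
        print(f"{f['kind']:<20} {f['target']} label={f['label']}")
    print("disclosed endpoints:", disclosed_hosts(SAMPLE_TARGETS))
```

Run it against a saved copy of your own server's `/api/v1/targets` output; any `credential_*` finding means the value should be moved into an `authorization`/`basic_auth` scrape setting, dropped with relabeling, and the endpoint put behind authentication.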

While addressing these challenges requires diligence, Morag warns of the complexity: “If you’re doing it for millions of open source projects, that’s where the problem starts. But if you use an automated [scanning tool], you could be safe.”

Prometheus’ popularity as an open-source observability tool underscores the need for heightened awareness and proactive security measures. Organizations must balance its powerful features with stringent security practices to protect their systems and data.

About The Author

Arsalan Rathore

Arsalan Rathore is a tech geek who loves to pen down his thoughts and views on VPN, cybersecurity technology innovation, entertainment, and social issues. He likes sharing his thoughts about the emerging tech trends in the market and also loves discussing online privacy issues.
