Unprotected Endpoints From Older Versions Of Prometheus Can Be Leveraged To Leak Info

JFrog researchers have discovered unprotected endpoints in older versions of the Prometheus event monitoring and alerting solution. Prometheus, an open-source system monitoring and alerting toolkit, is used to collect and process metrics from different endpoints, enabling easy observation of software metrics such as memory usage, network usage and software-specific defined metrics, such as the number of failed logins to a web application. Large-scale unauthenticated scraping of publicly available, non-secured endpoints could be leveraged to leak sensitive information. That isn't good, seeing that Prometheus is meant to help protect corporate environments.
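As an added defender-side example (not from this post or from JFrog's research): detection logic that flags successful, unauthenticated requests to Prometheus endpoints coming from outside the internal network, run over constructed reverse-proxy access-log lines. It assumes a reverse proxy in front of Prometheus that logs whether an Authorization header was present, and assumed RFC 1918 ranges as "internal".

```python
# Added example, not code from the post or from Prometheus itself.
# Flags successful, unauthenticated requests to Prometheus HTTP endpoints
# from non-internal addresses, using access-log lines from a reverse proxy
# assumed to sit in front of Prometheus (log format is an assumption).
import ipaddress
import re

# Combined-log style line with an extra trailing quoted field holding the
# Authorization scheme ("-" when no header was sent). Assumed format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$'
)

# Paths that hand out metrics or server state to whoever can reach them.
SENSITIVE_PREFIXES = ("/metrics", "/api/v1/")

# Assumed internal ranges; adjust to the real network layout.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip: str) -> bool:
    """True when ip parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_scrapes(lines):
    """Return (ip, path) pairs for 200 responses to Prometheus endpoints
    that carried no Authorization header and came from outside the network."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if m["status"] != "200" or m["auth"] != "-" or is_internal(m["ip"]):
            continue
        hits.append((m["ip"], m["path"]))
    return hits

# Constructed sample lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2021:10:00:01 +0000] "GET /metrics HTTP/1.1" 200 5120 "-"',
    '203.0.113.7 - - [12/Oct/2021:10:00:02 +0000] "GET /api/v1/status/config HTTP/1.1" 200 8890 "-"',
    '203.0.113.7 - - [12/Oct/2021:10:00:03 +0000] "GET /api/v1/targets HTTP/1.1" 200 2210 "-"',
    '198.51.100.9 - - [12/Oct/2021:10:00:04 +0000] "GET /metrics HTTP/1.1" 401 0 "-"',
    '198.51.100.9 - - [12/Oct/2021:10:00:05 +0000] "GET /metrics HTTP/1.1" 200 5120 "Basic"',
]

if __name__ == "__main__":
    for ip, path in suspicious_scrapes(SAMPLE_LOG):
        print(f"unauthenticated external scrape: {ip} {path}")
```

Only the two external requests that succeeded without credentials are reported; the internal scrape, the rejected 401 and the authenticated request are left alone.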

Giora Engel, CEO and Cofounder, Neosec:

“Prometheus, like many other systems, is based on APIs for accessing the data and managing the system. Those systems are spun up frequently without any supervision; they are typically meant for internal use and are poorly secured, if at all. Being able to discover all the exposed APIs and finding cases of weak security is essential in order to remediate and prevent data loss. You can never rely on what’s known and documented in these cases – being able to monitor actual traffic typically discovers all those unknown services that are poorly configured.”

If you have Prometheus, now would be a very good time to update it, because now that this is out, you can be sure that someone will try to leverage it.
