Unprotected Endpoints From Older Versions Of Prometheus Can Be Leveraged To Leak Info

JFrog researchers have discovered unprotected endpoints in older versions of the Prometheus event monitoring and alerting solution. Prometheus, an open-source system monitoring and alerting toolkit, is used to collect and process metrics from different endpoints, enabling easy observation of software metrics such as memory usage, network usage and software-specific defined metrics, such as the number of failed logins to a web application. Large-scale unauthenticated scraping of publicly available, non-secured endpoints could be leveraged to leak sensitive information. That isn’t good, seeing that Prometheus is meant to help protect corporate environments.
Giora Engel, CEO and Cofounder, Neosec:
“Prometheus, like many other systems, is based on APIs for accessing the data and managing the systems. Those systems are spun up frequently without any supervision; they are typically meant for internal use and are poorly secured, if at all. Being able to discover all the exposed APIs and finding cases of weak security is essential in order to remediate and prevent data loss. You can never rely on what’s known and documented in these cases – being able to monitor actual traffic typically discovers all those unknown services that are poorly configured.”
If you have Prometheus, now would be a very good time to update it, because now that this is out, you can be sure that someone will try to leverage it.
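Updating is the first step, but the underlying issue in the JFrog write-up is that an endpoint serving metrics without authentication hands out whatever its labels contain. The following is an added example, not code from JFrog, Prometheus or this post: a small self-audit that parses Prometheus exposition-format output you have scraped from your own exporters and flags labels that look like credentials, either by name (password, token, api_key, and so on) or because the value is a URL with an embedded username:password. The sample metrics text is constructed for illustration and is not real data; the label-name pattern is an assumption about what "sensitive" means for your environment and should be tuned.

```python
import re

# Constructed sample of Prometheus exposition-format output, as an exporter
# might return it from an unauthenticated /metrics endpoint. Not real data.
SAMPLE_METRICS = """\
# HELP app_http_requests_total Total HTTP requests
# TYPE app_http_requests_total counter
app_http_requests_total{method="GET",path="/login"} 1027
app_http_requests_total{method="POST",path="/login"} 311
# HELP app_db_up Database reachability
# TYPE app_db_up gauge
app_db_up{dsn="postgres://svc:s3cret@db.internal:5432/app"} 1
# HELP app_build_info Build information
# TYPE app_build_info gauge
app_build_info{version="1.4.2",api_token="AKIAEXAMPLE0000000000"} 1
node_network_receive_bytes_total{device="eth0"} 98381823
"""

# Label names that usually carry a credential (assumed list; tune for your environment).
SENSITIVE_LABEL_NAMES = re.compile(
    r"(pass(word)?|pwd|secret|token|api_?key|credential|auth)", re.I
)
# A URL whose userinfo part contains a password: scheme://user:pass@host...
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)

# One sample line: metric_name{label="value",...} value [timestamp]
SAMPLE_RE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{(.*)\})?\s+(\S+)")
# One label="value" pair; the value may contain escaped quotes.
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Yield (metric_name, {label: value}) for each sample line, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue  # tolerate lines we do not understand rather than abort the audit
        labels = dict(LABEL_RE.findall(m.group(3) or ""))
        yield m.group(1), labels


def find_sensitive_labels(text):
    """Return (metric, label, reason) tuples for labels that appear to leak a secret."""
    findings = []
    for metric, labels in parse_exposition(text):
        for name, value in labels.items():
            if SENSITIVE_LABEL_NAMES.search(name):
                findings.append((metric, name, "label name suggests a credential"))
            elif URL_WITH_CREDS.match(value):
                findings.append((metric, name, "URL embeds username:password"))
    return findings


if __name__ == "__main__":
    for metric, label, reason in find_sensitive_labels(SAMPLE_METRICS):
        print(f"{metric}: label '{label}' -> {reason}")
```

On the constructed sample this reports the `dsn` label (a connection string with a password in it) and the `api_token` label; both would be readable by anyone who can reach the endpoint. Fixing the findings means removing the secret from the label at the exporter, not hiding the metric, and the endpoint itself should additionally require authentication: current Prometheus releases accept a web configuration file (`--web.config.file`) that enables TLS and basic authentication, and exporters behind a reverse proxy can be protected the same way.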
This entry was posted on October 14, 2021 at 2:23 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.