
Experts warn about unprotected Prometheus endpoints that expose sensitive information

According to new research, extensive unauthenticated scraping of publicly exposed, unsecured endpoints of older versions of the Prometheus event monitoring and alerting solution is likely to have inadvertently leaked sensitive information.

“Because authentication and encryption support is relatively new, many organizations using Prometheus have not yet enabled these features, so many Prometheus endpoints (such as endpoints running earlier versions) are fully exposed on the internet and leaking metric and label data,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in the report.

Prometheus is an open source system monitoring and alerting toolkit used to collect and process metrics from different endpoints, such as memory usage, network usage and the number of failed logins, as well as predefined software-specific metrics for web applications. Transport Layer Security (TLS) and basic authentication support arrived in version 2.24.0, released on January 6, 2021.


The findings came from a systematic sweep of public Prometheus endpoints that were reachable on the Internet without authentication, which found that the software version and hostname were exposed. The researchers say attackers could weaponize these indicators for reconnaissance of the target environment before exploiting a particular server, or for post-exploitation techniques such as lateral movement.


The information disclosed by several endpoints is as follows:

  • /api/v1/status/config - Leaks usernames and passwords supplied in URL strings in the loaded YAML configuration file
  • /api/v1/targets - Leaks metadata labels, such as environment variables, usernames and machine names, attached to target machine addresses
  • /api/v1/status/flags - Leaks usernames when the full path to the YAML configuration file is supplied

Even more worrisome, an attacker could use the “/api/v1/status/flags” endpoint to query the status of two management interfaces, “web.enable-admin-api” and “web.enable-lifecycle”, and, if they have been manually enabled, abuse them to delete all stored metrics and, worse, shut down the monitoring server. Note that both are disabled by default in Prometheus 2.0 and later for security reasons.
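An added example, not part of the article or of JFrog's research, showing how an operator can audit their own Prometheus instance for the exposures listed above: it parses the JSON returned by /api/v1/status/flags and /api/v1/status/config, reports whether the two management flags are enabled, returns the configuration file path (which may embed a username), and flags credentials embedded in URLs in the loaded configuration. The responses are constructed samples so the check runs offline; the field names are the ones the Prometheus status API returns.

```python
import json
import re

# Constructed sample of a /api/v1/status/flags response (flag values are strings).
SAMPLE_FLAGS = json.dumps({"status": "success", "data": {
    "web.enable-admin-api": "true",
    "web.enable-lifecycle": "false",
    "config.file": "/home/alice/prometheus.yml",
}})

# Constructed sample of a /api/v1/status/config response: the loaded YAML as text.
SAMPLE_CONFIG = json.dumps({"status": "success", "data": {"yaml":
    "scrape_configs:\n"
    "- job_name: app\n"
    "  basic_auth:\n"
    "    username: monitor\n"
    "  static_configs:\n"
    "  - targets: ['http://svc:secretpw@10.0.0.5:9100']\n"}})

# The two flags the article describes; either one enabled widens the blast radius.
RISKY_FLAGS = ("web.enable-admin-api", "web.enable-lifecycle")

# user:password@host inside a URL, the form of credential the config endpoint leaks.
URL_CREDS = re.compile(r"://[^/\s'\"]+:[^@/\s'\"]+@")


def audit_flags(flags_json: str) -> dict:
    """Return which risky flags are enabled and the config path exposed by the flags endpoint."""
    data = json.loads(flags_json)["data"]
    return {
        "enabled_admin_flags": [f for f in RISKY_FLAGS if data.get(f) == "true"],
        "config_file": data.get("config.file"),
    }


def audit_config(config_json: str) -> list:
    """Return the loaded-config lines that carry credentials embedded in a URL."""
    yaml_text = json.loads(config_json)["data"]["yaml"]
    return [line.strip() for line in yaml_text.splitlines() if URL_CREDS.search(line)]


if __name__ == "__main__":
    print(audit_flags(SAMPLE_FLAGS))
    print(audit_config(SAMPLE_CONFIG))
```

To audit a live instance, replace the two samples with the bodies returned by the endpoints; any non-empty result from either function is a finding to fix or put behind authentication.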


JFrog said it found that about 15% of Prometheus endpoints connected directly to the Internet had the API management setting enabled and 4% had database management turned on. A search on the IoT search engine Shodan identified a total of approximately 27,000 hosts.

In addition to encouraging organizations to “query the endpoints [...] to see whether sensitive data may be exposed,” the researchers say that “advanced users who need stronger authentication or encryption than that provided by Prometheus can also set up another network entity to handle the security layer.”
