CVE-2021-29622 in Prometheus
Summary
by MITRE • 05/20/2021
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/22/2021
The vulnerability identified as CVE-2021-29622 affects Prometheus, an widely-used open-source monitoring system and time series database that serves as a critical component in modern infrastructure monitoring. This issue emerged in version 2.23.0 when Prometheus introduced a new user interface and implemented URL redirection mechanisms to ensure seamless transition for users. The vulnerability stems from a flawed implementation in the URL handling logic specifically within the /new endpoint, which was designed to redirect requests from the new UI path to the default UI path. However, the code contained a security flaw that allowed attackers to manipulate URL parameters in a way that could bypass the intended redirection behavior and instead force arbitrary URL redirections. This represents a classic case of insecure redirection that can be exploited to perform various malicious activities including phishing attacks or credential harvesting.
The technical flaw manifests in the URL parsing and redirection logic where input validation is insufficient to prevent attackers from crafting malicious URLs that exploit the redirection mechanism. The vulnerability specifically affects the /new endpoint which was introduced to provide a transition path for users moving from the old UI to the new UI. Attackers can construct URLs that manipulate the redirection parameters to redirect users to malicious domains while maintaining the appearance of legitimate Prometheus navigation. This vulnerability falls under CWE-601, which describes URL redirection vulnerabilities where applications redirect users to external sites without proper validation of the target URL. The flaw demonstrates poor input sanitization and inadequate validation of redirect targets, allowing attackers to potentially redirect users to attacker-controlled domains.
The operational impact of this vulnerability is significant for organizations relying on Prometheus for monitoring their infrastructure, as it creates a potential attack vector that could be exploited by threat actors to compromise user security. When users access a compromised Prometheus server with a maliciously crafted URL, they could be redirected to phishing sites designed to capture credentials or other sensitive information. The vulnerability also poses risks to internal network security since it could be used to redirect users to malicious domains within the organization's network or to external sites that might be used for further exploitation. This type of vulnerability particularly affects environments where users might not be security-aware and could inadvertently click on links that redirect them to malicious sites. The attack vector aligns with ATT&CK technique T1566.001, which involves phishing through spearphishing attachments or links, making this vulnerability particularly dangerous in enterprise environments.
Organizations affected by this vulnerability should immediately implement the recommended mitigations to protect their monitoring infrastructure. The primary solution involves upgrading to Prometheus versions 2.26.1 or 2.27.1, which contain the necessary patches to address the redirection flaw. Additionally, the permanent fix included in version 2.28.0 involves the complete removal of the /new endpoint, eliminating the attack surface entirely. A temporary workaround recommended by the Prometheus team involves configuring reverse proxy servers to block access to the /new endpoint, effectively preventing attackers from reaching the vulnerable code path. Security administrators should also consider implementing network-level controls and monitoring for unusual redirection patterns that might indicate exploitation attempts. The vulnerability highlights the importance of thorough input validation and proper URL handling in web applications, particularly in monitoring systems that are frequently accessed by multiple users and may be exposed to external threats.