Port 9090 (Prometheus)
Quick Info
Port Number
9090
Protocol
TCP
Service
Prometheus
IANA Name
websm (WebSM). Prometheus listens on 9090 by project default, not by IANA assignment.
Service Description
Port 9090 (TCP) is commonly associated with Prometheus, an open-source systems monitoring and alerting toolkit: it is the default of Prometheus's --web.listen-address flag (0.0.0.0:9090), which serves the web UI, the HTTP API and the server's own /metrics endpoint. Prometheus collects metrics by scraping HTTP endpoints on configured targets at regular intervals. Targets expose metrics in a text-based exposition format, which Prometheus parses and stores in its time-series database. The targets and the scrape interval are defined in the configuration file (prometheus.yml); Prometheus sends HTTP GET requests to each target's metrics path (/metrics by default) and expects a response in the exposition format. Each sample is time-stamped on ingestion, or carries its own timestamp, and is stored for querying with PromQL, graphing, and alerting based on defined rules. The port number alone does not identify the service: IANA assigns 9090 to WebSM, and the Cockpit web console also listens on 9090 by default, so confirm with a banner or a request to /api/v1/status/buildinfo before treating a 9090 listener as Prometheus.
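The parsing step described above, as an added example written for this page (not code from the Prometheus project): a parser for the text exposition format covering `# HELP` / `# TYPE` metadata, label sets with the format's escape sequences, optional millisecond timestamps, the special values +Inf/-Inf/NaN, and the `_bucket`/`_sum`/`_count` suffixes that tie histogram samples to their family. The scrape body it parses is constructed.

```python
"""Parse the Prometheus text exposition format (what a target returns on /metrics)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed scrape output, as a target might return it on /metrics.
SAMPLE_SCRAPE = r'''# HELP http_requests_total Total HTTP requests served.
# TYPE http_requests_total counter
http_requests_total{method="GET",code="200"} 1027 1395066363000
http_requests_total{method="POST",code="500"} 3
# HELP process_open_fds Number of open file descriptors.
# TYPE process_open_fds gauge
process_open_fds 42
# TYPE request_duration_seconds histogram
request_duration_seconds_bucket{le="0.1"} 2
request_duration_seconds_bucket{le="+Inf"} 5
request_duration_seconds_sum 0.93
request_duration_seconds_count 5
# a bare comment line is ignored
scrape_path_info{path="C:\\tmp\\\"quoted\""} +Inf
'''

_SAMPLE_RE = re.compile(
    r"^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)"   # metric name
    r"(?:\{(?P<labels>.*)\})?"                # optional {label="value",...}
    r"\s+(?P<value>\S+)"                      # value: float, +Inf, -Inf or NaN
    r"(?:\s+(?P<ts>-?\d+))?\s*$"              # optional timestamp in milliseconds
)
# label="value"; the format allows exactly three escapes inside the quotes: \\ \" \n
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')
_ESCAPES = {"n": "\n", "\\": "\\", '"': '"'}


def _unescape(s: str) -> str:
    # Single left-to-right pass, so an escaped backslash followed by 'n' stays a backslash and an 'n'.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), s)


@dataclass
class Sample:
    name: str
    labels: Dict[str, str]
    value: float
    timestamp_ms: Optional[int] = None


@dataclass
class MetricFamily:
    name: str
    type: str = "untyped"
    help: str = ""
    samples: List[Sample] = field(default_factory=list)


def _family_for(families: Dict[str, MetricFamily], sample_name: str) -> str:
    """Histogram and summary samples carry _bucket/_sum/_count suffixes; map them to their family."""
    if sample_name in families:
        return sample_name
    for suffix in ("_bucket", "_sum", "_count"):
        base = sample_name[: -len(suffix)] if sample_name.endswith(suffix) else None
        if base and families.get(base) and families[base].type in ("histogram", "summary"):
            return base
    return sample_name


def parse_exposition(text: str) -> Dict[str, MetricFamily]:
    families: Dict[str, MetricFamily] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split(None, 3)  # '#', keyword, metric name, remainder
            if len(parts) >= 3 and parts[1] in ("TYPE", "HELP"):
                fam = families.setdefault(parts[2], MetricFamily(parts[2]))
                rest = parts[3] if len(parts) == 4 else ""
                if parts[1] == "TYPE":
                    fam.type = rest
                else:
                    fam.help = _unescape(rest)
            continue  # anything else after '#' is a plain comment
        m = _SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed sample: {raw!r}")
        labels = {k: _unescape(v) for k, v in _LABEL_RE.findall(m.group("labels") or "")}
        ts = int(m.group("ts")) if m.group("ts") else None
        sample = Sample(m.group("name"), labels, float(m.group("value")), ts)
        key = _family_for(families, sample.name)
        families.setdefault(key, MetricFamily(key)).samples.append(sample)
    return families


def scrape_summary(text: str) -> Dict[str, int]:
    """Samples per family; summed, this is what Prometheus reports as scrape_samples_scraped."""
    return {name: len(f.samples) for name, f in parse_exposition(text).items()}


if __name__ == "__main__":
    for name, fam in parse_exposition(SAMPLE_SCRAPE).items():
        print(f"{name} ({fam.type}): {len(fam.samples)} sample(s)")
```

Prometheus itself is stricter (it rejects duplicate label names, enforces `# TYPE` ordering and validates UTF-8), but the grammar above is the one a scrape exercises, and the same parser can be pointed at any exporter's /metrics body to see exactly what an unauthenticated reader would learn from it.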
Firewall Recommendations
If Prometheus is used only within a trusted network, restrict port 9090 at the host and network firewall to the systems that need it: the Grafana or other dashboard host, any Prometheus servers that federate from it via /federate, and administrators' workstations. If wider access is required, put authentication and authorization in front of every request. Prometheus 2.24 and later can serve TLS (including mutual TLS) and basic authentication natively through a web configuration file passed with --web.config.file; alternatively, a reverse proxy can terminate TLS, enforce authentication and filter requests, in which case Prometheus itself should bind to 127.0.0.1:9090 so the proxy is the only route in. Do not enable --web.enable-admin-api, --web.enable-lifecycle or --web.enable-remote-write-receiver on an instance that untrusted clients can reach. Perform regular security audits and vulnerability scanning to catch exposures early. If Prometheus is not required, block port 9090 entirely.
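The default posture beside a hardened one, as an added example for this page (not configuration shipped by the Prometheus project). Prometheus 2.24 and later reads the web configuration file named by --web.config.file; the file paths, the user name and the bcrypt hash below are placeholders.

```yaml
# Default posture:  prometheus --config.file=prometheus.yml
#   --web.listen-address defaults to 0.0.0.0:9090, plaintext, no authentication;
#   anyone who can reach the port can run any PromQL query.
#
# Hardened posture:  prometheus --config.file=prometheus.yml \
#                               --web.config.file=web.config.yml
# Contents of web.config.yml (placeholder paths and hash):
tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt
  key_file: /etc/prometheus/tls/server.key
  min_version: TLS12
  # Mutual TLS: only clients presenting a certificate issued by this CA are served.
  client_auth_type: RequireAndVerifyClientCert
  client_ca_file: /etc/prometheus/tls/clients-ca.crt
basic_auth_users:
  # bcrypt hashes only; `htpasswd -nBC 10 grafana` prints one for the user "grafana".
  grafana: $2y$10$REPLACE_WITH_A_REAL_BCRYPT_HASH
```

With this file in place every request, including /metrics and the API, must present a client certificate and credentials, so Grafana and any federating Prometheus must be configured with both. When a reverse proxy does the authentication instead, add --web.listen-address=127.0.0.1:9090 so the server is unreachable except through the proxy, and narrow the host firewall so that 9090 accepts connections only from the proxy or dashboard host.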
Security Information
A Prometheus server exposed without authentication is a significant security risk, and that is its default: out of the box it binds 0.0.0.0:9090 with no TLS and no credentials. Anyone who can reach the port can run arbitrary PromQL through /api/v1/query and read every metric the server holds: CPU and memory figures, request and error rates, and whatever application-specific series and label values (hostnames, paths, user identifiers) operators have chosen to export. /api/v1/targets hands out the scrape inventory, which is a map of internal hosts and ports, and /api/v1/status/config and /api/v1/status/flags reveal how the server is run (scrape credentials in the config are masked as <secret>, but target addresses and file paths are not). This is enough to map an internal network, identify software versions, and time a denial-of-service attack against the busiest components; heavy queries over high-cardinality series can also exhaust the Prometheus server itself. Prometheus has no general write API, but three opt-in flags turn an exposed instance from a read-only leak into something an attacker can act on: --web.enable-lifecycle adds /-/reload and /-/quit (a remote shutdown is a monitoring blackout), --web.enable-admin-api adds series deletion and on-disk snapshots under /api/v1/admin/tsdb/, and --web.enable-remote-write-receiver adds /api/v1/write, through which arbitrary samples can be injected to mask an intrusion or raise false alerts. Leaving the endpoint unauthenticated is a common oversight and makes it an attractive target for reconnaissance and disruption.
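A triage routine for the exposures listed above, added here as a worked example (not part of the page or of Prometheus). It reads the JSON that /api/v1/status/buildinfo and /api/v1/status/flags return, which are the documented endpoint shapes, and turns the enabled flags into findings about what an unauthenticated caller could do. The two responses it evaluates are constructed; `fetch_status` is the live wrapper for use against your own servers.

```python
"""Triage what an unauthenticated caller can do against a Prometheus server."""
import json
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed responses in the v1 API envelope {"status":"success","data":{...}};
# version and flag values are illustrative.
BUILDINFO_JSON = '{"status":"success","data":{"version":"2.47.0","revision":"0000000","goVersion":"go1.21.1"}}'
FLAGS_JSON = (
    '{"status":"success","data":{'
    '"web.listen-address":"0.0.0.0:9090",'
    '"web.config.file":"",'
    '"web.enable-admin-api":"true",'
    '"web.enable-lifecycle":"true",'
    '"web.enable-remote-write-receiver":"false",'
    '"storage.tsdb.path":"data/"}}'
)

# Flag -> (severity, what it lets an unauthenticated caller do). The paths are the
# documented Prometheus HTTP API routes each flag switches on.
RISKY_FLAGS = {
    "web.enable-admin-api": ("HIGH", "POST /api/v1/admin/tsdb/delete_series and /api/v1/admin/tsdb/snapshot: "
                                     "delete stored series or write snapshots to the server's disk"),
    "web.enable-lifecycle": ("HIGH", "POST /-/quit and /-/reload: stop the server or force a config reload "
                                     "(monitoring blackout)"),
    "web.enable-remote-write-receiver": ("MEDIUM", "POST /api/v1/write: inject arbitrary samples into the TSDB"),
}


def parse_api(body: str) -> dict:
    """Unwrap the v1 API envelope; raise if the server reported an error."""
    doc = json.loads(body)
    if doc.get("status") != "success":
        raise ValueError(f"API status {doc.get('status')!r}: {doc.get('error')}")
    return doc["data"]


def assess(buildinfo: dict, flags: Dict[str, str]) -> List[Tuple[str, str]]:
    """Findings for a server whose status endpoints answered without credentials."""
    version = buildinfo.get("version", "unknown")
    findings = [("MEDIUM", f"Prometheus {version} serves /api/v1/* unauthenticated: every metric is "
                           "queryable and /api/v1/targets lists internal hosts and ports")]
    if not flags.get("web.config.file"):
        findings.append(("INFO", "no --web.config.file: native TLS/basic auth off "
                                 "(a reverse proxy may still front it; verify separately)"))
    addr = flags.get("web.listen-address", "")
    if addr.startswith(("0.0.0.0:", ":", "[::]:")):
        findings.append(("INFO", f"--web.listen-address={addr}: bound on all interfaces"))
    for flag, (severity, impact) in RISKY_FLAGS.items():
        if flags.get(flag) == "true":
            findings.append((severity, f"--{flag}=true: {impact}"))
    return findings


def fetch_status(base_url: str, what: str, timeout: float = 5.0) -> Optional[dict]:
    """GET /api/v1/status/<what> with no credentials; None when the server denies access."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/status/{what}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_api(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise


def demo() -> List[Tuple[str, str]]:
    """Run the assessment over the constructed responses above."""
    return assess(parse_api(BUILDINFO_JSON), parse_api(FLAGS_JSON))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python triage.py http://127.0.0.1:9090  (hypothetical file name)
        info, flags = fetch_status(sys.argv[1], "buildinfo"), fetch_status(sys.argv[1], "flags")
        results = assess(info, flags) if info and flags else [("OK", "status endpoints require authentication")]
    else:
        results = demo()
    for severity, text in results:
        print(f"[{severity}] {text}")
```

A 401 or 403 from /api/v1/status/buildinfo is the result you want to see from outside the trusted network; anything else means the whole read API is open, and the flags decide whether the exposure is also writable.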
Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2023-46844 | Prometheus Information Disclosure | Medium | Prometheus v2.48.0 and later is vulnerable to information disclosure due to the /api/v1/status/flags endpoint exposing command-line flags that may contain secrets. |
| CVE-2023-3890 | Prometheus: Denial of Service via memory exhaustion | High | A remotely triggerable denial of service (memory exhaustion) in the Prometheus HTTP handler. |
Common Software
- Prometheus
- Alertmanager (in some configurations)
- Grafana (for visualization)
- Node Exporter
- cAdvisor
- kube-state-metrics
- Various Prometheus exporters (e.g., for databases, message queues)
ScaniteX scans millions of IPs to find devices with specific ports open. Perfect for security research and network auditing.