Glances Unauthenticated Secrets Exposure Vulnerability in API Args Endpoints
Vulnerability
A vulnerability in Glances, an open-source cross-platform system monitoring tool, allows for the unauthenticated exposure of sensitive configuration secrets through the '/api/v4/args' and '/api/v4/args/{item}' endpoints. These endpoints leak the complete command-line arguments namespace, including the password hash, SNMP community strings, authentication keys, and the configuration file path. This issue arises when Glances is run without a password, the default setting, making these endpoints accessible without authentication.
Impact
This vulnerability can lead to unauthorized network reconnaissance, allowing attackers to enumerate SNMP credentials, usernames, file paths, and runtime configuration. Additionally, if authentication is enabled, an authenticated user can retrieve the password hash and perform offline brute-force attacks. The exposed SNMP community strings and v3 authentication keys could be used to access other network devices monitored by Glances.
Reproduction
To reproduce this vulnerability, start Glances in web server mode without setting a password. Once the server is running, access the '/api/v4/args' endpoint to retrieve sensitive information, including SNMP credentials and the configuration file path. Alternatively, if Glances is started with password authentication, the password hash can be accessed through the same endpoint.
Remediation
Users should update to Glances version 4.5.2, which addresses this vulnerability by redacting sensitive fields in unauthenticated API responses. Instructions for downloading the latest version are available on the Glances GitHub releases page.
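To confirm after upgrading that your own instance no longer returns these values, the following added example (not code from the Glances project or the original advisory) checks a saved '/api/v4/args' response body for sensitive fields that are still readable. The key names, the redaction placeholders and the sample bodies are assumptions constructed for illustration.

```python
import json

# Assumed key names in the args namespace; the advisory names only the
# categories (password hash, SNMP community/auth keys, config file path).
SENSITIVE_KEYS = {"password", "snmp_community", "snmp_user", "snmp_auth", "conf_file"}
# Assumed forms a redacted value may take; adjust to what your build returns.
REDACTED = (None, "", "********", "[REDACTED]")


def exposed_fields(body: str) -> list[str]:
    """Return the sensitive keys whose values are still readable in the body."""
    args = json.loads(body)
    if not isinstance(args, dict):
        raise ValueError("expected a JSON object from /api/v4/args")
    return sorted(
        key for key, value in args.items()
        if key.lower() in SENSITIVE_KEYS and value not in REDACTED
    )


# Constructed sample: a response that still carries secrets.
SAMPLE_LEAKY = json.dumps({
    "webserver": True,
    "port": 61208,
    "password": "constructed-salt$constructed-hash",
    "snmp_community": "constructed-community",
    "snmp_user": "constructed-user",
    "snmp_auth": "constructed-key",
    "snmp_version": "2c",  # not treated as a secret
    "conf_file": "/constructed/path/glances.conf",
})

# Constructed sample: the same response with sensitive fields redacted or absent.
SAMPLE_REDACTED = json.dumps({
    "webserver": True,
    "port": 61208,
    "password": None,
    "snmp_community": "********",
    "snmp_version": "2c",
})

if __name__ == "__main__":
    for name, body in (("leaky", SAMPLE_LEAKY), ("redacted", SAMPLE_REDACTED)):
        leaked = exposed_fields(body)
        print(f"{name}: {'EXPOSED ' + ', '.join(leaked) if leaked else 'ok'}")
```

Run it against the unauthenticated response from your own instance before and after the upgrade; an empty result means none of the listed fields is readable.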
