Glances Default CORS Configuration Allows Cross-Origin Credential Theft

Vulnerability

Glances, an open-source cross-platform system monitoring tool, shipped its REST API with an insecure default CORS configuration in versions prior to 4.5.2. The server accepted requests from any origin while also allowing credentials. Those two settings contradict each other: the Fetch standard does not let a browser expose a credentialed response whose Access-Control-Allow-Origin is the literal `*`, and whether a server configured this way answers with `*` or by echoing the requesting Origin depends on the middleware; the echoed form is the one a browser honours for credentialed reads, and with it every website is an allowed origin. The flaw let any web page a user visited make authenticated requests to the Glances API from that user's browser and read the responses, exposing system monitoring data, configuration secrets, and the command line arguments of monitored processes. Version 4.5.2 corrects the default.

Impact

Exploitation could give a malicious web page read access to everything the Glances REST API exposes: live system monitoring data, the loaded configuration (which may carry secrets such as database passwords and API keys for the plugins and exporters that use them), and the command line arguments of the processes Glances lists. The impact is greatest when Glances runs without a password, since every endpoint is then reachable from any website with no authentication at all. When a password is set, the attack still works against a user who has already authenticated to Glances with HTTP Basic Auth in the same browser: the browser attaches the cached credentials to a credentialed cross-origin request, and the permissive CORS response lets the attacker's page read the result.

Reproduction

To reproduce, start the Glances web server with its default settings, which include the insecure CORS configuration. From a different origin, send a request to the REST API that includes credentials (for a password-protected instance, the HTTP Basic Auth header; a browser adds this automatically for a site it has already authenticated to). The vulnerable server answers with CORS headers that permit the request, including Access-Control-Allow-Credentials: true. The same check can be made from the command line with curl by adding an Origin header for the foreign site and dumping the response headers; the value of Access-Control-Allow-Origin in that dump is the detail to read, since an echoed origin is what lets a browser expose a credentialed response to a third-party page, while a literal `*` is refused for credentialed requests but still lets an unauthenticated instance be read. Once the headers confirm credentialed cross-origin access, a script on the attacker's page can call the API endpoints with the user's cached credentials and forward the returned data to a server the attacker controls.

Remediation

Update to Glances 4.5.2 or later, which removes the wildcard origin from the default configuration and disables credentials. Credentialed cross-origin access is off after the update; anyone who needs it must list the allowed origins explicitly in the configuration, as exact origins (scheme, host and port), never a wildcard, and enable credentials only together with that list.

Added: Mar 18, 2026, 5:29 PM
Updated: Mar 18, 2026, 5:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.9
exploitability: 7.7
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.