Glances DNS Rebinding Vulnerability in REST/WebUI FastAPI Application

Vulnerability

A vulnerability exists in the Glances monitoring tool's REST/WebUI FastAPI application, prior to version 4.5.2, that allows DNS rebinding attacks. The application accepts arbitrary 'Host' headers without validation and has no host allowlist, so the REST API, WebUI, and token endpoint can all be reached through an attacker-controlled domain name. Because the browser treats the rebound domain as the same origin, the attacker's script can read API responses that the same-origin policy would otherwise keep from it.

Impact

Exploitation of this vulnerability could give an attacker unauthorized access to the Glances REST API, WebUI, and token endpoint via DNS rebinding, allowing sensitive monitoring data (and any token the endpoint issues) to be read by attacker-controlled JavaScript as if it came from the same origin.

Reproduction

To reproduce this vulnerability, first run Glances with the web server enabled and the default bind address, which exposes the service on all network interfaces. The attacker then serves a page containing JavaScript from a domain whose authoritative DNS they control, answering with a very short TTL and served on the same TCP port that Glances listens on (the origin is scheme, host and port, so the port must match). When the victim loads the page, the attacker's DNS first resolves the domain to the attacker's web server; once the page is loaded, the DNS answer is switched to the Glances service IP (which may be a loopback or private address reachable only from the victim's machine or network). When the browser re-resolves the name, the page's subsequent requests to its own origin land on Glances. Glances does not check the 'Host' header, so it answers, and because the request is same-origin from the browser's point of view, the attacker's script can read the API responses through the rebinding domain.

Remediation

Users should update to Glances version 4.5.2 or later and configure the 'webui_allowed_hosts' setting in 'glances.conf' to restrict the 'Host' header values the server accepts. Note that binding the web server to a loopback or private address does not by itself prevent DNS rebinding, since the attacker can rebind to that address; the 'Host' check is what breaks the attack. For public-facing deployments, it is recommended to use a reverse proxy with TLS and authentication.
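The following is an added example, not code from Glances or from the original advisory, showing why a 'Host' allowlist defeats the attack described under Reproduction: even after the attacker's domain is rebound to the Glances IP, the browser still sends the attacker's hostname in the 'Host' header, so the server can refuse the request. The allowlist check handles ports, IPv6 literals, case and a leading-dot subdomain pattern (the Django ALLOWED_HOSTS convention, adopted here as an assumption). The handler class, the allowed-host list and the use of the standard-library HTTP server instead of FastAPI are illustrative choices; 61208 is the port Glances uses by default.

```python
"""Host header allowlist check against DNS rebinding (added example, not Glances code)."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer


def split_host_port(host_header):
    """Parse a Host header value into (host, port); port is None when absent.

    Returns (None, None) for values that are not syntactically valid, which the
    caller treats as "not allowed".
    """
    value = host_header.strip().lower()
    if not value:
        return None, None
    if value.startswith("["):                      # IPv6 literal, e.g. "[::1]:61208"
        end = value.find("]")
        if end < 0:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None, None
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    if value.count(":") > 1:                       # unbracketed IPv6 is not a valid Host
        return None, None
    host, _, port = value.partition(":")
    if port and not port.isdigit():
        return None, None
    if not host or any(c in host for c in " /\\@?#"):
        return None, None
    return host, (int(port) if port else None)


def host_allowed(host_header, allowed):
    """Return True if the Host header matches an allowlist entry.

    Entries are compared case-insensitively and without the port. An entry that
    starts with "." matches the bare domain and every subdomain (assumed
    convention, as in Django ALLOWED_HOSTS); "*" matches everything and should
    only be used behind a reverse proxy that validates Host itself.
    """
    host, _port = split_host_port(host_header)
    if host is None:
        return False
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Minimal handler: reject any request whose Host header is not allowlisted.

    A rebound request from the attacker's page carries e.g. "Host: attacker.example:61208",
    which is not in ALLOWED_HOSTS, so it gets a 400 and no data is leaked.
    """
    ALLOWED_HOSTS = ("localhost", "127.0.0.1", "::1")   # illustrative allowlist

    def do_GET(self):
        if not host_allowed(self.headers.get("Host", ""), self.ALLOWED_HOSTS):
            self.send_error(400, "Invalid Host header")
            return
        body = b'{"status": "ok"}'                      # stand-in for an API response
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback on Glances's default port; binding alone is not a defence,
    # the Host check in do_GET is.
    HTTPServer(("127.0.0.1", 61208), HostCheckingHandler).serve_forever()
```

In a FastAPI application the same check is available as Starlette's TrustedHostMiddleware (its allowed_hosts parameter); whichever form is used, the comparison must be against the 'Host' header the client sent, never against the IP address the request arrived on, because after rebinding both the legitimate and the attacker-driven requests arrive on the same socket.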

Added: Mar 18, 2026, 7:00 PM
Updated: Mar 18, 2026, 7:00 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.5
exploitability: 7.2
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.