CVE-2026-53925
Deferred - Pending Action
Path Traversal and Command Injection in Glances Monitoring Tool

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Glances is an open-source system cross-platform monitoring tool. From 4.0.8 until 4.5.5, the secure_popen() function in glances/secure.py interprets > (file redirection), | (pipe), and && (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When Application Monitoring Process (AMP) modules load their command or service_cmd configuration values from glances.conf, those values are passed directly to secure_popen() with no sanitization. This allows an attacker who can modify the Glances configuration file to write arbitrary content to arbitrary filesystem paths (via >), chain arbitrary commands (via &&), or pipe command output to arbitrary programs (via |). This vulnerability is fixed in 4.5.5.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A (no CVSS or EPSS scores are listed for this entry yet)
Affected Vendors & Products
Three associated CPEs are listed:

Vendor      Product   Version / Range
glances     glances   from 4.0.8 (inclusive) to 4.5.5 (inclusive)
nicolargo   glances   from 4.0.8 (inclusive) to 4.5.5 (exclusive)
nicolargo   glances   4.5.5

The first and third rows list 4.5.5 as affected, which contradicts the description's statement that the issue is fixed in 4.5.5. Treat 4.0.8 through 4.5.4 as the affected range and 4.5.5 as the fixed release.
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Compliance Impact

This vulnerability allows an attacker with access to modify the Glances configuration file to write arbitrary content to any filesystem path, execute arbitrary commands, or exfiltrate data. Such unauthorized actions can lead to breaches of confidentiality, integrity, and availability of sensitive data.

Because of these impacts, organizations using affected versions of Glances may face challenges in maintaining compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or modification.

Executive Summary

This vulnerability exists in Glances versions 4.0.8 up to, but not including, 4.5.5, in the secure_popen() function in glances/secure.py. The function interprets a small set of shell-style operators itself, > (file redirection), | (pipe) and && (command chaining), and it does so without validating the redirect target, the piped command or the chained command.

When Application Monitoring Process (AMP) modules load their command or service_cmd values from glances.conf, those values reach secure_popen() unsanitized. The precondition is therefore write access to the configuration file: an attacker who has it can write arbitrary content to any path the Glances process can write, chain arbitrary commands, or pipe command output to arbitrary programs, all with the privileges of the Glances process.

The vulnerability is fixed in version 4.5.5.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker with the ability to modify the Glances configuration file to execute arbitrary commands and write arbitrary files, with the privileges of the Glances process.

  • Arbitrary file write: the attacker can redirect command output to any path the Glances process can write, potentially overwriting critical system or application files.
  • Command chaining: the attacker can execute multiple chained commands, increasing the scope of malicious actions.
  • Command output piping: the attacker can pipe command output to arbitrary programs, potentially leading to data leakage or further exploitation.

Overall, this can lead to full system compromise, data loss, or disruption of services. Because the precondition is write access to glances.conf, the bug is most dangerous where the configuration file is writable by a less privileged account than the one Glances runs under.

Mitigation Strategies

To mitigate this vulnerability, upgrade Glances to version 4.5.5 or later, where the issue has been fixed.

Until then, treat glances.conf as a trust boundary: make it writable only by the account that administers Glances (not by the account Glances runs as, if those differ), review every [amp_*] section for command or service_cmd values you do not recognize, and disable AMP modules you do not need. Running Glances as an unprivileged user limits what an injected command, file write or pipe can reach, since everything secure_popen() launches inherits the Glances process's privileges.

Detection Guidance

First confirm the installed version: glances --version or pip show glances reports it, and anything from 4.0.8 up to 4.5.4 is affected.

Then inspect every AMP section ([amp_*]) of glances.conf for command or service_cmd values that contain >, | or &&. Only those two keys reach secure_popen(), so restricting the search to them avoids false positives from other settings; in particular the regex key of an AMP section may legitimately contain |. A quoted operator is still worth flagging: the description says the operators are applied to the command string without validation, so quoting should not be assumed to protect.

Additionally, monitoring for unexpected file writes or process launches by the Glances process could indicate exploitation attempts.

Example commands to detect suspicious patterns in the configuration file include:

  • grep -nE '^\s*(command|service_cmd)\s*=.*(>|\||&&)' /path/to/glances.conf
  • grep -rnE '^\s*(command|service_cmd)\s*=.*(>|\||&&)' /etc/glances/ # if configuration is stored in /etc/glances/
  • audit or monitor file changes to glances.conf using tools like inotifywait or auditd (for example auditctl -w /etc/glances/glances.conf -p wa -k glances_conf) to detect unauthorized modifications.
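The following is an added example and not Glances' own code. It serves both the mechanism described in the Executive Summary and the detection guidance above: it models how a launcher that splits a command string on &&, | and > turns a single configuration value into a file write, a command chain and a pipe; it puts a hardened validator beside that model; and it runs the configuration check over a constructed glances.conf. The sample configuration and its AMP values are invented for this example (the [amp_*] section naming and the command / service_cmd keys follow the Glances AMP format). model_operator_plan() is a simplified dry-run model of the behaviour the advisory describes, not the project's secure_popen(), and the extra metacharacters safe_argv() rejects are a defence-in-depth assumption, not a description of the 4.5.5 fix.

```python
import configparser
import shlex
import subprocess

# Constructed sample glances.conf for this example. The [amp_*] section
# naming and the command / service_cmd keys follow the Glances AMP
# configuration format; the values themselves are invented.
SAMPLE_CONF = """\
[amp_dropbox]
enable=true
regex=.*dropbox.*
refresh=3
command=dropbox status

[amp_systemd]
enable=true
regex=.*systemd.*
refresh=30
service_cmd=/usr/bin/systemctl --plain --no-pager list-units --state=failed

[amp_backdoor]
enable=true
regex=.*
refresh=3
command=id > /tmp/glances-owned && echo chained | logger
"""

# The three operators the advisory names.
ADVISORY_OPERATORS = ("&&", "|", ">")

# Extra metacharacters rejected by the hardened validator. Rejecting these
# is a defence-in-depth assumption of this example, not a description of
# the fix shipped in Glances 4.5.5.
EXTRA_METACHARS = (";", "<", "`", "$(", "\n")

AMP_KEYS = ("command", "service_cmd")


def amp_commands(conf_text):
    """Return {(section, key): value} for command/service_cmd keys found
    in [amp_*] sections of glances.conf-style text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    found = {}
    for section in parser.sections():
        if not section.startswith("amp_"):
            continue
        for key in AMP_KEYS:
            if parser.has_option(section, key):
                found[(section, key)] = parser.get(section, key)
    return found


def operators_in(cmd):
    """Advisory operators present anywhere in the raw string. This scans
    the text rather than shell tokens on purpose: the advisory says the
    operators are applied to the string without validation, so a quoted
    operator is still worth flagging for review."""
    return [op for op in ADVISORY_OPERATORS if op in cmd]


def model_operator_plan(cmd):
    """Dry-run model of an operator-aware launcher: split on &&, then |,
    then >. Nothing is executed. Simplified model for this example, not
    the project's secure_popen()."""
    plan = []
    for chained in cmd.split("&&"):
        pipeline = []
        for stage in chained.split("|"):
            argv_part, _, redirect = stage.partition(">")
            pipeline.append({"argv": shlex.split(argv_part),
                             "redirect_to": redirect.strip() or None})
        plan.append(pipeline)
    return plan


def safe_argv(cmd):
    """Hardened counterpart: refuse any string containing an operator or
    other metacharacter and return a plain argv list for
    subprocess.run(argv, shell=False). Raises ValueError on rejection."""
    bad = [tok for tok in ADVISORY_OPERATORS + EXTRA_METACHARS if tok in cmd]
    if bad:
        raise ValueError(f"refusing AMP command with shell operators {bad!r}: {cmd!r}")
    argv = shlex.split(cmd)
    if not argv:
        raise ValueError("empty AMP command")
    return argv


def run_safe(cmd, timeout=10):
    """Execute a validated AMP command without a shell."""
    return subprocess.run(safe_argv(cmd), capture_output=True, text=True,
                          timeout=timeout)


def audit(conf_text):
    """Detection: (section, key, operators) for every AMP command value
    that contains an advisory operator."""
    findings = []
    for (section, key), value in amp_commands(conf_text).items():
        ops = operators_in(value)
        if ops:
            findings.append((section, key, ops))
    return findings


if __name__ == "__main__":
    for section, key, ops in audit(SAMPLE_CONF):
        print(f"{section}.{key}: contains {ops}")
        for pipeline in model_operator_plan(amp_commands(SAMPLE_CONF)[(section, key)]):
            print("  chained stage:", pipeline)
```

Running the module prints the single flagged section, amp_backdoor, and the plan shows how its one command value becomes a redirect of id's output to /tmp/glances-owned, followed by a chained echo whose output is piped into logger. Pointing audit() at the text of a real glances.conf gives the same check as the grep commands above, restricted to the two keys that matter.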