Glances IP Plugin SSRF Vulnerability Leading to Credential Leakage
A server-side request forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter, allowing attackers to force outbound HTTP requests and potentially leak credentials via the Authorization header.
A server-side request forgery (SSRF) vulnerability has been identified in the Glances IP plugin, affecting versions prior to 4.5.4. The vulnerability stems from insufficient validation of the public_api configuration parameter. An attacker with the ability to modify the Glances configuration file can exploit this flaw to force the application to make HTTP requests to arbitrary internal or external endpoints. Furthermore, if public_username and public_password are configured, Glances automatically includes these credentials within the Authorization: Basic header of the outbound requests, leading to potential credential leakage to attacker-controlled servers. This issue allows attackers to probe internal network services, retrieve sensitive data from cloud metadata endpoints (e.g., AWS, Azure, GCP), and exfiltrate credentials. The root cause is the direct usage of the public_api value within the urlopen_auth function without proper validation.
Attack Chain
- Attacker gains access to the Glances configuration file (e.g., through compromised credentials or exposed configuration management).
- Attacker modifies the
glances.conffile, settingpublic_apito a malicious URL, such ashttp://127.0.0.1:9999/ssrf-pocor a cloud metadata endpoint (http://169.254.169.254/). - Attacker sets
public_usernameandpublic_passwordin theglances.conffile to capture the Basic Authentication header. - The Glances application, particularly the IP plugin, reads the modified configuration file during startup or refresh.
- The
ThreadPublicIpAddressclass initiates an HTTP request to the attacker-controlled URL using theurlopen_authfunction inglances/globals.py. - The
urlopen_authfunction sends the request with theAuthorization: Basicheader containing the configured username and password, to the attacker controlled endpoint. - The attacker's server receives the request, captures the leaked credentials from the Authorization header, and potentially uses them for further exploitation.
- The Glances API endpoint
/api/4/ipreflects the attacker-controlled data, potentially injecting arbitrary information into the application.
Impact
Successful exploitation of this SSRF vulnerability can have several serious consequences. Attackers can gain unauthorized access to internal network services and sensitive data residing on the local machine or within the internal network. Credential leakage, due to the inclusion of usernames and passwords in the Authorization header, can lead to further compromise of other systems and services. Cloud metadata endpoints can be queried to obtain sensitive credentials for cloud environments (AWS, Azure, GCP). Furthermore, by manipulating the response received from the attacker-controlled server, arbitrary data can be injected into the Glances application, potentially leading to further exploitation or disruption of services.
Recommendation
- Deploy the following Sigma rule to detect modifications to the Glances configuration file to identify potential exploitation attempts.
- Apply input validation to the
public_apiconfiguration parameter within the Glances IP plugin to enforce scheme restrictions (http/https only) and validate the destination host, mitigating SSRF vulnerabilities as detailed in the overview. - Implement network segmentation to limit the impact of successful SSRF attacks by restricting access to internal resources from the Glances server.
- Monitor network connections originating from the Glances server for suspicious outbound traffic to internal or cloud metadata IP ranges.
Detection coverage 3
Detect Glances Configuration File Modification
mediumDetects modifications to the Glances configuration file, which could indicate an attempt to exploit the SSRF vulnerability.
Detect Outbound Connection to Metadata IP
highDetects outbound network connections from the Glances process to cloud metadata IP addresses, potentially indicating SSRF exploitation.
Detect Public API URL in Glances Configuration
highDetects a malicious public API URL in the Glances configuration file
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
ip
| Type | Value |
|---|---|
| ip | 169.254.169.254 |