{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33641/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Glances"],"_cs_severities":["high"],"_cs_tags":["glances","command-injection","privilege-escalation","cve-2026-33641"],"_cs_type":"advisory","_cs_vendors":["Glances"],"content_html":"\u003cp\u003eGlances, a system monitoring tool, contains a command injection vulnerability in versions 4.5.2 and earlier. The vulnerability stems from the dynamic configuration parsing in \u003ccode\u003eConfig.get_value()\u003c/code\u003e, where substrings enclosed in backticks are interpreted and executed as system commands. This behavior occurs without proper validation or restriction, allowing an attacker to inject arbitrary commands. If an attacker can modify or influence the Glances configuration files, these commands will execute automatically with the privileges of the Glances process. This is particularly concerning in deployments where Glances runs with elevated privileges, such as when it is configured as a system service. The vulnerability is tracked as CVE-2026-33641.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the Glances configuration file (e.g., through misconfigured file permissions, shared writable directories, or compromised configuration management systems).\u003c/li\u003e\n\u003cli\u003eAttacker modifies the configuration file to include a malicious command within backticks in a configuration value (e.g., \u003ccode\u003eurl_prefix = 'id'\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eGlances is started or the configuration is reloaded.\u003c/li\u003e\n\u003cli\u003eDuring configuration parsing, the \u003ccode\u003eConfig.get_value()\u003c/code\u003e function in \u003ccode\u003eglances/config.py\u003c/code\u003e identifies the backtick-enclosed substring.\u003c/li\u003e\n\u003cli\u003eThe identified command is extracted and passed to the \u003ccode\u003esystem_exec()\u003c/code\u003e function in \u003ccode\u003eglances/globals.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esystem_exec()\u003c/code\u003e executes the command using \u003ccode\u003esubprocess.run()\u003c/code\u003e effectively running the injected code on the host.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command replaces the original configuration value.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution with the privileges of the Glances process, potentially leading to privilege escalation if Glances runs with elevated permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the system with the privileges of the Glances process. If Glances is running as root or another privileged user, this can lead to full system compromise and privilege escalation. The vulnerability affects any system where Glances versions 4.5.2 or earlier is installed and the configuration file is modifiable by a malicious actor. Scenarios include misconfigured file permissions allowing unauthorized config modification, shared systems where configuration directories are writable by multiple users, container environments with mounted configuration volumes, and automated configuration management systems that ingest untrusted data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Glances to a version greater than 4.5.2 to patch CVE-2026-33641.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls on Glances configuration files to prevent unauthorized modification (reference Attack Chain step 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Glances Configuration Command Injection\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring process creation events after config file modification.\u003c/li\u003e\n\u003cli\u003eMonitor file integrity of Glances configuration files using a file integrity monitoring (FIM) system and alert on unauthorized changes to configuration files (reference Attack Chain step 2).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-glances-command-injection/","summary":"Glances versions 4.5.2 and earlier are vulnerable to command injection via dynamic configuration values, allowing arbitrary command execution with the privileges of the Glances process if an attacker can modify or influence configuration files, potentially leading to privilege escalation.","title":"Glances Command Injection Vulnerability via Dynamic Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-glances-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33641","version":"https://jsonfeed.org/version/1.1"}