📄 الوصف (الإنجليزية)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
🤖 ملخص AI
Glances versions prior to 4.5.4 contain a critical Server-Side Request Forgery (SSRF) vulnerability in the IP plugin that allows attackers with configuration access to force arbitrary HTTP requests to internal or external endpoints. The vulnerability is compounded by automatic credential leakage through Basic Authentication headers when public_username and public_password are configured, enabling potential data exfiltration and unauthorized access to internal services. With an available exploit and widespread use in monitoring infrastructure across Saudi organizations, immediate patching is essential.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 24, 2026 00:36
🇸🇦 التأثير على المملكة العربية السعودية
Saudi banking institutions (SAMA-regulated) using Glances for infrastructure monitoring face critical risk of internal network reconnaissance and credential theft, potentially compromising SAMA compliance requirements. Government agencies (NCA oversight) deploying Glances could experience unauthorized access to classified network segments and metadata endpoints. Energy sector organizations (ARAMCO, downstream operators) relying on Glances for SCADA/ICS monitoring face operational technology exposure. Telecom providers (STC, Mobily) using Glances for network monitoring could suffer credential leakage affecting customer data systems. Healthcare organizations (MOH-regulated) may experience HIPAA-equivalent data exfiltration through compromised monitoring infrastructure. Cloud-hosted deployments in Saudi Arabia are particularly vulnerable to AWS/Azure metadata endpoint attacks.
🏢 القطاعات السعودية المتأثرة
Banking & Financial Services (SAMA-regulated institutions)
Government & Public Administration (NCA oversight)
Energy & Utilities (ARAMCO, downstream operators, power generation)
Telecommunications (STC, Mobily, Zain)
Healthcare (MOH-regulated hospitals and clinics)
Cloud Service Providers (AWS, Azure, Google Cloud in Saudi Arabia)
Critical Infrastructure (water, transportation, communications)
Education & Research Institutions
Manufacturing & Industrial (ICS/SCADA monitoring)
🎯 تقنيات MITRE ATT&CK
T1190 - Exploit Public-Facing Application (Glances IP plugin)
T1021 - Remote Services (SSRF to internal services)
T1526 - Gather Victim Network Information (metadata endpoint reconnaissance)
T1040 - Network Sniffing (credential interception via Basic Auth)
T1557 - Man-in-the-Middle (credential leakage via unvalidated requests)
T1021.001 - Remote Services: Remote Terminal Service (internal service access)
T1087 - Account Discovery (credential enumeration via SSRF)
T1580 - Cloud Infrastructure Discovery (AWS/Azure metadata attacks)
T1552.007 - Unsecured Credentials: Container Environment Variables (credential exposure)
T1021.006 - Remote Services: Windows Remote Management (internal network access)
⚖️ درجة المخاطر السعودية (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Glances installations across your infrastructure using asset discovery tools and configuration management databases
2. Restrict network access to Glances configuration files (typically /etc/glances/glances.conf or ~/.config/glances/glances.conf) to authorized administrators only
3. Disable or remove the IP plugin if not actively used: comment out or remove 'ip' from the [plugins] section in glances.conf
4. Review all Glances configuration files for public_api, public_username, and public_password parameters and document current settings
PATCHING GUIDANCE:
1. Upgrade Glances to version 4.5.4 or later immediately across all systems
2. For package managers: apt-get update && apt-get install glances (Debian/Ubuntu), yum update glances (RHEL/CentOS), brew upgrade glances (macOS)
3. For pip installations: pip install --upgrade glances>=4.5.4
4. Verify patch installation: glances --version should show 4.5.4 or higher
COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement network segmentation: restrict Glances outbound connectivity to only required monitoring endpoints using firewall rules and egress filtering
2. Deploy Web Application Firewall (WAF) rules to block suspicious HTTP requests from Glances processes
3. Remove or null out public_api, public_username, and public_password configuration parameters
4. Implement process-level monitoring to detect unusual outbound connections from Glances processes
5. Use network monitoring to alert on unexpected HTTP/HTTPS traffic from Glances servers
DETECTION RULES:
1. Monitor for Glances processes initiating connections to non-whitelisted external IPs or internal metadata endpoints (169.254.169.254, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
2. Alert on HTTP requests from Glances containing 'Authorization: Basic' headers to unexpected destinations
3. Log and review all Glances configuration file modifications using file integrity monitoring (FIM)
4. Monitor for Glances error logs containing 'urlopen' or 'HTTP' errors indicating failed SSRF attempts
5. Implement YARA/SIGMA rules to detect exploitation attempts targeting Glances IP plugin endpoints
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات Glances عبر البنية التحتية الخاصة بك باستخدام أدوات اكتشاف الأصول وقواعد بيانات إدارة التكوين
2. تقييد الوصول إلى ملفات تكوين Glances (عادة /etc/glances/glances.conf أو ~/.config/glances/glances.conf) للمسؤولين المصرح لهم فقط
3. تعطيل أو إزالة مكون IP إذا لم يكن قيد الاستخدام النشط: قم بتعليق أو إزالة 'ip' من قسم [plugins] في glances.conf
4. مراجعة جميع ملفات تكوين Glances للمعاملات public_api و public_username و public_password وتوثيق الإعدادات الحالية
إرشادات التصحيح:
1. ترقية Glances إلى الإصدار 4.5.4 أو أحدث فورًا عبر جميع الأنظمة
2. لمديري الحزم: apt-get update && apt-get install glances (Debian/Ubuntu)، yum update glances (RHEL/CentOS)، brew upgrade glances (macOS)
3. لتثبيتات pip: pip install --upgrade glances>=4.5.4
4. التحقق من تثبيت التصحيح: يجب أن يعرض glances --version الإصدار 4.5.4 أو أحدث
الضوابط البديلة (إذا تأخر التصحيح الفوري):
1. تنفيذ تقسيم الشبكة: تقييد اتصال Glances الصادر إلى نقاط النهاية المراقبة المطلوبة فقط باستخدام قواعد جدار الحماية والتصفية الصادرة
2. نشر قواعد جدار تطبيقات الويب (WAF) لحظر طلبات HTTP المريبة من عمليات Glances
3. إزالة أو إلغاء معاملات public_api و public_username و public_password
4. تنفيذ المراقبة على مستوى العملية للكشف عن اتصالات صادرة غير عادية من خوادم Glances
5. استخدام مراقبة الشبكة للتنبيه على حركة HTTP/HTTPS غير المتوقعة من خوادم Glances
قواعد الكشف:
1. مراقبة عمليات Glances التي تبدأ اتصالات بعناوين IP خارجية غير مدرجة في القائمة البيضاء أو نقاط نهاية البيانات الوصفية الداخلية (169.254.169.254، 10.0.0.0/8، 172.16.0.0/12، 192.168.0.0/16)
2. التنبيه على طلبات HTTP من Glances تحتوي على رؤوس 'Authorization: Basic' إلى وجهات غير متوقعة
3. تسجيل ومراجعة جميع تعديلات ملفات تكوين Glances باستخدام مراقبة سلامة الملفات (FIM)
4. مراقبة سجلات أخطاء Glances التي تحتوي على أخطاء 'urlopen' أو 'HTTP' تشير إلى محاولات SSRF الفاشلة
5. تنفيذ قواعل YARA/SIGMA للكشف عن محاولات الاستغلال التي تستهدف نقاط نهاية مكون IP في Glances
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies (configuration management and access control)
A.6.1.2 - Internal Organization (segregation of duties for infrastructure access)
A.7.1.1 - Access Control (restriction of access to configuration files)
A.8.1.1 - Cryptography (credential protection and transmission security)
A.8.2.1 - Key Management (protection of authentication credentials)
A.9.1.1 - Physical and Environmental Security (network segmentation)
A.10.1.1 - Communications Security (monitoring and logging of network traffic)
🔵 SAMA CSF
Governance & Risk Management - Configuration and change management controls
Information & Cybersecurity - Access control and credential management
Operational Resilience - Monitoring and detection of unauthorized access attempts
Third-Party Risk Management - Vulnerability management in monitoring tools
Incident Management - Detection and response to SSRF exploitation attempts
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security (configuration security)
A.6.1.1 - Organization of information security (roles and responsibilities)
A.7.1.1 - Access control policy (principle of least privilege)
A.8.1.1 - Cryptographic controls (credential protection)
A.8.2.1 - Secret key management (authentication credential protection)
A.8.3.1 - Cryptographic key establishment and management
A.9.1.1 - Physical access control (network segmentation)
A.10.1.1 - Business continuity management (monitoring infrastructure resilience)
A.12.4.1 - Event logging (detection of SSRF attempts)
A.12.6.1 - Management of technical vulnerabilities (patch management)
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards (network segmentation)
Requirement 2.1 - Default security parameters (configuration hardening)
Requirement 6.2 - Security patches and updates (vulnerability remediation)
Requirement 8.1 - Access control (credential management)
Requirement 10.1 - Audit logging (detection of unauthorized access)
Requirement 10.2.1 - User access logging (monitoring configuration changes)
🔗 المراجع والمصادر 3
🔗
https://github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb
security-advisories@github.com
Patch
🔗
https://github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
🔗
https://github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
📦 المنتجات المتأثرة 1 منتج
nicolargo:glances