
CVE-2026-32634: CWE-346: Origin Validation Error in nicolargo glances

Severity: High
Tags: CVE-2026-32634, CWE-346, CWE-522
Published: Wed Mar 18 2026 (03/18/2026, 17:55:30 UTC)
Source: CVE Database V5
Vendor/Project: nicolargo
Product: glances

Description

Glances is an open-source cross-platform system monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.

AI-Powered Analysis

Last updated: 03/18/2026, 19:12:42 UTC

Technical Analysis

Glances is a widely used open-source cross-platform system monitoring tool that supports a Central Browser mode to discover and monitor dynamic servers via Zeroconf (mDNS) service advertisements. Prior to version 4.5.2, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers. However, when building connection URIs and retrieving stored passwords, it uses the untrusted advertised server name instead of the verified IP address. This origin validation error (CWE-346) combined with improper credential storage and usage (CWE-522) enables an attacker on the same local network to advertise a fake Glances service. Because the client trusts the advertised name, it sends stored reusable authentication secrets, including the global default password, to the attacker-controlled host automatically, without requiring user interaction or prior authentication. This affects both the background polling mechanism and the REST/WebUI click-through access path in Central Browser mode. The vulnerability has a CVSS 3.1 base score of 8.1 (high severity), reflecting high confidentiality and integrity impact, low attack complexity, no privileges required, and no user interaction needed. Although no known exploits are currently reported in the wild, the flaw poses a significant risk in local network environments where attackers can perform Zeroconf spoofing. The issue was addressed in Glances version 4.5.2 by ensuring connection URIs and credential lookups use the discovered IP address rather than the untrusted advertised name, thereby preventing credential leakage to rogue services.
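To make the origin-validation flaw concrete, the following is an added illustrative model (not Glances' own code) of how the Central Browser chooses a host and a credential key for a discovered server, with the pre-4.5.2 behaviour and the fixed behaviour side by side. It assumes the REST API lives under `/api/4` on Glances' default port 61208, and leaves the global `[passwords] default` fallback out of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of a Zeroconf-discovered Glances server, as the advisory
# describes it: both the advertised name and the discovered IP are recorded.
@dataclass(frozen=True)
class DiscoveredServer:
    advertised_name: str  # comes from the mDNS record, so untrusted
    ip: str               # address the advertisement was actually received from
    port: int
    protected: bool       # server reported itself as password-protected

def plan_request(server: DiscoveredServer,
                 saved_passwords: dict,
                 use_discovered_ip: bool) -> Tuple[str, Optional[str]]:
    """Return (uri, password) the browser would use to poll this server.

    use_discovered_ip=False models pre-4.5.2: host and credential key come
    from the advertised name. use_discovered_ip=True models the 4.5.2 fix:
    both come from the discovered IP instead.
    """
    host = server.ip if use_discovered_ip else server.advertised_name
    uri = f"http://{host}:{server.port}/api/4"  # assumed URI shape
    password = saved_passwords.get(host) if server.protected else None
    return uri, password

# Constructed sample: a legitimate server the operator saved a password for,
# and a second advertisement that reuses the same name from a different host
# (the name collision the advisory describes; addresses are RFC 5737 examples).
LEGIT = DiscoveredServer("prod-db", "192.0.2.10", 61208, True)
COLLIDING = DiscoveredServer("prod-db", "192.0.2.77", 61208, True)

def demo(use_discovered_ip: bool) -> Tuple[str, Optional[str]]:
    # The operator saved the password under whichever key the client uses.
    key = LEGIT.ip if use_discovered_ip else LEGIT.advertised_name
    saved = {key: "example-secret"}  # constructed value, not a real credential
    return plan_request(COLLIDING, saved, use_discovered_ip)

if __name__ == "__main__":
    print("pre-4.5.2:", demo(False))  # secret is looked up by name and leaves
    print("fixed:    ", demo(True))   # unknown IP: no saved secret is sent
```

Under the fixed keying the colliding advertisement yields no stored password, because nothing was ever saved for the host it was received from.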

Potential Impact

This vulnerability allows an attacker on the same local network to impersonate legitimate Glances servers by advertising fake Zeroconf services. As a result, the Glances Central Browser client may send stored authentication secrets, including reusable passwords, to the attacker-controlled host. This leads to a complete compromise of confidentiality and integrity of monitored system data and potentially unauthorized control over monitored systems. Since the attack requires local network access, it primarily threatens organizations with flat or poorly segmented internal networks, such as enterprises, data centers, and managed service providers. The vulnerability affects both automated background polling and interactive user sessions, increasing the attack surface. While availability is not directly impacted, the attacker could leverage stolen credentials for further lateral movement or data exfiltration. The lack of required privileges or user interaction makes exploitation relatively easy for local attackers. Organizations relying on Glances for system monitoring without proper network segmentation or updated versions risk exposure of sensitive operational data and credentials to malicious insiders or compromised devices.

Mitigation Recommendations

1. Upgrade all Glances installations to version 4.5.2 or later immediately to apply the official fix that enforces use of verified IP addresses for connection URIs and credential lookups.
2. Restrict Zeroconf/mDNS traffic on local networks using VLAN segmentation, firewall rules, or network access controls to limit exposure to rogue advertisements.
3. Monitor network traffic for unexpected or suspicious Zeroconf service advertisements that do not correspond to authorized Glances servers.
4. Avoid storing reusable global default passwords in Glances configurations; use unique, per-server credentials where possible.
5. Implement network-level authentication and encryption (e.g., VPNs, TLS) for Glances communications to reduce reliance on Zeroconf discovery and mitigate credential interception risks.
6. Educate system administrators about the risks of trusting unverified service advertisements and the importance of applying security patches promptly.
7. Consider disabling Central Browser mode if not required or restricting its use to trusted network segments only.
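Recommendation 3 can be turned into a simple check against an inventory of authorized servers. The audit below is an added example (not part of the advisory or of Glances) that takes observed advertisements, assumed to have been collected as name/address/port records by whatever mDNS browsing tool is in use, and flags a known name arriving from an unlisted address (the collision pattern behind this CVE), unknown names, and one name claimed by several hosts.

```python
from typing import Dict, List, Tuple

# Inventory of authorized Glances servers: advertised name -> expected address.
# Constructed sample data; addresses are RFC 5737 documentation ranges.
AUTHORIZED: Dict[str, str] = {
    "prod-db": "192.0.2.10",
    "prod-web": "192.0.2.11",
}

# Constructed observations in the shape (advertised name, source address, port).
OBSERVED: List[Tuple[str, str, int]] = [
    ("prod-db", "192.0.2.10", 61208),   # legitimate
    ("prod-web", "192.0.2.11", 61208),  # legitimate
    ("prod-db", "192.0.2.77", 61208),   # known name, unlisted host
    ("scratch-vm", "192.0.2.90", 61208),  # name not in inventory
]

def audit_advertisements(observed, authorized) -> List[Tuple[str, str, str]]:
    """Return (finding, name, address) tuples for advertisements worth a look.

    Findings:
      name-collision  a name in the inventory was advertised from another address
      unknown-service a name that is not in the inventory at all
      multi-host      the same name was seen from more than one address
    """
    findings = []
    hosts_per_name: Dict[str, set] = {}
    for name, addr, _port in observed:
        hosts_per_name.setdefault(name, set()).add(addr)
        if name not in authorized:
            findings.append(("unknown-service", name, addr))
        elif authorized[name] != addr:
            findings.append(("name-collision", name, addr))
    for name, addrs in hosts_per_name.items():
        if len(addrs) > 1:
            findings.append(("multi-host", name, ",".join(sorted(addrs))))
    return findings

if __name__ == "__main__":
    for finding in audit_advertisements(OBSERVED, AUTHORIZED):
        print(*finding)
```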


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-12T15:29:36.559Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69baf5d2771bdb1749bce2c2

Added to database: 3/18/2026, 6:58:26 PM

Last enriched: 3/18/2026, 7:12:42 PM

Last updated: 3/18/2026, 8:01:32 PM
