Quill SSRF Vulnerability CVE-2024-XXXX (High)

Listen to this Post

How the CVE Works:

The vulnerability resides in Quill versions prior to v0.7.1, specifically in the function that fetches Apple notarization submission logs. When Quill communicates with Apple’s notarization service over HTTPS, it trusts the API response containing a URL for log retrieval. Under normal conditions with proper TLS certificate validation, this response cannot be tampered with. However, in environments where TLS inspection proxies are deployed, or where an attacker has compromised a Certificate Authority, the attacker can modify the API response. The flaw exists because Quill fails to validate two critical aspects of the URL provided in the response: it does not enforce the use of the HTTPS scheme, and it does not block URLs pointing to localhost, multicast addresses, or internal RFC 1918 IP ranges. By manipulating the response to point to an attacker-controlled server or an internal service (e.g., http://169.254.169.254/latest/meta-data/), the attacker can trick the Quill client into making arbitrary HTTP requests. This Server-Side Request Forgery (SSRF) can lead to the exfiltration of cloud provider credentials or the exposure of sensitive data from internal network services.

dailycve form:

Platform: Quill
Version: <0.7.1
Vulnerability :SSRF
Severity: High
date: 2024-09-30

Prediction: Patched in v0.7.1

What Undercode Say:

Analysis:

The core issue is a missing validation step in the log retrieval process. The code trusts external input (the URL from Apple) without sanitization. The attack surface is limited to environments where TLS can be intercepted, but the impact is critical for organizations using such proxies.

Exploit:

Scenario: Attacker controls a TLS-intercepting proxy on a corporate network.
1. Victim runs: quill notarize submission.log
2. Quill contacts Apple API: https://api.apple.com/notarization/...
3. Attacker intercepts the HTTPS response and modifies the JSON:
Original: {"log-url": "https://apple.com/logs/123"}
Modified: {"log-url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"}
4. Quill fetches the malicious URL and dumps AWS credentials to the console/logs.

Protection from this CVE:

  1. Immediate Patching: Upgrade to Quill v0.7.1 or later.
  2. Input Validation: Implement strict validation on all URLs fetched from external APIs. Allow only HTTPS and maintain a blocklist of private IP ranges (e.g., 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254/32).
  3. Network Segmentation: Restrict outbound traffic from build machines to only essential services.

Impact:

Exploitation allows attackers to steal cloud instance metadata credentials, scan internal networks, and access internal web services. This can lead to full cloud account compromise if IAM credentials are exposed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top