Researchers found a signature verification bypass vulnerability in the Nuclei vulnerability scanner. Exploiting the flaw could allow an adversary to execute malicious code in the target environment.
A Nuclei Vulnerability Allowed Malicious Code Injection
The research team at Wiz discovered a critical vulnerability in the security tool Nuclei that could allow malicious code injection.
Nuclei is an open-source security tool from ProjectDiscovery, popular among various organizations for vulnerability scanning. It uses YAML-based templates to detect and manage vulnerabilities, making it an effective tool for identifying real vulnerabilities. It currently boasts over 2.1 million downloads on its GitHub page.
As explained in their post, the vulnerability was a signature verification bypass, which could let an adversary include malicious code in the target templates.
Nuclei's signature verification involves four steps: 1) extracting the signature using a regex to find the "# digest:" line, 2) excluding the signature line from the template, 3) hashing the remaining content after signature extraction, and 4) validating the hash against the extracted signature. After these steps, the verified template is parsed as YAML using Go's gopkg.in/yaml.v2 library.
The vulnerability existed because of the simultaneous use of regex and YAML for template parsing, and the conflict that results. As stated,
"The regex-based signature parser uses the pattern (?m)^#\sdigest:\s.+$ to identify lines beginning with # digest:. Meanwhile, the YAML parser treats # digest: as a comment, ignoring it during execution. This creates a mismatch: the signature verification logic operates based on regex rules, while the execution logic relies on YAML parsing."
This conflict allowed an adversary to hide malicious code inside templates that would go unnoticed during verification and still be parsed by YAML. This could be achieved by adding malicious content after a \r (carriage return), which the regex does not treat as a line break but the YAML parser does.
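To make the mismatch concrete from the defender's side, here is an added example (written for this page, not Nuclei's or Wiz's code) that implements the four verification steps twice: once with line boundaries decided only by the regex, and once after normalizing every line break a YAML reader honours to a plain newline, so that the verifier and the parser see the same lines. It assumes a constructed HMAC-SHA256 "signature" in place of Nuclei's real scheme, and assumes the signature is the first whitespace-delimited token after "# digest:"; neither detail is taken from Nuclei's source. The has_non_lf_line_break check is the kind of cheap pre-flight test a template repository or CI job could run.

```python
import hashlib
import hmac
import re

# Constructed stand-in for Nuclei's signature scheme: HMAC-SHA256 under a fixed key
# instead of the real ECDSA signature. Only the line handling matters here.
SIGNING_KEY = b"constructed-demo-key"

# Python form of the pattern quoted in the article: (?m)^#\sdigest:\s.+$
DIGEST_RE = re.compile(r"(?m)^#\sdigest:\s.+$")

# Line breaks a YAML reader honours (CRLF, CR, LF, NEL, LS, PS). With (?m), ^ and $
# in both Python and Go only honour \n, and '.' matches everything except \n.
YAML_LINE_BREAK_RE = re.compile("\r\n|\r|\n|\x85|\u2028|\u2029")


def _mac(content: str) -> str:
    return hmac.new(SIGNING_KEY, content.encode("utf-8"), hashlib.sha256).hexdigest()


def normalize_line_breaks(text: str) -> str:
    """Map every line break a YAML reader would accept to a plain \\n."""
    return YAML_LINE_BREAK_RE.sub("\n", text)


def sign_template(body: str) -> str:
    """Append a '# digest:' trailer computed over the normalized body (constructed scheme)."""
    canonical = normalize_line_breaks(body).rstrip("\n")
    return canonical + "\n# digest: " + _mac(canonical) + "\n"


def _split_signature(template: str):
    """Steps 1-3 from the article: regex-locate the digest line, take the signature
    token after the colon (assumption: first whitespace-delimited token), and keep
    everything else as the content to hash. Returns (signature, remaining)."""
    m = DIGEST_RE.search(template)
    if m is None:
        return None, None
    tokens = m.group(0).split(":", 1)[1].split()
    if not tokens:
        return None, None
    remaining = (template[:m.start()] + template[m.end():]).rstrip("\n")
    return tokens[0], remaining


def verify_regex_only(template: str) -> bool:
    """Step 4 on raw text: the verifier's idea of a 'line' comes from the regex alone."""
    sig, remaining = _split_signature(template)
    if sig is None:
        return False
    return hmac.compare_digest(sig.encode(), _mac(remaining).encode())


def verify_hardened(template: str):
    """Normalize first, then verify, and return the normalized content (the only text
    that should ever be handed to the YAML parser), or None if verification fails."""
    canonical = normalize_line_breaks(template)
    sig, remaining = _split_signature(canonical)
    if sig is None or not hmac.compare_digest(sig.encode(), _mac(remaining).encode()):
        return None
    return remaining


def has_non_lf_line_break(template: str) -> bool:
    """Detection check: flag templates carrying a line break the regex would not see."""
    return re.search("\r|\x85|\u2028|\u2029", template) is not None


if __name__ == "__main__":
    # Constructed sample template and a constructed trailer with a bare \r after the digest.
    signed = sign_template("id: demo-template\ninfo:\n  name: Demo\n")
    tampered = signed.rstrip("\n") + "\rnote: not covered by the hash\n"
    print("regex-only accepts tampered:", verify_regex_only(tampered))   # True
    print("hardened accepts tampered:", verify_hardened(tampered) is not None)  # False
    print("pre-flight flags tampered:", has_non_lf_line_break(tampered))  # True
```

The hardened variant only works if the caller parses the string verify_hardened returns rather than re-reading the original bytes; normalizing inside the verifier and then parsing the raw file would reopen exactly the same gap.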
This vulnerability, CVE-2024-43405, has received a high severity rating with a CVSS score of 7.8.
Following the researchers' report, the developers patched the vulnerability in Nuclei 3.3.2. Hence, users should ensure they are running this or a later version on their devices to receive the fix. Moreover, where an immediate fix isn't possible, the researchers advised using Nuclei in isolated or sandboxed environments.
Let us know your thoughts in the comments.