Researchers found a signature verification bypass vulnerability in the Nuclei vulnerability scanner. Exploiting the flaw could allow an adversary to execute malicious code in the target environment.
A Nuclei Vulnerability Allowed Malicious Code Injection
The research team at Wiz found a serious vulnerability in the security tool Nuclei that could allow malicious code injection.
Nuclei is an open-source security tool from ProjectDiscovery, popular among various organizations for vulnerability scanning. It uses YAML-based templates to detect and address vulnerabilities, making it an effective tool for identifying real vulnerabilities. It currently boasts over 2.1 million downloads on its GitHub page.
As explained in their post, the vulnerability was a signature verification bypass, which could let an adversary include malicious code in the target templates.
Nuclei’s signature verification involves four steps: 1) extracting the signature using a regex to find the # digest: line, 2) excluding the signature from the template, 3) hashing the remaining content after signature extraction, and 4) validating the hash against the extracted signature. After these steps, the verified template is parsed as YAML using Go’s gopkg.in/yaml.v2 library.
The vulnerability existed because of the simultaneous use of regex and YAML for parsing the signature, and the resulting conflict between the two. As stated,
“The regex-based signature parser uses the pattern (?m)^#\sdigest:\s.+$ to identify lines starting with # digest:. Meanwhile, the YAML parser treats # digest: as a comment, ignoring it during execution. This creates a mismatch: the signature verification logic operates based on regex rules, while the execution logic relies on YAML parsing.”
This conflict allowed an adversary to hide malicious code within templates that would go unnoticed during verification yet still be parsed by YAML. This could be done by adding malicious content after a \r (carriage return), which the regex would treat as part of the digest line while YAML would treat it as a new line.
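The parser differential described above, as an added example that is not Nuclei's own code or the Wiz write-up's (Go, since Nuclei is written in Go): it applies the quoted digest regex to a constructed template, contrasts it with a simplified model of how YAML splits lines, and shows line-ending normalization as the check a verifier would want before extracting and hashing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The digest regex quoted above from the Wiz write-up. With (?m), ^ and $ match at
// \n boundaries only, and RE2's `.` matches every byte except \n, so a bare \r is
// swallowed into the "# digest:" line instead of ending it.
var reDigest = regexp.MustCompile(`(?m)^#\sdigest:\s.+$`)

// DigestLine returns what the regex-based verifier treats as the signature line.
func DigestLine(tpl string) string { return reDigest.FindString(tpl) }

// HashedBody returns the bytes that would actually be hashed: the template with
// the regex-matched digest line removed (steps 2 and 3 of the verification flow).
func HashedBody(tpl string) string { return reDigest.ReplaceAllString(tpl, "") }

// YAMLLines is a simplified stand-in for the YAML parser's view (assumption: YAML
// treats \r, \n and \r\n all as line breaks). It is not gopkg.in/yaml.v2 itself.
func YAMLLines(tpl string) []string {
	return strings.Split(NormalizeLineEndings(tpl), "\n")
}

// NormalizeLineEndings is the defensive check this example demonstrates: canonicalize
// every line break to \n before both signature extraction and hashing, so the regex
// and the YAML parser can no longer disagree about where a line ends.
func NormalizeLineEndings(tpl string) string {
	tpl = strings.ReplaceAll(tpl, "\r\n", "\n")
	return strings.ReplaceAll(tpl, "\r", "\n")
}

// Constructed sample, not a real Nuclei template: a digest line followed by a bare
// \r and a hidden line that YAML will see but the regex strips before hashing.
const sampleTemplate = "id: demo\n# digest: PLACEHOLDER-SIGNATURE\rhidden: injected\n"

func main() {
	fmt.Printf("regex digest line: %q\n", DigestLine(sampleTemplate))
	fmt.Printf("hashed body:       %q\n", HashedBody(sampleTemplate))
	fmt.Printf("YAML lines:        %q\n", YAMLLines(sampleTemplate))
	fmt.Printf("hashed body after normalization: %q\n", HashedBody(NormalizeLineEndings(sampleTemplate)))
}
```

Without normalization the hidden line is part of the stripped digest line and never enters the hash; after normalization it stays in the hashed body, so any tampering with it would invalidate the signature.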
This vulnerability, CVE-2024-43405, has received a high severity rating with a CVSS score of 7.8.
Following the researchers’ report, the developers patched the vulnerability in Nuclei 3.3.2. Hence, users should ensure they are running this or a later version on their devices to receive the fix. Moreover, where an immediate fix isn’t possible, the researchers advised using Nuclei in isolated or sandboxed environments.
Let us know your thoughts in the comments.