Researchers found a signature verification bypass vulnerability in the Nuclei vulnerability scanner. Exploiting the flaw could allow an adversary to execute malicious code on the target system.
A Nuclei Vulnerability Allowed Malicious Code Injection
The research team at Wiz found a severe vulnerability in the security tool Nuclei that could allow malicious code injection.
Nuclei is an open-source security tool from ProjectDiscovery, popular among numerous organizations for vulnerability scanning. It uses YAML-based templates to detect and address vulnerabilities, making it an effective tool for identifying real vulnerabilities. It currently boasts over 2.1 million downloads on its GitHub page.
As explained in their post, the vulnerability was a signature verification bypass, which could let an adversary include malicious code in the target templates.
Nuclei's signature verification involves four steps: 1) extracting the signature using a regex to find the "# digest:" line, 2) excluding the signature from the template, 3) hashing the remaining content after signature extraction, and 4) validating the hash against the extracted signature. After these steps, the verified template is parsed as YAML using Go's gopkg.in/yaml.v2 library.
The vulnerability existed because of the simultaneous use of regex and YAML for signature parsing and the resulting conflict between the two. As stated,
“The regex-based signature parser uses the pattern (?m)^#\sdigest:\s.+$ to identify lines beginning with # digest:. Meanwhile, the YAML parser treats # digest: as a comment, ignoring it during execution. This creates a mismatch: the signature verification logic operates based on regex rules, while the execution logic relies on YAML parsing.”
This conflict allowed an adversary to hide malicious code inside templates that goes unnoticed during verification yet gets parsed by YAML. This could be done by adding malicious content after a \r (carriage return), which the regex does not treat as a line break but which YAML does.
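To make the mismatch concrete, here is an added Python example (not Nuclei's code and not from the Wiz post): it reproduces the regex view of the digest line using the pattern quoted above, shows which lines a YAML-style line split would still see, and sketches a hardened extraction that normalises line breaks before matching. The template strings are constructed for illustration, and the hardened function is this example's own suggestion, not the 3.3.2 fix.

```python
import re

# The pattern quoted above. In both Go's RE2 and Python's re, "." matches
# "\r" but not "\n", and "$" (with the m flag) only stops before "\n".
DIGEST_RE = re.compile(r"(?m)^#\sdigest:\s.+$")

# Constructed sample templates (not real Nuclei templates).
BENIGN = "id: demo\n# digest: abc123\ninfo:\n  name: demo\n"
CRAFTED = "id: demo\n# digest: abc123\rextra: unverified\ninfo:\n  name: demo\n"


def regex_view(template: str) -> tuple[str, str]:
    """Steps 1 and 2 of the verifier as described: the regex picks the
    digest line, and the remainder is what gets hashed and checked."""
    m = DIGEST_RE.search(template)
    if m is None:
        raise ValueError("no digest line found")
    return m.group(0), template[: m.start()] + template[m.end():]


def hidden_lines(template: str) -> list[str]:
    """Lines the YAML side will see that were never part of the hashed
    content. str.splitlines() breaks on "\r" as YAML does, so anything
    after a "\r" inside the regex-matched digest line surfaces here."""
    digest_line, _ = regex_view(template)
    return digest_line.splitlines()[1:]


def hardened_extract(template: str) -> tuple[str, str]:
    """Hardened variant (this example's assumption, not the upstream fix):
    normalise CRLF, reject any remaining lone "\r", and match the digest
    against one "\n"-delimited line at a time so both parsers agree."""
    text = template.replace("\r\n", "\n")
    if "\r" in text:
        raise ValueError("lone carriage return: regex/YAML line-break mismatch")
    lines = text.split("\n")
    digests = [ln for ln in lines if DIGEST_RE.fullmatch(ln)]
    if len(digests) != 1:
        raise ValueError("expected exactly one digest line")
    remaining = [ln for ln in lines if ln != digests[0]]
    return digests[0], "\n".join(remaining)


def is_rejected(template: str) -> bool:
    """True when the hardened extraction refuses the template."""
    try:
        hardened_extract(template)
    except ValueError:
        return True
    return False
```

Running hidden_lines on CRAFTED returns the one line the verifier never hashed but YAML would parse, while hardened_extract rejects the same input outright.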
This vulnerability, CVE-2024-43405, has received a high severity rating with a CVSS score of 7.8.
Following the researchers' report, the developers patched the vulnerability in Nuclei 3.3.2. Hence, users should ensure they are running this or a later version on their devices to receive the fix. Moreover, where an immediate fix isn't possible, the researchers advised using Nuclei in isolated or sandboxed environments.
Let us know your thoughts in the comments.