Nuclei flaw bypasses template signature checks to execute commands

A now-fixed vulnerability in the open-source vulnerability scanner Nuclei could potentially allow attackers to bypass signature verification while sneaking malicious code into templates that execute on local systems.

Nuclei is a popular open-source vulnerability scanner created by ProjectDiscovery that scans websites for vulnerabilities and other weaknesses.

The project uses a template-based scanning system of over 10,000 YAML templates that scan websites for known vulnerabilities, misconfigurations, exposed configuration files, webshells, and backdoors.

The YAML templates also include a code protocol that can be used to execute commands or scripts locally on a device, which extends the functionality of a template.

Each template is “signed” with a digest hash that Nuclei uses to verify that the template has not been modified to include malicious code.

This digest hash is added to the bottom of templates in the form of:

# digest: <hash>

Flaw bypasses Nuclei signature verification

A new Nuclei vulnerability tracked as CVE-2024-43405 was discovered by researchers at Wiz that bypasses Nuclei’s signature verification even when a template is modified to include malicious code.

The flaw is caused by the Go regex-based signature verification and the way the YAML parser handles line breaks when a template is parsed after the signature is verified.

When verifying a signature, Go’s verification logic treats \r as part of the same line. However, the YAML parser interprets it as a line break. This mismatch allows attackers to inject malicious content that bypasses verification but is still executed when processed by the YAML parser.

Another issue is how Nuclei handles multiple # digest: signature lines, as the process only checks the first occurrence of # digest: in a template, ignoring any additional ones found later in the template.

This can be exploited by adding additional malicious “# digest:” payloads after the initial valid digest that contain a malicious “code” section, which is then injected and executed when the template is used.

“Armed with the insights about mismatched newline interpretations, we crafted a template that exploits the disparity between Go’s regex implementation and the YAML parser,” explains Wiz researcher Guy Goldenberg.

“By using \r as a line break, we can include a second # digest: line in the template that evades the signature verification process but gets parsed and executed by the YAML interpreter.”
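As an added defensive example (not code from the article, Wiz or ProjectDiscovery), the Go program below reproduces the two line models the article describes, a '\n'-only regex view and a YAML line-break view, and audits a constructed template for the mismatch; the regex is only shaped like the described check and is an assumption, not Nuclei's actual code.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample templates (assumption: minimal stand-ins, not real Nuclei templates).
const cleanTemplate = "id: demo\ninfo:\n  name: demo\n# digest: aaaa\n"
// Same template, but a second "# digest:" marker and a "code:" key sit behind bare '\r'.
const crTemplate = "id: demo\ninfo:\n  name: demo\n# digest: aaaa\r# digest: bbbb\rcode: injected\n"

// With (?m), Go anchors ^ and $ only around '\n', so a '\r' stays inside one line.
// Assumption: this is the shape of the check the article describes, not Nuclei's exact regex.
var digestRe = regexp.MustCompile(`(?m)^# digest: (.+)$`)
// yamlBreakRe splits on the line breaks a YAML parser honours: \r\n, \r or \n.
var yamlBreakRe = regexp.MustCompile("\r\n|\r|\n")

// DigestValuesGoView returns the digest values as the '\n'-only regex sees them.
func DigestValuesGoView(raw string) []string {
	var out []string
	for _, m := range digestRe.FindAllStringSubmatch(raw, -1) {
		out = append(out, m[1])
	}
	return out
}

// DigestLinesYAMLView counts "# digest:" lines under the YAML line-break model.
func DigestLinesYAMLView(raw string) int {
	n := 0
	for _, line := range yamlBreakRe.Split(raw, -1) {
		if strings.HasPrefix(line, "# digest:") {
			n++
		}
	}
	return n
}

// AuditTemplate returns findings that should block a template before it is trusted.
func AuditTemplate(raw string) []string {
	var findings []string
	if strings.Contains(raw, "\r") {
		findings = append(findings, "bare carriage return: Go regex and YAML parser disagree on line boundaries")
	}
	if goN, yamlN := len(DigestValuesGoView(raw)), DigestLinesYAMLView(raw); yamlN > 1 || goN != yamlN {
		findings = append(findings, fmt.Sprintf("digest markers: %d under YAML rules, %d under Go regex rules", yamlN, goN))
	}
	return findings
}

func main() {
	fmt.Printf("clean: %v\nwith CR: %v\n", AuditTemplate(cleanTemplate), AuditTemplate(crTemplate))
}
```

For the carriage-return template the regex view reports a single digest whose captured value swallows the hidden second marker and the code key, while the YAML view sees two digest lines; either finding is enough to reject the file.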

Example of how the different parsers parse a Nuclei template
Source: Wiz

Wiz responsibly disclosed the flaw to ProjectDiscovery on August 14, 2024, and it was fixed in Nuclei v3.3.2 on September 4.

If you are using older versions of Nuclei, it is strongly advised that you update to the latest version now that the technical details of this bug have been publicly disclosed.

Goldenberg also recommends that Nuclei be used in a virtual machine or isolated environment to prevent potential exploitation from malicious templates.
