A high-severity security flaw has been disclosed in ProjectDiscovery’s Nuclei, a widely-used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code.
Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It affects all versions of Nuclei later than 3.0.0 and prior to the fixed release, 3.3.2.
“The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed,” according to a description of the vulnerability.
“This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.”
Nuclei is a vulnerability scanner designed to probe modern applications, infrastructure, cloud platforms, and networks to identify security flaws. The scanning engine is driven by templates, which are simply YAML files, that describe the specific requests to send in order to determine whether a flaw is present.
In addition, templates can execute external code on the host operating system through the code protocol, giving researchers more flexibility over their security testing workflows. It is this capability that turns a template-verification bypass into a code-execution problem.
Cloud security company Wiz, which discovered CVE-2024-43405, said the vulnerability is rooted in the template signature verification process, which is used to ensure the integrity of the templates made available in the official templates repository.
Successful exploitation of the vulnerability amounts to a bypass of this crucial verification step, allowing attackers to craft malicious templates that pass the check yet can execute arbitrary code and access sensitive data on the host.
“Since this signature verification is currently the only method available for validating Nuclei templates, it represents a potential single point of failure,” Wiz researcher Guy Goldenberg said in a Friday analysis.
At its core, the problem stems from the use of regular expressions (regex) for signature validation, and from the parsing conflict that arises when the same bytes are interpreted by both the regex and the YAML parser. This opens the door to a scenario in which an attacker introduces a carriage return (“\r”) character: the regex-based signature verification does not treat it as a line ending, while the YAML parser interprets it as a line break.
Put differently, these parsing inconsistencies can be chained to create a Nuclei template that uses “\r” to include a second “# digest:” line that evades the signature verification process but gets parsed and executed by the YAML interpreter.
“Go’s regex-based signature verification treats \r as part of the same line, while the YAML parser interprets it as a line break. This mismatch allows attackers to inject content that bypasses verification but is executed by the YAML parser,” Goldenberg explained.
“The verification logic validates only the first # digest: line. Additional # digest: lines are ignored during verification but remain in the content to be parsed and executed by YAML.”
Furthermore, the verification process includes a step that excludes the signature line from the template content before the signature is checked, but it does so in a manner in which only the first “# digest:” line is actually validated, leaving any subsequent lines unverified but still executable by the YAML parser.
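The Go program below is an added illustration of the mismatch described above; it is not code from the Wiz write-up or from the Nuclei project. It models three things: a line-oriented Go regex in which “.” does not match “\n” but does match “\r”, so a carriage return is consumed as part of the same line; a verifier that takes its signature from the first “# digest:” line and strips every such line from the content before recomputing the digest; and a YAML-style line splitter that treats “\r” as a line break. The signing key, the use of HMAC-SHA256 as a stand-in for Nuclei’s ECDSA template signatures, the exact regex, the template bodies, and the hardened verifier are all assumptions made for this example rather than the project’s own code or its actual fix.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for the template signing key. Nuclei signs templates
// with an ECDSA key pair; HMAC-SHA256 is used here only so the example runs
// offline with the standard library.
var signingKey = []byte("example-signing-key")

// reDigest is a simplified, line-oriented digest matcher (an assumption, not
// Nuclei's exact pattern). Without the (?s) flag, '.' in Go's RE2 syntax
// matches any character except '\n', so a '\r' is consumed as part of the line.
var reDigest = regexp.MustCompile(`(?m)^# digest: .+$`)

// mac computes the stand-in signature over the template content.
func mac(content string) string {
	h := hmac.New(sha256.New, signingKey)
	h.Write([]byte(content))
	return hex.EncodeToString(h.Sum(nil))
}

// signTemplate appends a digest line computed over the template body.
func signTemplate(body string) string {
	body = strings.Trim(body, "\n")
	return body + "\n# digest: " + mac(body)
}

// verifyFirstDigest models the flawed check: the first digest line supplies the
// signature, and every digest line (as the regex sees lines) is stripped from
// the content before the signature is recomputed over what remains.
func verifyFirstDigest(template string) bool {
	first := reDigest.FindString(template)
	if first == "" {
		return false
	}
	claimed := strings.TrimPrefix(first, "# digest: ")
	content := strings.Trim(reDigest.ReplaceAllString(template, ""), "\n")
	return hmac.Equal([]byte(claimed), []byte(mac(content)))
}

// verifyVulnerable applies the check to the raw template bytes.
func verifyVulnerable(template string) bool { return verifyFirstDigest(template) }

// yamlLines models the YAML parser's view of the same bytes: YAML treats '\r',
// '\n' and "\r\n" all as line breaks, so one regex "line" can be several YAML lines.
func yamlLines(template string) []string {
	normalised := strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(template)
	return strings.Split(normalised, "\n")
}

// verifyHardened is added hardening for this example (not the project's fix):
// normalise line breaks the way the YAML parser does before matching, and
// reject any template carrying more than one digest line, since only one is
// ever validated.
func verifyHardened(template string) bool {
	normalised := strings.Join(yamlLines(template), "\n")
	if len(reDigest.FindAllString(normalised, -1)) != 1 {
		return false
	}
	return verifyFirstDigest(normalised)
}

// Constructed benign template body that the legitimate signature covers.
const benignBody = "id: benign-check\ninfo:\n  name: Benign template\n  severity: info"

// injected is the attacker's addition: a second '# digest:' comment followed by
// '\r'-separated YAML. To the regex this is ONE line running to end of input, so
// the vulnerable verifier strips it before hashing; YAML sees four lines, three
// of them a code block.
const injected = "# digest: 00\rcode:\r  - engine: sh\r    source: id"

// craftedTemplate returns the signed benign template with the injected run appended.
func craftedTemplate() string { return signTemplate(benignBody) + "\n" + injected }

func main() {
	signed := signTemplate(benignBody)
	crafted := craftedTemplate()
	fmt.Println("signed template, vulnerable verifier:   ", verifyVulnerable(signed))
	fmt.Println("crafted template, vulnerable verifier:  ", verifyVulnerable(crafted))
	fmt.Println("crafted template, digest lines per regex:", len(reDigest.FindAllString(crafted, -1)))
	fmt.Println("crafted template, lines per YAML:        ", len(yamlLines(crafted)))
	fmt.Println("crafted template, hardened verifier:    ", verifyHardened(crafted))
}
```

Running it shows the crafted template passing the vulnerable verifier with the signature computed over the benign body alone, while the YAML view of the same bytes contains the injected code block; the hardened variant rejects it because, once line breaks are normalised, the digest regex sees two signature lines and the injected YAML is no longer hidden inside one of them.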
Following responsible disclosure, the issue was addressed by ProjectDiscovery on September 4, 2024, with version 3.3.2. The current version of Nuclei is 3.3.7; anyone running a release between 3.0.0 and 3.3.1 should upgrade.
“Attackers could craft malicious templates containing manipulated # digest lines or carefully placed \r line breaks to bypass Nuclei’s signature verification,” Goldenberg said.
“An attack vector for this vulnerability arises when organizations run untrusted or community-contributed templates without proper validation or isolation. An attacker could exploit this functionality to inject malicious templates, leading to arbitrary command execution, data exfiltration, or system compromise.”