Code Execution Flaw Found in Nuclei Vulnerability Scanner

Summary: A vulnerability in the Nuclei vulnerability scanner could allow threat actors to execute arbitrary code through custom code templates due to flaws in the template signature verification process. The issue, tracked as CVE-2024-43405, affects versions 3.0.0 to 3.3.1 and has been resolved in version 3.3.2.

Threat Actor: Unknown
Victim: Nuclei users

Key Points:

  • The vulnerability allows attackers to bypass the scanner’s template signature verification process.
  • It exploits mismatched interpretations of newline characters between the YAML parser and regex-based signature verification.
  • Organizations are advised to upgrade to version 3.3.2 and run the scanner in isolated environments to mitigate risks.

A security defect in the Nuclei vulnerability scanner could have allowed threat actors to execute arbitrary code using custom code templates.

Nuclei is a highly popular vulnerability scanner that relies on simple YAML-based templates and can be used against a broad range of assets; the project has more than 21,000 stars on GitHub and over 2.1 million downloads.

Tracked as CVE-2024-43405 (CVSS score of 7.8) and affecting Nuclei versions between 3.0.0 and 3.3.1, the code execution issue was identified in the template signature verification process.

“The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template,” a NIST advisory reads.

The bug, which allows attackers to bypass the scanner’s template signature verification process, was resolved in Nuclei version 3.3.2, released in September 2024.

In a Friday post detailing the flaw, cybersecurity firm Wiz explains that CVE-2024-43405 is the result of a few weaknesses in the verification process that can be chained together.

Wiz explains that the verification process checks only the first line in a template that starts with ‘# digest:’, yet removes every such line from the content that is hashed. On top of that, the regex-based step that strips those lines (it removes only lines beginning with #) and the YAML parser have different interpretations of line breaks: the YAML parser may consider a line to have ended at a point where the regex does not.

Because of these mismatched newline interpretations, an attacker can craft content that the regex-based signature verification strips out before hashing, so it never disturbs the valid signature, while the YAML parser reads that same content as separate lines. The result is a template whose injected part is parsed and executed by the YAML interpreter even though the signature check passes.
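The following Go program is an added illustration of the three weaknesses just described; it is not code from this article, from Nuclei or from Wiz. It uses a toy HMAC in place of Nuclei’s asymmetric template signing and a simple line splitter as a stand-in for the YAML parser; the ‘# digest:’ marker is the real one, but the regex, the key and the sample template are assumptions of this example. The mismatch it relies on is the one behind the bug: in Go’s multiline regexp mode ‘$’ matches only before a line feed and ‘.’ matches a carriage return, whereas a YAML reader treats a lone carriage return as a line break.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Toy key: Nuclei signs with an asymmetric key pair; HMAC stands in here so the
// example runs without key generation (an assumption of this example).
var signingKey = []byte("example-key-not-a-real-secret")

// The marker used by Nuclei templates; the regex is this example's own model
// of the check. In Go multiline mode `$` matches only before '\n' and `.`
// matches '\r', so a carriage return never ends the match.
const digestPrefix = "# digest: "

var reDigest = regexp.MustCompile(`(?m)^# digest: .+$`)

func mac(data string) string {
	m := hmac.New(sha256.New, signingKey)
	m.Write([]byte(data))
	return hex.EncodeToString(m.Sum(nil))
}

// normalizeNewlines maps CRLF and lone CR to LF so the verifier and the parser
// agree on where lines end.
func normalizeNewlines(s string) string {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	return strings.ReplaceAll(s, "\r", "\n")
}

// Sign appends one digest line covering the normalized template body.
func Sign(body string) string {
	body = strings.TrimSpace(normalizeNewlines(body))
	return body + "\n" + digestPrefix + mac(body)
}

// VerifyVulnerable has the flawed shape: the FIRST regex match supplies the
// signature, ALL matches are stripped before hashing, and '\r' is not a line end.
func VerifyVulnerable(template string) bool {
	first := reDigest.FindString(template)
	if first == "" {
		return false
	}
	sig := strings.TrimSpace(strings.TrimPrefix(first, digestPrefix))
	content := strings.TrimSpace(reDigest.ReplaceAllString(template, ""))
	return hmac.Equal([]byte(sig), []byte(mac(content)))
}

// VerifyHardened normalizes line endings first, accepts exactly one digest
// line, and hashes every other line, so nothing hidden behind '\r' escapes.
func VerifyHardened(template string) bool {
	var sig string
	var body []string
	for _, line := range strings.Split(normalizeNewlines(template), "\n") {
		if strings.HasPrefix(line, digestPrefix) {
			if sig != "" {
				return false // a second digest line is rejected outright
			}
			sig = strings.TrimSpace(strings.TrimPrefix(line, digestPrefix))
			continue
		}
		body = append(body, line)
	}
	if sig == "" {
		return false
	}
	return hmac.Equal([]byte(sig), []byte(mac(strings.TrimSpace(strings.Join(body, "\n")))))
}

// TopLevelKeys is a stand-in for the YAML parser's view of the file: '\r',
// '\n' and "\r\n" all end a line. It lists unindented "key:" names.
func TopLevelKeys(template string) []string {
	var keys []string
	for _, line := range strings.Split(normalizeNewlines(template), "\n") {
		if line == "" || line[0] == '#' || line[0] == ' ' {
			continue
		}
		if i := strings.Index(line, ":"); i > 0 {
			keys = append(keys, line[:i])
		}
	}
	return keys
}

// Constructed sample: a validly signed benign template followed by a second
// digest line whose payload is joined with '\r', so the regex swallows the
// payload as part of that line while a YAML reader sees separate lines.
const benignBody = "id: hello-world\ninfo:\n  name: hello-world\n  severity: info"

func MaliciousTemplate() string {
	payload := "code:\r  - engine: bash\r    source: id"
	return Sign(benignBody) + "\n" + digestPrefix + "AAAA\r" + payload
}

func main() {
	t := MaliciousTemplate()
	fmt.Println("vulnerable verifier accepts:", VerifyVulnerable(t)) // true
	fmt.Println("hardened verifier accepts:  ", VerifyHardened(t))   // false
	fmt.Println("keys the parser sees:", TopLevelKeys(t))           // [id info code]
}
```

Running it shows the vulnerable verifier accepting the crafted template while the parser stand-in reports a third top-level key, ‘code’, that the signature never covered. The hardened verifier normalizes line endings before splitting, so it sees the same lines the parser will, and it refuses any template carrying more than one digest line; with either measure the hidden lines end up inside the hashed content and the check fails.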


“By chaining these weaknesses, an attacker can inject unverified, executable content into Nuclei templates—exploiting the identified weaknesses to create a practical vulnerability,” Wiz notes.

The flaw, the cybersecurity firm says, could lead to code execution when an organization runs an untrusted or community-contributed template without properly validating or isolating it.

Furthermore, attackers could exploit the bug against automated scanning platforms that allow users to modify or upload Nuclei templates, by supplying a malicious template to execute arbitrary code, exfiltrate data, or compromise the system.

Organizations are advised to upgrade to Nuclei version 3.3.2 or newer, as well as to always run the vulnerability scanner in a sandboxed or isolated environment, to mitigate the risk of executing untrusted templates.

Related: Exploit Code Published for Potentially Dangerous Windows LDAP Vulnerability

Related: Four-Faith Industrial Router Vulnerability Exploited in Attacks

Related: Wormable, Zero-Click Vulnerability in Microsoft Teams

Related: Sophos Patches Critical Firewall Vulnerabilities

Source:
https://www.securityweek.com/code-execution-flaw-found-in-nuclei-vulnerability-scanner/