Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution

Faheem

04 January 2025 | Ravi Lakshmanan | Vulnerability / Software Security

A high-severity security flaw has been disclosed in ProjectDiscovery's Nuclei, a widely used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code.

Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It impacts all versions of Nuclei after 3.0.0.

According to a description of the vulnerability, "the vulnerability is caused by an inconsistency between the signature validation process and the way YAML parsers handle newline characters, when multiple signatures are processed together."

"This allows an attacker to inject malicious content into the template while maintaining a valid signature for the benign part of the template."


Nuclei is a vulnerability scanner designed to probe modern applications, infrastructure, cloud platforms, and networks to identify security flaws. The scanning engine uses templates, which are nothing but YAML files, to send specific requests that determine whether a flaw is present.

It also enables the execution of external code on the host operating system through the code protocol, giving researchers more flexibility in their security testing workflows.

Cloud security firm Wiz, which discovered CVE-2024-43405, said the vulnerability is rooted in the template signature verification process used to ensure the integrity of templates available in the official template repository.

Successful exploitation of the vulnerability bypasses this critical verification step, allowing attackers to craft malicious templates that can execute arbitrary code and gain access to sensitive data on the host.

"Since this signature verification is currently the only method available for validating Nuclei templates, it represents a potential single point of failure," Wiz researcher Guy Goldenberg said in an analysis published Friday.

At its core, the problem stems from the use of regular expressions (aka regex) for signature validation and the parsing conflict that results from using both the regex and the YAML parser on the same content. This opens the door to a scenario where an attacker injects a "\r" character in such a way that it is ignored by the regex-based signature verification but is treated as a line break by the YAML parser.

In other words, these parsing conflicts can be chained together to create a Nuclei template that uses "\r" to add a second "# digest:" line that escapes the signature verification process but is still parsed and executed by the YAML interpreter.

"Go's regex-based signature validation treats \r as part of the same line, while the YAML parser interprets it as a line break. This mismatch allows attackers to inject content that bypasses validation but is executed by the YAML parser," Goldenberg explained.

"The validation logic only validates the first # digest: line. Additional # digest: lines are ignored during validation but remain in the content for parsing and execution by YAML."

Moreover, the verification process includes a step that excludes the signature line from the template content, but it does so in a way that only the first line is verified, leaving subsequent lines unverified yet still valid YAML.
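The mismatch described above can be reproduced without any Nuclei code: in Go's RE2 engine the `(?m)` anchors `^` and `$` only recognise `\n` as a line boundary and `.` matches `\r`, whereas YAML 1.2 counts `\r`, `\n` and `\r\n` as line breaks. The program below is an added example, not code from the article, Wiz, or ProjectDiscovery. It uses a stand-in digest scheme (a SHA-256 over the template with the digest line removed; Nuclei's real signature format is not modelled), a simplified `yamlLines` model of YAML line splitting rather than a real parser, and constructed sample templates. It contrasts a `legacyVerify` check that only looks at the first regex match with a `hardenedVerify` check that rejects stray carriage returns and requires exactly one well-formed digest line as YAML would see it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// reDigest is a stand-in for a regex-based digest-line matcher. With (?m),
// ^ and $ anchor only at '\n', and '.' matches '\r', so anything after a
// '\r' up to the next '\n' is swallowed as part of the same line.
var reDigest = regexp.MustCompile(`(?m)^# digest: (.+)$`)

// reStrictDigest accepts only a lone, lower-case hex SHA-256 on the line.
var reStrictDigest = regexp.MustCompile(`^# digest: ([0-9a-f]{64})$`)

// digestOf is the stand-in "signature": SHA-256 over the template body
// (which must end with '\n') without its digest line.
func digestOf(body string) string {
	sum := sha256.Sum256([]byte(body))
	return hex.EncodeToString(sum[:])
}

// sign appends a digest line to a body that ends with '\n'.
func sign(body string) string {
	return body + "# digest: " + digestOf(body) + "\n"
}

// sampleTemplates returns a constructed benign template signed with the
// stand-in scheme, and the same bytes with "\rinjected: true" placed inside
// the digest line, the shape the article describes. Both are constructed.
func sampleTemplates() (clean, crafted string) {
	body := "id: constructed-sample\ninfo:\n  name: constructed sample\n"
	clean = sign(body)
	crafted = strings.TrimSuffix(clean, "\n") + "\rinjected: true\n"
	return clean, crafted
}

// regexDigestLines is what the regex sees as digest lines.
func regexDigestLines(template string) []string {
	return reDigest.FindAllString(template, -1)
}

// yamlLines is a simplified model of YAML 1.2 line-break handling ("\r\n",
// "\r" and "\n" all end a line). It is not a YAML parser.
func yamlLines(template string) []string {
	s := strings.ReplaceAll(template, "\r\n", "\n")
	s = strings.ReplaceAll(s, "\r", "\n")
	return strings.Split(strings.TrimSuffix(s, "\n"), "\n")
}

// legacyVerify models the weak check: take the first regex match, strip the
// whole match from the content, and compare the digest with what remains.
// The regex already treated everything up to '\n' as one line, so the
// claimed digest is read up to the first '\r'.
func legacyVerify(template string) bool {
	m := reDigest.FindStringSubmatchIndex(template)
	if m == nil {
		return false
	}
	claimed := template[m[2]:m[3]]
	if i := strings.IndexByte(claimed, '\r'); i >= 0 {
		claimed = claimed[:i]
	}
	stripped := template[:m[0]] + strings.TrimPrefix(template[m[1]:], "\n")
	return claimed == digestOf(stripped)
}

// hardenedVerify rejects any line terminator other than '\n', splits lines
// the same way the YAML side will, requires exactly one digest line, and
// insists that line carry nothing but the digest before verifying.
func hardenedVerify(template string) error {
	if strings.ContainsAny(template, "\r\u0085\u2028\u2029") {
		return fmt.Errorf("template contains a line terminator other than '\\n'")
	}
	lines := strings.Split(strings.TrimSuffix(template, "\n"), "\n")
	idx := -1
	for i, l := range lines {
		if strings.HasPrefix(l, "# digest:") {
			if idx >= 0 {
				return fmt.Errorf("more than one '# digest:' line (lines %d and %d)", idx+1, i+1)
			}
			idx = i
		}
	}
	if idx < 0 {
		return fmt.Errorf("no '# digest:' line")
	}
	m := reStrictDigest.FindStringSubmatch(lines[idx])
	if m == nil {
		return fmt.Errorf("malformed digest line %d", idx+1)
	}
	rest := strings.Join(append(lines[:idx:idx], lines[idx+1:]...), "\n") + "\n"
	if m[1] != digestOf(rest) {
		return fmt.Errorf("digest mismatch")
	}
	return nil
}

func main() {
	clean, crafted := sampleTemplates()
	fmt.Printf("regex sees %d digest line(s) in crafted template\n", len(regexDigestLines(crafted)))
	fmt.Printf("YAML-style split sees: %q\n", yamlLines(crafted))
	fmt.Println("legacy  clean:", legacyVerify(clean), " crafted:", legacyVerify(crafted))
	fmt.Println("hardened clean:", hardenedVerify(clean), " crafted:", hardenedVerify(crafted))
}
```

The legacy check passes both templates because the `\r`-separated content sits inside the one regex match it strips before hashing, while a YAML-style split turns that same content into its own line. The hardened check refuses the template before any digest comparison, which is the cheap invariant to enforce: the line set the verifier signs over must be exactly the line set the YAML parser will execute.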


Following responsible disclosure, the issue was addressed by ProjectDiscovery on September 4, 2024 with version 3.3.2. The current version of Nuclei is 3.3.7.

"Attackers can craft malicious templates containing manipulated # digest lines or carefully placed \r line breaks to bypass Nuclei's signature verification," Goldenberg said.

"An attack vector for this vulnerability arises when organizations run untrusted or community-created templates without proper validation or isolation. An attacker could exploit this functionality to inject malicious templates, resulting in arbitrary command execution, data exfiltration, or system compromise."
