Ethical Hacking News
Researchers at Wiz have discovered a new vulnerability in Nuclei that allows malicious templates to bypass signature verification and potentially execute malicious code on local systems. A fix has been released, and users are advised to update now.
The Nuclei vulnerability allows attackers to bypass signature verification and inject malicious code into templates that then execute on local systems. It is caused by a mismatch between the Go regex-based signature verification and the YAML parser's interpretation of line breaks. Wiz researchers discovered the flaw, CVE-2024-43405, which can be exploited by adding malicious "digest:" payloads after the initial valid digest in a template. Nuclei v3.3.2 has been released with a fix, and patches are available for all affected versions. Users are strongly advised to update to the latest version of Nuclei and to run it in a virtual machine or isolated environment.
A recently disclosed vulnerability in the popular open-source vulnerability scanner Nuclei allows attackers to bypass signature verification and sneak malicious code into templates that execute on local systems.
Nuclei, created by ProjectDiscovery, is a widely used tool for scanning websites for vulnerabilities and other weaknesses. The project's template-based scanning system utilizes over 10,000 YAML templates to identify known vulnerabilities, misconfigurations, exposed configuration files, webshells, and backdoors.
Each template is "signed" with a digest hash that Nuclei uses to verify that the template has not been modified to include malicious code. This digest hash is added to the bottom of templates in the form of #digest: , allowing users to easily identify legitimate templates.
However, researchers at Wiz have discovered a new vulnerability tracked as CVE-2024-43405 that bypasses Nuclei's signature verification even if a template is modified to include malicious code. The flaw is caused by a mismatch between Go regex-based signature verification and the YAML parser's interpretation of line breaks.
When verifying a signature, the Go regex does not treat a bare carriage return (\r) as a line break, so anything after it still counts as part of the same line. The YAML parser, however, does treat \r as a line break. This discrepancy allows an attacker to append content that the verifier never sees as a separate line but that the YAML parser parses and executes.
A second issue arises from how Nuclei handles multiple #digest: signature lines in a template. Verification only checks the first occurrence of #digest: and ignores any later ones. This can be exploited by adding malicious "#digest:" payloads after the initial valid digest that carry a "code" section, which is then injected and executed when the template is used.
Wiz researcher Guy Goldenberg explains that they crafted a template that exploits this disparity between Go's regex implementation and the YAML parser. By using \r as a line break, they can include a second #digest: line in the template that evades signature verification but gets parsed and executed by the YAML interpreter.
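The two parser views described above can be made concrete with a small Go program. This is an added example written for this page, not code from Wiz or ProjectDiscovery: the signing scheme is a toy (SHA-256 of everything before a `# digest:` trailer, no keys), `goLines` and `yamlLines` are stand-ins for how a `\n`-oriented Go scanner and a YAML parser slice a document, and the smuggled line is a harmless constructed marker. `verifyNaive` models the pre-fix behaviour the article describes (first digest line wins, `\r` is not a line break); `verifyHardened` shows the checks a defender wants: refuse a bare `\r`, require exactly one digest line, and allow nothing but blank lines after it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Toy trailer format; Nuclei's real hashing and key handling are not reproduced (assumption).
const digestPrefix = "# digest: "

var (
	ErrCR          = errors.New("carriage return in template: verifier and YAML parser would disagree on lines")
	ErrDigestCount = errors.New("template must carry exactly one digest line")
	ErrTrailing    = errors.New("content found after the digest line")
	ErrMismatch    = errors.New("digest does not match template body")
)

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// sign appends the digest trailer to a template body (toy scheme).
func sign(body string) string {
	return body + "\n" + digestPrefix + sha256Hex(body) + "\n"
}

// goLines splits on \n only: a lone \r is just another byte inside a line,
// which is how the verifier in the article sees the document.
func goLines(doc string) []string { return strings.Split(doc, "\n") }

// yamlLines applies YAML's line-break rule (\r, \n and \r\n all end a line);
// a stand-in for the real YAML parser (assumption).
func yamlLines(doc string) []string {
	norm := strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(doc)
	return strings.Split(norm, "\n")
}

// verifyNaive models the pre-fix behaviour: first "# digest:" line wins, the hash is the
// first whitespace-delimited token after the prefix, and \r never ends a line.
func verifyNaive(doc string) bool {
	lines := goLines(doc)
	for i, l := range lines {
		if strings.HasPrefix(l, digestPrefix) {
			got := strings.Fields(strings.TrimPrefix(l, digestPrefix))
			body := strings.Join(lines[:i], "\n")
			return len(got) > 0 && got[0] == sha256Hex(body)
		}
	}
	return false
}

// verifyHardened rejects documents whose line structure is ambiguous and
// insists on exactly one digest line that is the last non-blank line.
func verifyHardened(doc string) error {
	if strings.Contains(doc, "\r") {
		return ErrCR
	}
	lines := yamlLines(doc) // identical to goLines once \r is excluded
	digestAt := -1
	for i, l := range lines {
		if strings.HasPrefix(l, digestPrefix) {
			if digestAt != -1 {
				return ErrDigestCount
			}
			digestAt = i
		}
	}
	if digestAt == -1 {
		return ErrDigestCount
	}
	for _, l := range lines[digestAt+1:] {
		if strings.TrimSpace(l) != "" {
			return ErrTrailing
		}
	}
	want := strings.TrimSpace(strings.TrimPrefix(lines[digestAt], digestPrefix))
	if want != sha256Hex(strings.Join(lines[:digestAt], "\n")) {
		return ErrMismatch
	}
	return nil
}

func main() {
	body := "id: example\ninfo:\n  name: constructed sample" // constructed template body
	good := sign(body)
	// A benign marker line smuggled behind \r on the digest line.
	smuggled := strings.TrimSuffix(good, "\n") + "\rsmuggled: true\n"
	fmt.Printf("naive sees %d lines, yaml sees %d lines\n", len(goLines(smuggled)), len(yamlLines(smuggled)))
	fmt.Println("naive verify:", verifyNaive(smuggled), " hardened verify:", verifyHardened(smuggled))
}
```

Running it shows the naive verifier accepting the document while the YAML view contains one more line than the verifier ever hashed, and the hardened verifier refusing it before any hashing happens. The same hardened routine also catches the second weakness from the article, a second `# digest:` line appended after the valid one.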
Wiz responsibly disclosed the flaw to ProjectDiscovery on August 14, 2024, and it was fixed in Nuclei v3.3.2 on September 4. The project has released patches for all versions of Nuclei that are affected by this vulnerability. Users are strongly advised to update to the latest version now that the technical details for this bug have been publicly disclosed.
Goldenberg also recommends running Nuclei in a virtual machine or isolated environment to contain potential exploitation by malicious templates. This limits the damage a malicious template can do if one is executed.
The discovery highlights the importance of staying up-to-date with security patches and following best practices for template verification. As vulnerabilities continue to arise, it's crucial that organizations prioritize their cybersecurity and take proactive steps to protect themselves from potential threats.
Related Information:
https://www.bleepingcomputer.com/news/security/nuclei-flaw-lets-malicious-templates-bypass-signature-verification/
https://nvd.nist.gov/vuln/detail/CVE-2024-43405
https://www.cvedetails.com/cve/CVE-2024-43405/
Published: Sat Jan 4 22:03:46 2025 by llama3.2 3B Q4_K_M