A significant security vulnerability (CVE-2024-43405) was recently discovered in Nuclei, a popular open-source vulnerability scanner developed by ProjectDiscovery. The flaw, which has since been patched, could have allowed attackers to bypass signature verification and inject malicious code into scanning templates.
The Vulnerability Explained
The security issue stemmed from a mismatch between Go’s regex-based signature verification and the YAML parser’s handling of line breaks. While Go’s verification logic treated \r as part of the same line, the YAML parser interpreted it as a line break. Additionally, Nuclei only verified the first occurrence of a digest signature, ignoring any subsequent digest entries in the template.
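The following added example (not Nuclei’s or ProjectDiscovery’s code) uses a toy HMAC-based template signature to illustrate the two weaknesses described above: a regex whose notion of “line” ends only at \n, and a verifier that looks at just the first digest line. The “# digest:” line format and the signing key are assumptions; the hardened verifier rejects bare carriage returns and duplicate digest lines before checking the signature.

```python
import hashlib
import hmac
import re

# Constructed example: a toy template-signing scheme, not Nuclei's real format.
KEY = b"example-signing-key"  # assumed key, for illustration only
DIGEST_RE = re.compile(r"^# digest: ([0-9a-f]{64})$", re.M)


def sign(body: str) -> str:
    """Append a digest line computed over the template body."""
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + f"# digest: {mac}\n"


def verify_naive(template: str) -> bool:
    """Regex-style check in the spirit the article describes: in multiline
    mode '$' stops only at '\\n', so a bare '\\r' stays inside the matched
    line, and only the first digest match is ever considered."""
    m = DIGEST_RE.search(template)
    if not m:
        return False
    body = template[:m.start()] + template[m.end() + 1:]  # drop the digest line
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(m.group(1), expected)


def verify_hardened(template: str) -> bool:
    """Refuse input where the regex view and the YAML view of a 'line' could
    differ, and refuse more than one digest line, then check the signature."""
    if "\r" in template:  # YAML treats a bare CR as a line break; the regex does not
        return False
    if len(DIGEST_RE.findall(template)) != 1:
        return False
    return verify_naive(template)


def line_count_differential(template: str) -> tuple[int, int]:
    """Lines as a '\\n'-only splitter sees them vs. lines as a YAML-style
    splitter (str.splitlines, which also breaks on '\\r') sees them."""
    return len(template.split("\n")), len(template.splitlines())


if __name__ == "__main__":
    template = sign("id: example\ninfo:\n  name: constructed\n")
    print(verify_hardened(template))                       # True
    print(verify_hardened(template.replace("cons", "a\rb")))  # False: bare CR
    print(line_count_differential("a: 1\rb: 2"))          # (1, 2)
```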
Technical Impact
– Attackers could inject malicious content that bypassed verification
– Multiple digest signatures could be exploited to execute unauthorized code
– Affected templates could run harmful commands on local systems
Security researcher Guy Goldenberg of Wiz, who discovered the vulnerability, demonstrated how the disparity between the two parsers could be exploited to execute unauthorized code while the template still appeared to carry a valid signature.
Resolution and Recommendations
– The vulnerability was fixed in Nuclei v3.3.2, released on September 4
– Users of older versions should update immediately
– It’s recommended to run Nuclei in isolated environments or virtual machines
– The issue was responsibly disclosed to ProjectDiscovery on August 14, 2024
This security update highlights the importance of proper signature verification mechanisms and the potential risks in template-based scanning systems.