A recently patched flaw in Nuclei, an open-source vulnerability scanner, could allow threat actors to bypass its template signature verification.
The bug can also enable attackers to inject malicious code into templates that run on local systems. Nuclei is a well-known open-source, template-based vulnerability scanner that checks websites for vulnerabilities and other weaknesses; it ships with over 10,000 YAML templates for detecting known flaws, exposed configuration files, webshells, misconfigurations, and backdoors.
The YAML templates support a code protocol that lets a template run commands or scripts locally on a device, extending what a template can do. Each template is “signed” with a digest hash, which Nuclei utilises to ensure that the template has not been modified to contain harmful code.
The Nuclei flaw bypasses its signature verification.
The new Nuclei flaw is tracked as CVE-2024-43405. It bypasses Nuclei’s signature verification even when a template has been modified to inject malicious code.
The researchers explained that the flaw stems from a mismatch between the Go regex-based signature verification method and the way the YAML parser handles line breaks while the signature is being verified.
When verifying a signature, Go’s verification logic treats \r as part of the same line, whereas the YAML parser treats it as a line break. This mismatch allows threat actors to inject malicious payloads that are excluded from verification but are still executed when the template is processed by the YAML parser.
Another issue is how Nuclei handles multiple # digest: signature lines. The verification logic only looks for the first occurrence of # digest: in a template and ignores any subsequent ones.
Threat actors can exploit this behaviour by appending several malicious “# digest:” payloads after the initial legitimate digest, each containing a malicious “code” section that is then attached to the template and executed when the template is used.
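The following is an added example, not code from Nuclei or from the researchers who reported the flaw. It models the two behaviours described above (a \n-only-anchored regex versus a YAML scanner that also breaks lines on \r, and first-digest-only matching) as a template audit a defender could run over a template directory; the sample templates and the `# digest: <hash>` line format are constructed assumptions.

```python
import re

# Constructed sample templates. The tampered one contains a lone "\r" after the
# legitimate digest (hiding a "code" section from a \n-anchored regex) and a
# second "# digest:" line, the two patterns described in the advisory.
CLEAN_TEMPLATE = "id: example\ninfo:\n  name: demo\n# digest: abc123\n"
TAMPERED_TEMPLATE = (
    "id: example\ninfo:\n  name: demo\n"
    "# digest: abc123\r"                # lone \r: YAML sees a line break, regex does not
    "code:\n  - engine: sh\n    source: echo hello\n"
    "# digest: deadbeef\n"              # second digest line, ignored by first-match logic
)

# Python's MULTILINE anchors, like Go's (?m) anchors, only recognise "\n".
DIGEST_LINE_RE = re.compile(r"^# digest: .*$", re.MULTILINE)


def regex_view_first_digest(text):
    """What a \\n-only-anchored, first-match digest regex extracts from the file."""
    m = DIGEST_LINE_RE.search(text)
    return m.group(0) if m else None


def yaml_lines(text):
    """Split as a YAML scanner would: \\r\\n, \\r and \\n all terminate a line."""
    return re.split(r"\r\n|\r|\n", text)


def yaml_view_digest_lines(text):
    """Every digest line the YAML parser's line view exposes."""
    return [line for line in yaml_lines(text) if line.startswith("# digest:")]


def audit_template(text):
    """Return a list of findings that indicate a signature-bypass attempt."""
    findings = []
    if len(yaml_view_digest_lines(text)) > 1:
        findings.append("multiple digest lines")
    if re.search(r"\r(?!\n)", text):
        findings.append("bare carriage return")
    # The regex view should not span anything the YAML view treats as a separate line.
    first = regex_view_first_digest(text)
    if first is not None and "\r" in first:
        findings.append("digest line differs between regex and YAML views")
    return findings


if __name__ == "__main__":
    for name, tpl in (("clean", CLEAN_TEMPLATE), ("tampered", TAMPERED_TEMPLATE)):
        print(name, audit_template(tpl) or "ok")
```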
The researchers who discovered the critical flaw notified the vendor in August last year, shortly after identifying it. The vendor addressed the vulnerability in Nuclei v3.3.2, released on September 4.
Experts recommend that admins upgrade to the fixed version of the project to avoid exploitation of the newly patched vulnerability.
