Analysis Summary

ProjectDiscovery's Nuclei, a popular open-source vulnerability scanner, has been found to have a high-severity security weakness that, if successfully exploited, might enable attackers to get around signature checks and possibly run malicious code. It is being tracked as CVE-2024-43405, and its CVSS score is 7.4 out of 10.0. It affects all Nuclei versions after 3.0.0.

The vulnerability is caused by a difference in how multiple signatures are handled and how the YAML parser and the signature verification procedure treat newline characters. This enables a threat actor to insert malicious content into a template while keeping the template's benign portion's signature legitimate.

Nuclei is a vulnerability scanner made to look for security flaws in contemporary networks, cloud platforms, infrastructure, and apps. To detect the existence of a defect, the scanning engine sends specific requests using templates, which are just YAML files. Additionally, it can use the code protocol to allow external code to run on the host operating system, providing researchers greater control over security testing procedures.

According to the researchers who found CVE-2024-43405, the source of the vulnerability is the template signature verification procedure, which guarantees the integrity of the templates made available in the official templates repository. Bypassing this important verification step through successful vulnerability exploitation enables attackers to create malicious templates that can run arbitrary code and retrieve private information from the host.

This signature verification could be a single point of failure because it's the only way to validate Nuclei templates at the moment. The main source of the issue is the use of regular expressions, also known as regex, for signature validation. This leads to a parsing conflict when both regex and the YAML parser are used, which allows an attacker to introduce a "\r" character to circumvent the regex-based signature verification and have the YAML parser interpret it as a line break.

A Nuclei template that uses "\r" to incorporate a second "# digest:" line that avoids the signature verification procedure but is parsed and executed by the YAML interpreter might be created by chaining these parsing discrepancies. The YAML parser understands \\r as a line break, but Go's regex-based signature verification treats it as a part of the same line. Because of this discrepancy, attackers can insert content that the YAML parser executes but avoids verification.

Only the initial # digest: line is validated by the verification logic. Extra # digest: lines are left in the text for YAML to read and execute, but they are ignored during verification. Additionally, a stage in the verification process removes the signature line from the template content, but it does so in a way that only the first line is checked, leaving the other lines executable but unverified. Version 3.3.2 of ProjectDiscovery was released on September 4, 2024, in response to responsible disclosure. Nuclei is currently at version 3.3.7.

To get around Nuclei's signature verification, attackers might create malicious templates with well-positioned line breaks or modified # digest lines. When businesses use untrusted or community-contributed templates without enough validation or isolation, they create an attack vector for this vulnerability. An attacker might use this feature to insert malicious templates, resulting in arbitrary command execution, data exfiltration, or system compromise.

Impact

• Code Execution
• Security Bypass
• Sensitive Data Theft
• Data Exfiltration

Remediation

• Upgrade to the latest version of Nuclei, available from the Nuclei GIT Repository.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.