Security researchers have recently uncovered a critical vulnerability in the Nuclei vulnerability scanner that could be exploited by malicious actors to execute harmful code on targeted systems.
Security Flaw in Nuclei Enables Malicious Code Injection
The team at Wiz, a cybersecurity research firm, identified a significant security flaw in Nuclei, an open-source security tool developed by ProjectDiscovery. This flaw could potentially allow threat actors to inject malicious code.
Nuclei is widely used by organizations for conducting vulnerability scans using YAML-based templates. With over 2.1 million downloads on GitHub, it has become a popular tool for identifying and addressing security vulnerabilities.
According to a detailed report by Wiz, the vulnerability in Nuclei involved a bypass in signature verification, enabling attackers to insert malicious code into the target templates.
The signature verification process in Nuclei includes several steps such as extracting the signature using regex, excluding the signature from the template, hashing the remaining content, and validating the hash with the extracted signature. The verified signature is then parsed as YAML using the gopkg.in/yaml.v2 library in Go.
The vulnerability stemmed from the conflict between regex and YAML parsing during signature verification. This conflict allowed adversaries to conceal malicious code within templates, leveraging a \\r to evade detection by regex but still be parsed by YAML.
The security flaw, identified as CVE-2024-43405, has been assigned a high severity rating with a CVSS score of 7.8.
Following the disclosure by researchers, the developers promptly released a patch in Nuclei version 3.3.2 to address the vulnerability. Users are advised to update to this version or newer to safeguard against potential exploits. In cases where immediate updates are not feasible, it is recommended to use Nuclei in isolated or sandboxed environments.
We encourage you to share your thoughts and insights in the comments section below.
