Nuclei Flaw CVE-2024-43405 Threatens Thousands

Recently, a serious vulnerability was discovered in Nuclei, a vulnerability scanner developed by ProjectDiscovery. Tracked as CVE-2024-43405, it allows attackers to bypass template signature checks and execute malicious code. The vulnerability has a CVSS score of 7.4 out of 10 and impacts all versions of Nuclei from 3.0.0 onwards.

The vulnerability stems from a discrepancy in how the signature check and the YAML parser handle newline characters, which lets an attacker insert malicious code into a template while keeping a valid signature over the benign section.

Nuclei is commonly used to scan applications, cloud infrastructure, and networks for vulnerabilities using YAML-based templates. The flaw affects the verification of templates stored in the official repository, allowing malicious templates to slip past the audit process.

Researchers from Wiz discovered that attackers can exploit the inconsistency between the regular expression used for signature verification and the YAML parser in how they treat newline characters. Specifically, the carriage-return character ("\r") can be used to bypass the signature check and have code executed via the YAML parser.

The vulnerability allows attackers to craft a template with multiple lines carrying the "#digest:" signature marker, where only the first line is checked while the subsequent lines are ignored during verification but processed by the parser. Moreover, the signature line is not stripped cleanly before hashing, so unverified data can reach the parser and be executed.
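To make the line-ending discrepancy concrete from a verifier's point of view, the following Go program is an added illustration written for this article; it is not Nuclei's code and does not reproduce its signing scheme. It models a "# digest:" check with a regex, as the article describes, and uses a SHA-256 hash in place of the real signature so it runs offline. Go's regexp treats only "\n" as a line terminator, while a YAML parser also treats "\r" as a line break, so a line the regex strips before hashing can still be seen by the parser. The strict verifier shown alongside it (an assumed hardening, not ProjectDiscovery's fix) normalises line endings before checking and rejects any template with more than one digest line. The template contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// reDigest is a simplified model of a "# digest:" matcher. With (?m), Go's
// regexp treats only '\n' as a line boundary: '.' matches '\r' and '$' only
// matches before '\n'. (Hypothetical verifier, not Nuclei's code.)
var reDigest = regexp.MustCompile(`(?m)^# digest: .+$`)

// sha stands in for the real signature over the canonicalised template body.
func sha(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Sign appends a digest line covering the (whitespace-trimmed) body.
func Sign(body string) string {
	return strings.TrimRight(body, "\n") + "\n# digest: " + sha(strings.TrimSpace(body))
}

// NaiveVerify models the flawed scheme: take the first digest line as the
// signature, strip every regex match from the text, hash what is left.
// Anything between "# digest:" and the next '\n', including text after a
// '\r', is removed before hashing and so is never covered by the check.
func NaiveVerify(template string) bool {
	first := reDigest.FindString(template)
	if first == "" {
		return false
	}
	want := strings.TrimSpace(strings.TrimPrefix(first, "# digest: "))
	stripped := reDigest.ReplaceAllString(template, "")
	return sha(strings.TrimSpace(stripped)) == want
}

// YAMLLines splits the way a YAML parser counts lines: '\r', '\n' and
// "\r\n" all terminate a line.
func YAMLLines(template string) []string {
	norm := strings.ReplaceAll(template, "\r\n", "\n")
	norm = strings.ReplaceAll(norm, "\r", "\n")
	return strings.Split(strings.TrimSuffix(norm, "\n"), "\n")
}

// StrictVerify normalises line endings first, so the verifier and the
// parser agree on what a line is, and accepts exactly one digest line.
func StrictVerify(template string) bool {
	var want string
	var body []string
	for _, l := range YAMLLines(template) {
		if strings.HasPrefix(l, "# digest: ") {
			if want != "" {
				return false // a second digest line is always rejected
			}
			want = strings.TrimSpace(strings.TrimPrefix(l, "# digest: "))
			continue
		}
		body = append(body, l)
	}
	if want == "" {
		return false
	}
	return sha(strings.TrimSpace(strings.Join(body, "\n"))) == want
}

func main() {
	signed := Sign("id: demo\n") // constructed, benign template
	h := sha("id: demo")
	// A second digest line whose '\r' hides an extra YAML line from the regex.
	crafted := signed + "\n# digest: " + h + "\rextra: unverified\n"
	fmt.Println("naive :", NaiveVerify(crafted))   // true: the check is fooled
	fmt.Println("strict:", StrictVerify(crafted))  // false: rejected
	fmt.Printf("parser sees %q\n", YAMLLines(crafted))
}
```

Running it shows the naive verifier accepting the crafted template while the parser sees "extra: unverified" as its own line; the strict verifier rejects it because it normalises "\r" before doing anything else and refuses a second digest line.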

ProjectDiscovery addressed this vulnerability on September 4, 2024, with the release of version 3.3.2. The most recent version of Nuclei, 3.3.7, includes the fix. Users are strongly advised to update their Nuclei installation to the latest version.

Researchers highlight that the vulnerability is particularly concerning for organizations that use publicly available or unauthenticated templates without a proper security audit. This practice creates a potential entry point for attackers, with risks including arbitrary code execution, data theft, and system compromise.

/Reports, release notes, official announcements.