An engineering team from Wiz has discovered a critical vulnerability in Nuclei, a popular open-source security tool developed by ProjectDiscovery.
The vulnerability, tracked as CVE-2024-43405, allows a malicious actor to bypass the tool’s template signature verification, which can lead to arbitrary code execution on the scanning host.
This discovery has raised the alarm within the cybersecurity community, particularly among entities that rely on Nuclei for automated vulnerability scanning.
Nuclei’s Role in Security Operations
The tool is widely used for its YAML-based templates. According to Wiz, these templates “define the logic for detecting vulnerabilities, misconfigurations, and other security issues across various protocols and technologies.”
One feature that sets Nuclei apart is its code protocol, which lets a template execute external code on the host system. While this capability makes templates far more flexible, it also means a template is effectively executable: it can be crafted for legitimate or malicious purposes alike.
Guy Goldenberg, a senior software engineer at Wiz, said: “Nuclei, with over 21,000 stars on GitHub and an impressive 2.1 million downloads, has become a cornerstone in many organizations’ security stacks, including our own at Wiz. Its popularity stems from its flexibility and efficiency in detecting vulnerabilities across various digital assets. This widespread adoption underscores the critical role Nuclei plays in the security community, making it essential to proactively identify and address any potential vulnerabilities to maintain its integrity and trustworthiness.”
Signature Verification
According to the researchers, to address these risks, ProjectDiscovery put a signature verification mechanism in place. “All Nuclei engines trust ProjectDiscovery, and templates in their official templates repository are automatically signed to ensure their integrity and origin. This signature is embedded in the # digest: <signature> comment at the end of each template, serving as a cryptographic guarantee of authenticity.”
Because this signature verification is presently the sole method available for validating Nuclei templates, it is also a potential single point of failure. This is what prompted Wiz to scrutinize its robustness and integrity.
Signature Bypass
Nuclei’s signature mechanism uses ECDSA on the P-256 curve with SHA-256, with the resulting signature ASN.1-encoded. This combination is widely regarded as a secure standard and is used here because it produces compact, efficient digital signatures.
The verification process for Nuclei templates consists of four steps. First, the signature is located by matching the # digest: line with a regular expression. Second, that line is removed from the template content so that the hash covers only the template itself. Third, a SHA-256 hash is computed over the remaining content.
Finally, the extracted signature is checked against the computed hash using the trusted public key, which confirms both the integrity and the origin of the template.
Once the template successfully passes verification, it is parsed as YAML using Go’s gopkg.in/yaml.v2 library and is ready for execution.
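The four verification steps above, implemented in Go (the language Nuclei itself is written in) as an added example; this is not ProjectDiscovery’s code and not the 3.3.2 patch. The article does not state how the digest value is encoded inside the comment or the exact regular expression, so the base64 encoding, the `(?m)^#\sdigest:\s.+$` pattern, the throwaway P-256 key (standing in for ProjectDiscovery’s key) and the sample template are all assumptions of this example. `VerifyStrict` is an extra structural check of my own: it insists that the digest comment occurs exactly once, is the final line, and contains no carriage return, so that the bytes the regex strips before hashing are the same bytes a YAML parser would treat as that comment line.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// reDigest finds the "# digest:" comment (assumed pattern). With (?m), ^ and $
// work per line; in Go's RE2 syntax `.` matches any byte except "\n" and `$`
// matches just before "\n", so a match always runs from "# digest:" to the
// next "\n" and no further.
var reDigest = regexp.MustCompile(`(?m)^#\sdigest:\s.+$`)

const digestPrefix = "# digest: "

// strippedBody is the byte sequence the signature covers: the template with
// every regex match for the digest line replaced by nothing (step two).
func strippedBody(template []byte) []byte {
	return reDigest.ReplaceAll(template, nil)
}

// Sign drops any stale digest line, signs SHA-256 of the body with ECDSA P-256
// (ASN.1/DER-encoded signature, as the article describes) and appends the
// "# digest:" comment. Hypothetical signer written for this example.
func Sign(template []byte, priv *ecdsa.PrivateKey) ([]byte, error) {
	content := strippedBody(template)
	if len(content) == 0 || content[len(content)-1] != '\n' {
		content = append(content, '\n')
	}
	// The verifier strips only the comment text, not the "\n" that ends it,
	// so the bytes it will hash are the content followed by one more "\n".
	sum := sha256.Sum256(append(append([]byte(nil), content...), '\n'))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	if err != nil {
		return nil, err
	}
	return append(content, digestPrefix+base64.StdEncoding.EncodeToString(sig)+"\n"...), nil
}

// Verify performs the four steps: extract the digest line by regex, remove it,
// hash what remains with SHA-256, and check the signature with the trusted key.
func Verify(template []byte, pub *ecdsa.PublicKey) error {
	line := reDigest.Find(template)
	if line == nil {
		return errors.New("no # digest: line found")
	}
	encoded := strings.TrimSpace(strings.TrimPrefix(string(line), "# digest:"))
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return fmt.Errorf("malformed digest line: %w", err)
	}
	sum := sha256.Sum256(strippedBody(template))
	if !ecdsa.VerifyASN1(pub, sum[:], sig) {
		return errors.New("signature does not match template content")
	}
	return nil
}

// VerifyStrict adds structural checks of my own before the cryptographic one.
// The regex treats only "\n" as a line terminator, while a YAML 1.1 parser also
// accepts a bare "\r" as a line break; refusing "\r" in the comment, and
// requiring exactly one comment as the last line, keeps "the line the verifier
// strips" and "the line the parser sees" identical.
func VerifyStrict(template []byte, pub *ecdsa.PublicKey) error {
	matches := reDigest.FindAll(template, -1)
	switch {
	case len(matches) == 0:
		return errors.New("no # digest: line found")
	case len(matches) > 1:
		return fmt.Errorf("%d # digest: lines found, expected exactly one", len(matches))
	}
	line := matches[0]
	if bytes.ContainsRune(line, '\r') {
		return errors.New("digest line contains a carriage return")
	}
	if !bytes.HasSuffix(template, append(append([]byte("\n"), line...), '\n')) {
		return errors.New("digest line must be the final line of the template")
	}
	return Verify(template, pub)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample template; not taken from the nuclei-templates repository.
	template := []byte("id: example-check\ninfo:\n  name: Example\n  severity: info\n")
	signed, err := Sign(template, priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed template:\n%s\n", signed)
	fmt.Println("verify:", Verify(signed, &priv.PublicKey))
	tampered := bytes.Replace(signed, []byte("severity: info"), []byte("severity: high"), 1)
	fmt.Println("tampered:", Verify(tampered, &priv.PublicKey))
}
```

The design point is that the signature binds only the output of the regex substitution, so a verifier of this shape is exactly as trustworthy as the agreement between that regex and whatever parser consumes the template afterwards; the strict checks are there to remove any room for the two to disagree.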
Compromising Entire Systems, Networks
Goldenberg said that the attack vector for this vulnerability arises when organizations run untrusted or community-contributed templates without proper validation or isolation.
Moreover, services that enable users to modify or upload Nuclei templates, such as automated scanning platforms or shared security pipelines, are especially susceptible.
A malicious actor could exploit this functionality to inject malicious templates, leading to arbitrary command execution, data exfiltration, or system compromise.
The severity of this issue stresses the critical need for a defense-in-depth approach, including running tools of this nature in isolated, sandboxed environments and strictly validating template sources.
“Through collaboration with the security community, we continue to advance security research and ensure the tools we rely on remain safe and trustworthy,” he said.
Mitigating the Threat
To address this vulnerability, ProjectDiscovery has released a patch in Nuclei version 3.3.2. All users are strongly encouraged to upgrade to this version or later to protect their systems against possible exploits.
Moreover, Wiz’s team recommends several best practices to limit risk:
Avoid Unverified Templates: Only execute templates that come from trusted sources to limit exposure to malware.
Implement Isolation Measures: Operate Nuclei in a highly secured and isolated environment (such as a sandbox) to lessen the impact of any potential breach.
Regular Updates: Stay up-to-date with the latest versions of Nuclei (and all other software) to benefit from ongoing security patches and enhancements.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.