ghsa-7h5p-mmpp-hgmm
Vulnerability from github
Published
2024-09-04 17:38
Modified
2024-10-14 14:19
Severity ?
7.4 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
5.1 (Medium) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
Nuclei Template Signature Verification Bypass
Details

Summary

A vulnerability has been identified in Nuclei's template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template.

Affected Component

The vulnerability is present in the template signature verification process, specifically in the signer package.

Description

The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.

Affected Users

  1. CLI Users: Those executing custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories.
  2. SDK Users: Developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users.

[!NOTE] Code templates are disabled as default, users have to explicitly enable with -code option.

Proof of Concept

```yaml id: example-template info: name: Example Template

Other benign content...

digest:

digest: \r

code:\r - engine:\r - sh\r - bash\r source: |\r id\r ```

Patches

  1. The vulnerability is addressed in Nuclei v3.3.2 Users are strongly recommended to update to this version to mitigate the security risk.
  2. Fix reference - https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a

Mitigation

  • Immediate Upgrade: The primary recommendation is to upgrade to Nuclei v3.2.0, where the vulnerability has been patched.
  • Avoid Unverified Templates: As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed.

Workarounds

If you are unable to upgrade nuclei, disable running custom code templates as workaround.

Acknowledgments

We would like to thank Guy Goldenberg from Wiz who reported this to us via our security email, security@projectdiscovery.io.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectdiscovery/nuclei/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-04T17:38:24Z",
    "nvd_published_at": "2024-09-04T16:15:06Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nA vulnerability has been identified in Nuclei\u0027s template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template.\n\n## Affected Component\nThe vulnerability is present in the template signature verification process, specifically in the `signer` package.\n\n## Description\nThe vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.\n\n### Affected Users\n1. **CLI Users:** Those executing **custom code templates** from unverified sources. This includes templates authored by third parties or obtained from unverified repositories.\n2. **SDK Users:** Developers integrating Nuclei into their platforms, particularly if they permit the execution of **custom code templates** by end-users.\n\n\u003e [!NOTE]\n\u003e Code templates are disabled as default, users have to explicitly enable with `-code` option. \n\n## Proof of Concept\n\n```yaml\nid: example-template\ninfo:\n  name: Example Template\n# Other benign content...\n# digest: \u003cvalid_signature_for_benign_content\u003e\n# digest: \u003canother_signature\u003e\\r\ncode:\\r\n  - engine:\\r\n      - sh\\r\n      - bash\\r\n    source: |\\r\n      id\\r\n```\n### Patches\n1. The vulnerability is addressed in Nuclei v3.3.2 Users are strongly recommended to update to this version to mitigate the security risk.\n2. Fix reference - https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a\n\n### Mitigation\n- **Immediate Upgrade**: The primary recommendation is to upgrade to Nuclei v3.2.0, where the vulnerability has been patched.\n- **Avoid Unverified Templates**: As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, [verified templates](https://github.com/projectdiscovery/nuclei-templates) should be executed.\n\n### Workarounds\nIf you are unable to upgrade nuclei, disable running custom code templates as workaround.\n\n## Acknowledgments\n\nWe would like to thank [Guy Goldenberg](https://github.com/GuyGoldenberg) from Wiz who reported this to us via our security email, [security@projectdiscovery.io](mailto:security@projectdiscovery.io).",
  "id": "GHSA-7h5p-mmpp-hgmm",
  "modified": "2024-10-14T14:19:19Z",
  "published": "2024-09-04T17:38:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43405"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/projectdiscovery/nuclei"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nuclei Template Signature Verification Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.