Skip to content

Nuclei Template Signature Verification Bypass

High
ehsandeep published GHSA-7h5p-mmpp-hgmm Sep 4, 2024

Package

gomod github.com/projectdiscovery/nuclei/v3 (Go)

Affected versions

> 3.0.0

Patched versions

3.3.2

Description

Summary

A vulnerability has been identified in Nuclei's template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template.

Affected Component

The vulnerability is present in the template signature verification process, specifically in the signer package.

Description

The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template.

Affected Users

  1. CLI Users: Those executing custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories.
  2. SDK Users: Developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users.

Note

Code templates are disabled as default, users have to explicitly enable with -code option.

Proof of Concept

id: example-template
info:
  name: Example Template
# Other benign content...
# digest: <valid_signature_for_benign_content>
# digest: <another_signature>\r
code:\r
  - engine:\r
      - sh\r
      - bash\r
    source: |\r
      id\r

Patches

  1. The vulnerability is addressed in Nuclei v3.3.2 Users are strongly recommended to update to this version to mitigate the security risk.
  2. Fix reference - 0da993a

Mitigation

  • Immediate Upgrade: The primary recommendation is to upgrade to Nuclei v3.2.0, where the vulnerability has been patched.
  • Avoid Unverified Templates: As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed.

Workarounds

If you are unable to upgrade nuclei, disable running custom code templates as workaround.

Acknowledgments

We would like to thank Guy Goldenberg from Wiz who reported this to us via our security email, security@projectdiscovery.io.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CVE ID

CVE-2024-43405

Weaknesses

Credits