Full Report
Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution.
Analysis Summary
# Vulnerability: Nuclei Signature Verification Bypass Leading to Arbitrary Code Execution
## CVE Details
- CVE ID: CVE-2024-43405
- CVSS Score: High (Specific score not detailed, described as "significant" and "high severity")
- CWE: Potentially related to CWE-20 (Improper Input Validation) or CWE-502 (Deserialization of Untrusted Data) due to template parsing/execution logic.
## Affected Systems
- Products: Nuclei (by ProjectDiscovery)
- Versions: Prior to 3.3.2
- Configurations: Any configuration utilizing the `code` protocol templates, especially when untrusted or unverified templates sourced outside of the official repository might be processed.
## Vulnerability Description
The vulnerability resides in the signature verification mechanism used by Nuclei for its YAML-based templates, specifically those using the `code` protocol which allows for local host command execution. Nuclei relies solely on a signature embedded via the `# digest:` line (ASN.1 ECDSA P-256 SHA-256) to validate template integrity. Researchers discovered a bypass to this signature verification process. Successfully bypassing the check allows an attacker to inject and run arbitrary, malicious templates on the host executing Nuclei, leading to command execution or data exfiltration (e.g., reading sensitive files like `/etc/shadow`).
## Exploitation
- Status: Not explicitly stated as exploited in the wild; discovered by Wiz engineering team.
- Complexity: Implied to be relatively complex given the discovery involved deep analysis of ASN.1/ECDSA verification logic, but high impact if achieved.
- Attack Vector: Local/Network (via providing a malicious template file to the scanner engine).
## Impact
- Confidentiality: High (Potential for reading sensitive system files like `/etc/shadow`).
- Integrity: High (Ability to execute arbitrary code on the host).
- Availability: High (Potential for system compromise leading to service disruption).
## Remediation
### Patches
- Upgrade Nuclei to version **3.3.2 or later**.
### Workarounds
1. **Run in an Isolated Environment**: Always execute Nuclei within a sandboxed or highly isolated environment to contain potential breaches if untrusted templates are processed.
2. **Strictly Validate Template Sources**: Only use templates from trusted sources.
## Detection
- Due to the nature of the bypass relating to parser logic, specific IoCs are template-dependent.
- **Detection Strategy**: Monitor for anomalous outbound network connections originating from the host running Nuclei templates, especially when using the `code` protocol, as malicious templates may attempt data exfiltration.
- **General Mitigation**: Implement defense-in-depth by locking down the execution environment of security tools like Nuclei.
## References
- Vendor Advisory (ProjectDiscovery): Search archives for Nuclei 3.3.2 release notes or security advisories from September 2024.
- Wiz Research Blog (Published December 18, 2024): Mentioned in the context of the disclosure timeline.