CVE-2023-38198
📋 TL;DR
CVE-2023-38198 is a critical remote code execution vulnerability in acme.sh, an ACME protocol client for obtaining TLS certificates. The vulnerability allows attackers to execute arbitrary commands on affected systems by exploiting improper input validation in eval() calls. Anyone using acme.sh versions before 3.0.6 for automated certificate management is affected.
💻 Affected Systems
- acme.sh
📦 What is this software?
Acme.sh by Acme.sh Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with the privileges of the acme.sh process, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attackers gain shell access to the affected system, allowing them to steal sensitive data, install cryptocurrency miners, or pivot to other systems in the network.
If Mitigated
If proper network segmentation and least privilege principles are followed, impact may be limited to the specific service account running acme.sh.
🎯 Exploit Status
Exploited in the wild since June 2023. Attackers can trigger the vulnerability by manipulating responses from certificate authorities or by intercepting the ACME exchange in a MITM position.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.6
Vendor Advisory: https://github.com/acmesh-official/acme.sh/releases/tag/3.0.6
Restart Required: No
Instructions:
1. Update acme.sh using: acme.sh --upgrade
2. Alternatively, manually update to version 3.0.6 or later
3. Verify the update completed successfully
🔧 Temporary Workarounds
Disable automatic certificate renewal (Linux)
Temporarily disable automated certificate renewal to prevent exploitation while planning the permanent fix:
crontab -e   # remove or comment out the acme.sh renewal entries
Network isolation (Linux)
Restrict network access for systems running acme.sh to only the necessary certificate authorities. Two caveats: iptables resolves a hostname given to -d once, at rule-insertion time, so the allowed addresses must be re-checked whenever the CA's DNS changes; and the ACME API endpoint acme.sh actually contacts (acme-v02.api.letsencrypt.org for Let's Encrypt) resolves to different addresses than letsencrypt.org, so allow the endpoint rather than the bare domain. The final DROP rule blocks all other HTTPS egress from the host.
iptables -A OUTPUT -p tcp --dport 443 -d acme-v02.api.letsencrypt.org -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network controls to limit acme.sh communication to trusted certificate authorities only
- Run acme.sh with minimal privileges using a dedicated service account with no sudo access
🔍 How to Verify
Check Version:
acme.sh --version | tail -n 1
(acme.sh --version prints the project URL on its first line and the version, e.g. v3.0.6, on its second, so tail -n 1 rather than head -1 isolates the version.)
Verify Fix Applied:
Verify the version is 3.0.6 or later (the pattern also accepts 3.0.7 and up, 3.1.x and later, and 4.x and later): acme.sh --version | tail -n 1 | grep -qE '^v(3\.0\.([6-9]|[1-9][0-9])|3\.[1-9]|[4-9])' && echo 'Patched'
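A more robust form of the version check, written as an added example for this page rather than code from the acme.sh project: it parses the two-line output of acme.sh --version and compares the version numerically with sort -V, so 3.0.10 correctly ranks above 3.0.6. The functions take the version text as an argument, so the logic can be exercised without acme.sh installed; the assumption that the version appears as "vX.Y.Z" on the second output line matches current acme.sh behaviour.

```shell
#!/bin/sh
# Added example (not acme.sh project code): decide whether an acme.sh install
# carries the CVE-2023-38198 fix (3.0.6 or later).
# Assumes `acme.sh --version` prints the project URL on line 1 and "vX.Y.Z" on line 2.

FIXED_VERSION="3.0.6"

# Extract the bare version number from the text of `acme.sh --version`.
# Takes the text as $1 so it can be tested offline.
parse_acme_version() {
  printf '%s\n' "$1" | sed -n 's/^v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) if version $1 >= version $2.
# sort -V (GNU coreutils / busybox) orders 3.0.10 after 3.0.6, unlike string comparison.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print "patched"/"vulnerable"/"unknown" for the given --version text.
# Exit status: 0 patched, 1 vulnerable, 2 unparsable.
acme_patch_status() {
  ver="$(parse_acme_version "$1")"
  if [ -z "$ver" ]; then
    echo "unknown (could not parse version)"
    return 2
  fi
  if version_ge "$ver" "$FIXED_VERSION"; then
    echo "patched ($ver)"
    return 0
  fi
  echo "vulnerable ($ver < $FIXED_VERSION)"
  return 1
}

# Live check when acme.sh is on PATH; otherwise nothing happens.
if command -v acme.sh >/dev/null 2>&1; then
  acme_patch_status "$(acme.sh --version 2>/dev/null)" || true
fi
```

On hosts where acme.sh is installed only as a shell alias (the default installer puts it under ~/.acme.sh), pass the output of ~/.acme.sh/acme.sh --version to acme_patch_status instead of relying on PATH.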
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in system logs
- Unexpected network connections from acme.sh process
- Certificate renewal failures or anomalies
Network Indicators:
- Unusual outbound connections from acme.sh to non-CA endpoints
- DNS queries to suspicious domains during certificate renewal
SIEM Query (Lucene/KQL-style; field names follow ECS and must be adapted to your schema; the destination is matched on the host name, since comparing an IP field against a domain never matches, and the two allowed hosts are combined with NOT (... OR ...) so that a connection to either one is excluded rather than always matching):
process.name:"acme.sh" AND NOT destination.domain:("letsencrypt.org" OR "acme-v02.api.letsencrypt.org")
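The same allowlist logic as the query, applied to a connection log with plain shell tools, added here as an example and not taken from the page's source or from acme.sh. The log format ("timestamp process host:port") is constructed for the example and is not a real syslog or acme.sh format; the field positions in the awk program and the allowlist (Let's Encrypt hosts only) are assumptions to adapt, in particular if your setup uses a DNS-API hook that legitimately contacts a DNS provider during renewal.

```shell
#!/bin/sh
# Added example (not acme.sh project code): flag outbound connections from the
# acme.sh process to hosts outside a CA allowlist, mirroring the SIEM query above.

# Hosts acme.sh is expected to reach. Assumption: Let's Encrypt only; add your CA
# and any DNS-API provider hosts your renewal hooks contact.
ALLOWED_HOSTS="acme-v02.api.letsencrypt.org letsencrypt.org"

# Constructed sample log, format: timestamp process destination(host:port).
SAMPLE_LOG='2023-07-01T02:00:01Z acme.sh acme-v02.api.letsencrypt.org:443
2023-07-01T02:00:02Z acme.sh letsencrypt.org:443
2023-07-01T02:00:03Z acme.sh unknown-host.example:443
2023-07-01T02:00:04Z curl acme-v02.api.letsencrypt.org:443
2023-07-01T02:00:05Z acme.sh 203.0.113.10:8080'

# Print one line per acme.sh connection whose destination host is not allowlisted.
# Only lines whose process field is exactly "acme.sh" are considered (field 2);
# the port suffix is stripped from field 3 before the lookup.
find_unexpected_acme_destinations() {
  printf '%s\n' "$1" | awk -v allowed="$ALLOWED_HOSTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 == "acme.sh" {
      host = $3; sub(/:[0-9]+$/, "", host)
      if (!(host in ok)) print $1, "acme.sh ->", host
    }'
}

# Number of suspicious connections; a non-zero count is the alert condition.
count_unexpected_acme_destinations() {
  find_unexpected_acme_destinations "$1" | wc -l | tr -d ' '
}

find_unexpected_acme_destinations "$SAMPLE_LOG"
```

Run as-is, the script prints the two lines for unknown-host.example and 203.0.113.10; the curl line is ignored because the process field is not acme.sh. Feed real data by replacing SAMPLE_LOG with the output of your connection logger reduced to the same three fields.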
🔗 References
- http://www.openwall.com/lists/oss-security/2023/07/13/1
- https://github.com/acmesh-official/acme.sh/issues/4659
- https://github.com/acmesh-official/acme.sh/releases/tag/3.0.6
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys
- https://news.ycombinator.com/item?id=36252310
- https://news.ycombinator.com/item?id=36254093
- https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote/