<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Acme - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/acme/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/acme/feed.xml" rel="self" type="application/rss+xml"/><item><title>Lego ACME Client Arbitrary File Write via Path Traversal</title><link>https://feed.craftedsignal.io/briefs/2024-01-23-lego-path-traversal/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-23-lego-path-traversal/</guid><description>The lego ACME client is vulnerable to arbitrary file write and deletion via path traversal, where a malicious ACME server can supply a crafted challenge token containing `../` sequences, causing lego to write attacker-influenced content to any path writable by the lego process, potentially leading to remote code execution, data destruction, or privilege escalation.</description><content:encoded><![CDATA[<p>The <code>go-acme/lego</code> library, a popular ACME client, is susceptible to a path traversal vulnerability within its webroot HTTP-01 challenge provider. This flaw allows a malicious ACME server to manipulate the file paths used by <code>lego</code> when responding to certificate requests. By providing a crafted challenge token containing <code>../</code> sequences, the attacker can force <code>lego</code> to write data to arbitrary locations on the filesystem, bypassing the intended webroot directory. This vulnerability affects versions prior to 4.34.0 (v4), 3.9.0 (v3), and 2.7.2 (v2), potentially impacting any system where <code>lego</code> is used for automated certificate management. Successful exploitation could lead to remote code execution, data destruction, or privilege escalation, depending on the context and permissions of the <code>lego</code> process.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Victim configures <code>lego</code> to use a malicious ACME server using the <code>--server</code> flag.</li>
<li>Victim specifies a webroot directory using the <code>--http.webroot</code> flag, such as <code>/var/www/html</code>.</li>
<li>Victim initiates a certificate request using <code>lego run</code> with a targeted domain.</li>
<li>The malicious ACME server responds with a crafted challenge token containing path traversal sequences like <code>../../../../../../tmp/evil</code>.</li>
<li><code>lego</code> concatenates the webroot path with the malicious token using <code>filepath.Join()</code>.</li>
<li><code>lego</code> calls <code>os.MkdirAll()</code> to create the directory structure for the file path.</li>
<li><code>lego</code> writes the key authorization content to the file path resolved with path traversal via <code>os.WriteFile()</code>.</li>
<li>The key authorization is written to an arbitrary location (e.g., <code>/tmp/evil</code>) outside of the webroot, and could be used to overwrite config files, systemd units, etc.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This path traversal vulnerability (CVE-2026-40611) allows a malicious ACME server to write arbitrary files to the filesystem. Any user running <code>lego</code> with the HTTP-01 challenge solver against a malicious or compromised ACME server is affected. This can lead to remote code execution by writing to cron directories, systemd unit paths, shell profiles, or web application directories served by the webroot. Data can be destroyed by overwriting configuration files, TLS certificates, or application state. Privilege escalation is possible if <code>lego</code> runs as root, granting unrestricted filesystem write access. The <code>CleanUp()</code> function also enables arbitrary file deletion using the same unsanitized token.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>go-acme/lego</code> to version 4.34.0 or later to patch CVE-2026-40611.</li>
<li>Implement input validation on the ACME token received from the ACME server to prevent path traversal sequences.</li>
<li>Deploy the Sigma rule &quot;Detect Lego Path Traversal Attempt via Challenge Token&quot; to identify attempts to exploit the vulnerability (see below).</li>
<li>Monitor filesystem writes performed by the <code>lego</code> process, especially to sensitive directories. Enable Sysmon file creation logging to facilitate this monitoring.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>acme</category><category>lego</category><category>certificate-management</category><category>cve-2026-40611</category></item></channel></rss>