{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lego/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["lego"],"_cs_severities":["high"],"_cs_tags":["path-traversal","acme","lego","certificate-management","cve-2026-40611"],"_cs_type":"advisory","_cs_vendors":["go-acme"],"content_html":"\u003cp\u003eThe \u003ccode\u003ego-acme/lego\u003c/code\u003e library, a popular ACME client, is susceptible to a path traversal vulnerability within its webroot HTTP-01 challenge provider. This flaw allows a malicious ACME server to manipulate the file paths used by \u003ccode\u003elego\u003c/code\u003e when responding to certificate requests. By providing a crafted challenge token containing \u003ccode\u003e../\u003c/code\u003e sequences, the attacker can force \u003ccode\u003elego\u003c/code\u003e to write data to arbitrary locations on the filesystem, bypassing the intended webroot directory. This vulnerability affects versions prior to 4.34.0 (v4), 3.9.0 (v3), and 2.7.2 (v2), potentially impacting any system where \u003ccode\u003elego\u003c/code\u003e is used for automated certificate management. Successful exploitation could lead to remote code execution, data destruction, or privilege escalation, depending on the context and permissions of the \u003ccode\u003elego\u003c/code\u003e process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictim configures \u003ccode\u003elego\u003c/code\u003e to use a malicious ACME server using the \u003ccode\u003e--server\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eVictim specifies a webroot directory using the \u003ccode\u003e--http.webroot\u003c/code\u003e flag, such as \u003ccode\u003e/var/www/html\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eVictim initiates a certificate request using \u003ccode\u003elego run\u003c/code\u003e with a targeted domain.\u003c/li\u003e\n\u003cli\u003eThe malicious ACME server responds with a crafted challenge token containing path traversal sequences like \u003ccode\u003e../../../../../../tmp/evil\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003elego\u003c/code\u003e concatenates the webroot path with the malicious token using \u003ccode\u003efilepath.Join()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003elego\u003c/code\u003e calls \u003ccode\u003eos.MkdirAll()\u003c/code\u003e to create the directory structure for the file path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003elego\u003c/code\u003e writes the key authorization content to the file path resolved with path traversal via \u003ccode\u003eos.WriteFile()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe key authorization is written to an arbitrary location (e.g., \u003ccode\u003e/tmp/evil\u003c/code\u003e) outside of the webroot, and could be used to overwrite config files, systemd units, etc.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis path traversal vulnerability (CVE-2026-40611) allows a malicious ACME server to write arbitrary files to the filesystem. Any user running \u003ccode\u003elego\u003c/code\u003e with the HTTP-01 challenge solver against a malicious or compromised ACME server is affected. This can lead to remote code execution by writing to cron directories, systemd unit paths, shell profiles, or web application directories served by the webroot. Data can be destroyed by overwriting configuration files, TLS certificates, or application state. Privilege escalation is possible if \u003ccode\u003elego\u003c/code\u003e runs as root, granting unrestricted filesystem write access. The \u003ccode\u003eCleanUp()\u003c/code\u003e function also enables arbitrary file deletion using the same unsanitized token.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ego-acme/lego\u003c/code\u003e to version 4.34.0 or later to patch CVE-2026-40611.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the ACME token received from the ACME server to prevent path traversal sequences.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Lego Path Traversal Attempt via Challenge Token\u0026quot; to identify attempts to exploit the vulnerability (see below).\u003c/li\u003e\n\u003cli\u003eMonitor filesystem writes performed by the \u003ccode\u003elego\u003c/code\u003e process, especially to sensitive directories. Enable Sysmon file creation logging to facilitate this monitoring.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-23-lego-path-traversal/","summary":"The lego ACME client is vulnerable to arbitrary file write and deletion via path traversal, where a malicious ACME server can supply a crafted challenge token containing `../` sequences, causing lego to write attacker-influenced content to any path writable by the lego process, potentially leading to remote code execution, data destruction, or privilege escalation.","title":"Lego ACME Client Arbitrary File Write via Path Traversal","url":"https://feed.craftedsignal.io/briefs/2024-01-23-lego-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Lego","version":"https://jsonfeed.org/version/1.1"}