
CVE request for RCE discovered in #4659

Open aaomidi opened this issue 2 years ago • 7 comments

For the bug discovered in #4659, could the acmesh team request a CVE since it’s effectively allowing RCE?

I believe some of the instructions even tell the user to use root with this: https://github.com/acmesh-official/acme.sh/blob/b7caf7a0165d80dd1556b16057a06bb32025066d/README.md?plain=1#L145

aaomidi avatar Jun 09 '23 13:06 aaomidi

I'm searching google on how to request a CVE, sorry, I don't know that yet.

Neilpang avatar Jun 09 '23 13:06 Neilpang

I'm searching google on how to request a CVE, sorry, I don't know that yet.

https://cveform.mitre.org/

StayPirate avatar Jun 09 '23 13:06 StayPirate

There are three questions:

  1. The acme.sh arbitrary code execution vulnerability has been fixed, which is good.
  2. Whether HiCA has used this vulnerability to execute malicious code needs a response.
  3. HiCA claims that it has jointly built an OCSP responder with ssl.com in China; this requires ssl.com to respond on whether it complies with the CPS specification and the BR.

BeSafee avatar Jun 09 '23 13:06 BeSafee

@BeSafee the second and third questions are not relevant to this bug. AcmeSH isn't a root program and won't be handling those. For those you should reach out to the various root programs.

aaomidi avatar Jun 09 '23 13:06 aaomidi

GitHub provides CVE using their own advisory process, see https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory.

Going via Mitre is a last resort, so please use the published process.

waldiTM avatar Jun 09 '23 16:06 waldiTM

There are three questions:

  1. The acme.sh arbitrary code execution vulnerability has been fixed, which is good.
  2. Whether HiCA has used this vulnerability to execute malicious code needs a response.
  3. HiCA claims that it has jointly built an OCSP responder with ssl.com in China; this requires ssl.com to respond on whether it complies with the CPS specification and the BR.

@BeSafee

About [1.], I agree.

For [2.], we have the full source code git log for the challenge responder controller; if you know a familiar auditor and are willing to pay the audit fee, you are welcome to review the git log.

And about [3.], OCSP responder management is a widely accepted solution. You may be worried because the ICP information subject is a Chinese company, but the domain ownership is controlled by the CA, so that's compliant with the CA's CPS and the CA/B Forum's BR. Many CAs have OCSP responders served through China ICP-filed domains, including Sectigo, DigiCert and GlobalSign. So we believe it's fully compliant with the CA/B Forum BR. And is this associated with the RCE or this issue?

xiaohuilam avatar Jun 09 '23 17:06 xiaohuilam

About [1.], I agree.

Sorry, you don't. You/your company/whatever your business is, was the first to detect AND exploit that RCE possibility; instead of reporting it, you were exploiting it (for good, maybe, but exploiting nevertheless).

My advice: please stop justifying something that can't be justified.

solracsf avatar Jun 10 '23 07:06 solracsf

Someone created a CVE: https://www.cve.org/CVERecord?id=CVE-2023-38198

Neilpang avatar Jul 14 '23 01:07 Neilpang