Let's Encrypt ACME Client and Library HTTPS Enforcement Vulnerability

Vulnerability

A vulnerability exists in Lego, the Let's Encrypt client and ACME library, in versions through 4.25.1. The library does not enforce HTTPS when the ACME client communicates with Certificate Authorities (CAs). While the http-01 challenge itself is served over unencrypted HTTP, the ACME protocol mandates HTTPS for all client-CA interactions. Because the client accepts non-HTTPS endpoints, ACME operations can inadvertently be performed over plaintext HTTP, exposing request and response details, such as account and request identifiers, to interception by an attacker on the network path.

Impact

An attacker in a privileged network position could intercept sensitive data from the unencrypted client-CA traffic, including account and request identifiers.

Reproduction

The vulnerability can be reproduced with a Lego ACME client library version through 4.25.1 configured against a CA that does not enforce HTTPS. This can be done by supplying an HTTP URL for the CA directory, or by using a CA whose directory misconfigures its endpoints as HTTP. Once the client is set up, perform any ACME operation that communicates with the CA, such as creating an account or ordering a certificate; the request is sent over plaintext HTTP. The test must be placed inside the source directory of the 'github.com/go-acme/lego/v4/acme/api' package to run.
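The two ways the advisory describes for plaintext traffic to arise (an http:// directory URL supplied by the operator, or an https:// directory whose body advertises http:// endpoints) are both caught by checking every URL before it is used. The following is an added example written for this page, not Lego's own code or its fix; it is a standalone Go program that validates a configured directory URL and a fetched RFC 8555 directory object, and the directory bodies and hosts (ca.example) are constructed samples. The check goes a step beyond the advisory by covering the advertised endpoints as well as the configured URL, since the directory body is where a misconfigured CA would steer later requests onto HTTP.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// requireHTTPS returns nil only if raw is an absolute URL whose scheme is https
// and which names a host. http://, relative paths and empty strings are all
// rejected before any request is sent.
func requireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid URL %q: %w", raw, err)
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return fmt.Errorf("%q must use https, got scheme %q", raw, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("%q has no host", raw)
	}
	return nil
}

// Directory holds the endpoint URLs an ACME server advertises in its
// directory object (RFC 8555, section 7.1.1). newAuthz is optional.
type Directory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
	NewAuthz   string `json:"newAuthz"`
	RevokeCert string `json:"revokeCert"`
	KeyChange  string `json:"keyChange"`
}

// ValidateDirectory checks the directory URL the client was configured with
// and every endpoint the fetched directory body advertises. The body matters
// because a CA that misconfigures its endpoints to http would otherwise steer
// newAccount, newOrder and similar requests onto plaintext even when the
// directory itself was fetched over HTTPS. The first violation is returned.
func ValidateDirectory(directoryURL string, body []byte) error {
	if err := requireHTTPS(directoryURL); err != nil {
		return fmt.Errorf("directory: %w", err)
	}
	var d Directory
	if err := json.Unmarshal(body, &d); err != nil {
		return fmt.Errorf("parse directory: %w", err)
	}
	// Fixed order so the reported error is deterministic.
	endpoints := []struct {
		name     string
		addr     string
		optional bool
	}{
		{"newNonce", d.NewNonce, false},
		{"newAccount", d.NewAccount, false},
		{"newOrder", d.NewOrder, false},
		{"newAuthz", d.NewAuthz, true},
		{"revokeCert", d.RevokeCert, false},
		{"keyChange", d.KeyChange, false},
	}
	for _, ep := range endpoints {
		if ep.addr == "" {
			if ep.optional {
				continue
			}
			return fmt.Errorf("directory is missing required endpoint %s", ep.name)
		}
		if err := requireHTTPS(ep.addr); err != nil {
			return fmt.Errorf("%s: %w", ep.name, err)
		}
	}
	return nil
}

// Constructed sample directory bodies (not responses from any real CA).
const goodDirectory = `{"newNonce":"https://ca.example/acme/new-nonce","newAccount":"https://ca.example/acme/new-acct","newOrder":"https://ca.example/acme/new-order","revokeCert":"https://ca.example/acme/revoke-cert","keyChange":"https://ca.example/acme/key-change"}`

// Same directory, but newOrder has been misconfigured to plain http.
const mixedDirectory = `{"newNonce":"https://ca.example/acme/new-nonce","newAccount":"https://ca.example/acme/new-acct","newOrder":"http://ca.example/acme/new-order","revokeCert":"https://ca.example/acme/revoke-cert","keyChange":"https://ca.example/acme/key-change"}`

func main() {
	cases := []struct{ dirURL, body string }{
		{"https://ca.example/directory", goodDirectory},
		{"https://ca.example/directory", mixedDirectory},
		{"http://ca.example/directory", goodDirectory},
	}
	for _, c := range cases {
		if err := ValidateDirectory(c.dirURL, []byte(c.body)); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("OK:", c.dirURL)
		}
	}
}
```

Run as-is it accepts the first case and rejects the other two; in a real client the same check would sit between fetching the directory and constructing the client, so that a rejected directory is never used for an account or order request.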

Remediation

Users can update to Lego version 4.25.2 or later, where this vulnerability has been fixed.

Added: Aug 7, 2025, 1:20 AM
Updated: Aug 7, 2025, 1:20 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  8.4
  remediation     7.7
  relevance       0.3
  threat          4.8
  urgency         2.9
  incentive       5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.