20 June 2023

Low-budget Chinese CA caught abusing acme.sh zero-day


A low-budget Chinese certificate authority (CA), HiCA, also known as QuantumCA, has been abusing a remote code execution flaw in the acme.sh ACME client as part of its certificate issuance process.

Acme.sh is a script written purely in Bash that automatically generates and issues SSL certificates. By default, acme.sh eases the generation and renewal of Let's Encrypt SSL certificates, but it also supports other free SSL certificate providers.

According to software developer Matt Holt, who discovered the issue, HiCA's documentation states that it only supports acme.sh as a client.

While obtaining a certificate using ACMEz, Holt discovered that HiCA's ACME directory endpoint was blocked unless the User-Agent header was set to a string starting with Mozilla or acme.sh/2.8.2.

“Once I faked the UA in my own client and got that working, issuance still failed. Curiously, the error message involved trying a URL of ../pki-validation,” Holt wrote in a post on GitHub.

As per the tech blog Hackaday, HiCA was working as a CA-in-the-middle, wrapping other CAs' validation services. Those services don't support ACME validation at all, so HiCA used the acme.sh vulnerability to place the validation token where SSL.com expected to find it.

The abused bug, which has yet to receive a CVE ID, is an OS command injection issue that allows a remote attacker to execute arbitrary shell commands on the target system. The vulnerability exists due to improper input validation when parsing certificates: a remote attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system. The flaw affects acme.sh versions 1.2.2 through 3.0.5.
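The root cause is an ACME client trusting what the CA sends back. As an added illustration (not code from acme.sh or from Holt's write-up), the snippet below shows the validation an HTTP-01 client should apply to CA-supplied challenge data before touching the filesystem: the token alphabet rule comes from RFC 8555 section 8.3, the path confinement rejects values such as the `../pki-validation` string Holt observed, and the webroot path used in the comments is an assumed example.

```python
import re
from pathlib import Path

# RFC 8555 section 8.3: an HTTP-01 token contains only base64url characters
# (no padding) and carries at least 128 bits of entropy, i.e. 22+ characters.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


class UntrustedChallengeData(ValueError):
    """Raised when data received from the CA fails validation."""


def validate_token(token: str) -> str:
    """Accept a token only if it is a plain base64url string.

    Anything else (shell metacharacters, '/', '..', quotes) is rejected
    before it can reach a shell command or a file path.
    """
    if not _TOKEN_RE.fullmatch(token):
        raise UntrustedChallengeData(f"token is not base64url: {token!r}")
    return token


def challenge_path(webroot: str, token: str) -> Path:
    """Return the response file path for a token, confined to the webroot.

    Example: webroot "/srv/www" (assumed) and a valid token yield
    /srv/www/.well-known/acme-challenge/<token>.
    """
    root = Path(webroot).resolve()
    target = (root / ".well-known" / "acme-challenge" / validate_token(token)).resolve()
    # Defence in depth: even if the regex were loosened, never write outside root.
    if root not in target.parents:
        raise UntrustedChallengeData(f"challenge path escapes webroot: {target}")
    return target


def write_challenge(webroot: str, token: str, key_authorization: str) -> Path:
    """Write the key authorization for a validated token and return the path."""
    path = challenge_path(webroot, token)
    path.parent.mkdir(parents=True, exist_ok=True)
    # Plain file write: the CA-controlled values never pass through a shell.
    path.write_text(key_authorization)
    return path
```

The same rule applies to every other field in a CA response (challenge URLs, order URLs, error messages): treat them as untrusted input and never interpolate them into a shell command.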

“Once found, it sends the signed certificates to HiCA, who then forwards them on to the end user. And that’s the problem. HiCA has access to the key of every SSL cert they handled. This doesn’t allow encryption, but these keys could be used to impersonate or even launch MitM attacks against those domains,” Hackaday explains, noting that there’s no evidence that the company was capturing those keys.

As for HiCA, a somewhat cryptic notice on the company’s website states that it has stopped operations as of June 6, 2023 “due to security incidents.”

“Due to security incidents, HiCA stopped all business since June 6th, 2023. All issued certificates shall consider switch to other CAs service. Deeply sorry to all subscribers. And one word to gzchenjz, please stop from all DDoS behaviors. All evidence gets solid and we shall take lawsuit if you don't stop it,” the message reads.
