Does this impact Let’s Encrypt? If so, what are the consequences?
Not sure if this was exploitable in boulder at the time.
It does not impact Let’s Encrypt. @kaepora’s tweet is inaccurate; ACME does not rely on JWE at all. Let’s Encrypt’s ACME server implementation, Boulder, uses Square’s go-jose library but again, not JWE, just JWS.
We are not aware of any impact on Let’s Encrypt from this vulnerability.
The tweet is indeed inaccurate, but AIUI the multi-signature exploit affects JWS as well, though I’m not sure if boulder was using it in a way that made it vulnerable.
Even assuming boulder was vulnerable, a successful attack would still require a MitM position between the client and the CA (… which is often enough to pass DV challenges anyway, depending on the challenge type) as well as a publicly-trusted TLS certificate for the CA server (… which means the attacker already compromised a CA anyway), so there would most likely be no practical way to exploit this.
@pfg As far as I understand the weakness, a MitM is not necessary; it only requires the ability of the attacker to generate requests. And the effect is the compromise of the private key. Am I missing something? (That said, I’m not saying Let’s Encrypt was vulnerable!)
@cpu thanks for the quick answer!
I think the vulnerability you’re describing affects JWE (which boulder doesn’t use), but not JWS. The one that affects JWS is the multi-signature exploit, but that one “merely” allows a signature check bypass.
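As an added illustration of the JWS multi-signature point above (this is example code written for this thread, not Boulder’s or go-jose’s code, and it does not claim to reproduce go-jose’s exact bug), the Go program below builds a constructed JWS in General JSON Serialization with two signature entries: one valid HS256 MAC under a constructed demo key, and one bogus entry. A lenient verifier that accepts the payload as soon as any one entry verifies treats the document as validly signed; a strict verifier that demands exactly the number of signatures the application expects, and that each of them verifies under the expected key, rejects it. The key, payload, and `kid` values are all constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// jwsSignature is one entry of a JWS General JSON Serialization (RFC 7515 section 7.2.1).
type jwsSignature struct {
	Protected string `json:"protected"` // base64url(JSON protected header)
	Signature string `json:"signature"` // base64url(MAC or signature bytes)
}

// jwsGeneral is a JWS object that may carry several signature entries.
type jwsGeneral struct {
	Payload    string         `json:"payload"`
	Signatures []jwsSignature `json:"signatures"`
}

var b64 = base64.RawURLEncoding

// hs256 computes HMAC-SHA256 over the JWS signing input "protected.payload".
func hs256(key []byte, protected, payload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(protected + "." + payload))
	return mac.Sum(nil)
}

// signatureValid checks a single entry against key, pinning alg to HS256 and
// comparing in constant time.
func signatureValid(sig jwsSignature, key []byte, payload string) bool {
	var hdr struct {
		Alg string `json:"alg"`
	}
	raw, err := b64.DecodeString(sig.Protected)
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return false // unexpected or missing alg: never trust the header's choice
	}
	got, err := b64.DecodeString(sig.Signature)
	if err != nil {
		return false
	}
	return hmac.Equal(got, hs256(key, sig.Protected, payload))
}

// VerifyAny models lenient "any entry verifies" semantics (constructed
// illustration): the payload is returned as soon as one entry checks out and
// the remaining entries are never examined.
func VerifyAny(doc, key []byte) ([]byte, error) {
	var jws jwsGeneral
	if err := json.Unmarshal(doc, &jws); err != nil {
		return nil, err
	}
	for _, sig := range jws.Signatures {
		if signatureValid(sig, key, jws.Payload) {
			return b64.DecodeString(jws.Payload)
		}
	}
	return nil, errors.New("no signature verified")
}

// VerifyStrict requires exactly one signature entry (the number this application
// expects) and requires it to verify; extra or unverifiable entries are an error.
func VerifyStrict(doc, key []byte) ([]byte, error) {
	var jws jwsGeneral
	if err := json.Unmarshal(doc, &jws); err != nil {
		return nil, err
	}
	if n := len(jws.Signatures); n != 1 {
		return nil, fmt.Errorf("expected exactly 1 signature entry, got %d", n)
	}
	if !signatureValid(jws.Signatures[0], key, jws.Payload) {
		return nil, errors.New("signature did not verify")
	}
	return b64.DecodeString(jws.Payload)
}

// Sign produces a well-formed single-signature HS256 JWS (helper for the demo).
func Sign(key, payload []byte) jwsGeneral {
	protected := b64.EncodeToString([]byte(`{"alg":"HS256"}`))
	p := b64.EncodeToString(payload)
	return jwsGeneral{Payload: p, Signatures: []jwsSignature{{
		Protected: protected, Signature: b64.EncodeToString(hs256(key, protected, p)),
	}}}
}

// BuildDemo returns a constructed two-entry JWS: a valid signature under key
// followed by a bogus entry with a made-up kid and garbage signature bytes.
func BuildDemo(key []byte) []byte {
	jws := Sign(key, []byte(`{"sub":"demo-account"}`))
	jws.Signatures = append(jws.Signatures, jwsSignature{
		Protected: b64.EncodeToString([]byte(`{"alg":"HS256","kid":"constructed-other"}`)),
		Signature: b64.EncodeToString([]byte("not-a-real-mac")),
	})
	out, _ := json.Marshal(jws)
	return out
}

func main() {
	key := []byte("constructed-demo-key") // constructed, not a real secret
	doc := BuildDemo(key)
	if p, err := VerifyAny(doc, key); err == nil {
		fmt.Printf("lenient verifier accepted: %s\n", p)
	}
	if _, err := VerifyStrict(doc, key); err != nil {
		fmt.Println("strict verifier rejected:", err)
	}
}
```

The design point is that "some entry verified" is weaker evidence than "the document is exactly what we expect and it verifies"; when a verifier also surfaces header fields such as `kid` from whichever entry happened to verify, a caller can be misled about who signed, so counting entries and pinning `alg` before any cryptographic check is the cheap defence.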
The tweet in question has already been removed.
Although the tweet was correct about the vulnerability (nobody will deny that), the fact that it mentioned ACME/Let’s Encrypt so blatantly warranted the removal (by the original poster, I assume) IMO.