CVE-2023-38198: 
NixOS vulnerability analysis and mitigation

CVE-2023-38198 is a critical vulnerability discovered in acme.sh versions before 3.0.6, where the software runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023. This vulnerability affects the ACME client software used for automated certificate management (NVD, OSS Security).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The core issue stems from the use of eval to execute commands received from remote servers during the certificate obtaining process, which allows for arbitrary code execution. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code - 'Code Injection') (NVD).

The vulnerability allows attackers to execute arbitrary commands on client machines running acme.sh, potentially leading to complete system compromise. This could result in unauthorized access to private keys, system information, and other sensitive data. The impact is particularly severe as the software is commonly used for managing SSL/TLS certificates (GitHub Issue).

The vulnerability has been patched in acme.sh version 3.0.6. Users are strongly advised to upgrade to this version or later immediately. No alternative workarounds are available, making the upgrade the only effective mitigation strategy (GitHub Release).

The discovery sparked significant discussion in the security community, particularly regarding the practice of CA resellers exploiting vulnerabilities in ACME clients. The incident led to SSL.com discontinuing their relationship with the involved parties and revoking associated certificates. The community expressed strong concerns about the security implications and the potential abuse of trust in the certificate issuance process (HN Discussion, Mozilla Dev).