Today we are releasing 0.73.2 to fix a security incident. We’ve discovered that 9 months ago, with the release of Home Assistant 0.56, we misconfigured the SSL context that aiohttp used (PR). By trying to do the right thing (use an up to date cert store instead of relying on the system certs), we ended up doing the complete opposite: SSL verification was disabled for outgoing requests made using the shared aiohttp session. This is our fault, and not aiohttp’s fault. The impact of this is that certain integrations in Home Assistant have been susceptible to man in the middle attacks.
A man in the middle attack is when an attacker is able to insert itself between you and the server you’re communicating with, allowing it to read and alter the communication. The odds of this happening at home are very low, yet we wanted to be transparent about this incident.
After investigation, we found that the following integrations were impacted. Although the odds are extremely small, we still suggest that if you use any of these integrations, you create new API keys or change your password.
Also impacted, but integrations are read only:
For complete transparency, the following two sets of integrations also used aiohttp to send or retrieve data. However, they either did not transmit authentication or only communicated with local devices and services.
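The announcement above describes a context that was meant to verify against an up-to-date certificate bundle but ended up verifying nothing. The example below is added here and is not Home Assistant's or aiohttp's code; it shows one common way that mistake happens in Python (building a bare `ssl.SSLContext`, whose defaults are `verify_mode = CERT_NONE` and `check_hostname = False`, and then only loading a CA file into it) next to the corrected form, plus a small check a project can run against its own context before handing it to aiohttp. Whether the original PR made exactly this mistake is an assumption; the `cafile` argument is an optional path to a bundle such as certifi's and defaults to the system store so the block runs offline.

```python
import ssl


def accidentally_insecure_context(cafile=None):
    """Context built the way that silently disables verification (illustrative).

    A bare SSLContext starts with verify_mode=CERT_NONE and check_hostname=False.
    Loading a CA bundle into it does NOT turn verification on, so every
    connection made through it accepts any certificate, including a forged one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)  # deprecated alias, kept for illustration
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # assumed path to a CA bundle
    else:
        ctx.load_default_certs()
    return ctx


def verifying_context(cafile=None):
    """Corrected form: create_default_context() enables peer verification and
    hostname checking, and still lets you point it at your own CA bundle."""
    # cafile=None falls back to the system trust store.
    return ssl.create_default_context(cafile=cafile)


def verifies_peer(ctx):
    """Audit check: True only if the context both requires a trusted chain
    and matches the certificate against the hostname being connected to."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit(contexts):
    """Return the names of contexts that would accept a forged certificate."""
    return [name for name, ctx in contexts.items() if not verifies_peer(ctx)]


if __name__ == "__main__":
    # Either context would be handed to aiohttp as
    #   aiohttp.TCPConnector(ssl=ctx)
    # for the shared ClientSession; only one of them actually checks the server.
    found = audit({
        "bare_context_with_bundle": accidentally_insecure_context(),
        "create_default_context": verifying_context(),
    })
    print("contexts that do not verify peers:", found)
```

Running the audit over both contexts reports only the bare one, which is the kind of one-line check that would have caught this regression in a unit test at release time.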
Just upgraded from 0.73.1 to 0.73.2 and am now getting the following error message:
pi@ha:~ $ sudo service home-assistant status
● home-assistant.service - Home Assistant
Loaded: loaded (/etc/systemd/system/home-assistant.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2018-07-16 16:52:07 EDT; 233ms ago
Process: 1219 ExecStart=/srv/homeassistant/bin/hass -c /home/homeassistant/.homeassistant (code=exited, status=1/FAILURE)
Main PID: 1219 (code=exited, status=1/FAILURE)
Jul 16 16:52:07 ha hass[1219]: File "/srv/homeassistant/lib/python3.5/site-packages/homeassistant/__main__.py", line 352, in main
Jul 16 16:52:07 ha hass[1219]: args = get_arguments()
Jul 16 16:52:07 ha hass[1219]: File "/srv/homeassistant/lib/python3.5/site-packages/homeassistant/__main__.py", line 85, in get_arguments
Jul 16 16:52:07 ha hass[1219]: import homeassistant.config as config_util
Jul 16 16:52:07 ha hass[1219]: File "/srv/homeassistant/lib/python3.5/site-packages/homeassistant/config.py", line 162, in <module>
Jul 16 16:52:07 ha hass[1219]: vol.All(cv.ensure_list, [auth.AUTH_PROVIDER_SCHEMA])
Jul 16 16:52:07 ha hass[1219]: AttributeError: module 'homeassistant.auth' has no attribute 'AUTH_PROVIDER_SCHEMA'
Jul 16 16:52:07 ha systemd[1]: home-assistant.service: Main process exited, code=exited, status=1/FAILURE
Jul 16 16:52:07 ha systemd[1]: home-assistant.service: Unit entered failed state.
Jul 16 16:52:07 ha systemd[1]: home-assistant.service: Failed with result 'exit-code'.
So, what is potentially the scope of a mitm in this context? Could an attacker have access to the impacted service even when the machine running Hass is not exposed to the internet? Just to this service, or to more?
EDIT: It was a stupid question. It has now appeared. I read elsewhere that there is a delay before hassio gets packaged once a new release comes out.
This feels like a stupid question…
I’m running hassio on HassOS.
Should I have a notification of there being a new version?
On ResinOS I had a sensor badge appear on my home page and an indication on the hassio system page with an upgrade button.
Stupid question but just want a little clarity. The integrations under “Local, so cannot be impacted”, we don’t need to change anything for those integrations then, correct?
It’s a pity you can’t simply generate new API keys for OpenALPR cloud. I asked them about it and the only way to get new ones is to (delete your old and) create a new account.
I have a question as well regarding the cloud-component: should we change our password for the Home Assistant Cloud, if yes, how?
You don’t have to change your password for Home Assistant Cloud. Your username and password were never transmitted via unverified SSL connections. Only short-lived access tokens.