Disclosure: Supervisor security vulnerability

Read the full release announcement here
Thanks Paulus for the update and the push notification in HA :slight_smile:

I am wondering, was the vulnerability via HTTP access? My device (RPi) running HA is only accessible on the HTTP port.

If I understand this correctly, anyone using simple techniques to allow remote access to their instance (e.g. port forwarding through their router, DuckDNS) would have been vulnerable to this up till 1st March. Is that correct?

If so, what actions should people take to verify their system hasn’t been compromised?

Kudos to HA for announcing this prominently as an alert in HA!

Check for any suspicious addons

Edit: here’s a list of the current endpoints for the API. Not sure what changes it has undergone since 2017.

Endpoints | Home Assistant Developer Docs (home-assistant.io)

Good thing I’m being paranoid and only vpn to my instance. :scream_cat:

Anyway should I “ignore” this action when it’s already been addressed?
I feel like some other button label would be more appropriate - like “confirm”, “dismiss” or just plain “ok”.

So I’m affected by this. How do I resolve this?
I’m using Nabu Casa.

Thanks for the warning.
At the moment I am in the testing phase and I doubt that someone has had time to attack me, since my home assistant installation is not more than 2 months old and is usually always updated.

No, it was fixed with version 2023.03.1

And this is exactly why I will never ever expose my HA instance to the public internet. And this is exactly why people want to secure their HA instance with an independent HTTP Basic Auth… So make this happen I guess.

Thanks for disclosing, still.

I can’t say for 100% that I was affected, but I do use Duck DNS and WireGuard and I did have some strange behavior: Lutron lights coming on when they shouldn’t, the HA web interface not loading. Again, I can’t say this security issue was the cause.

My Firewalla Purple SE has been telling me it’s blocked Heartbleed attacks on my Home Assistant (which has DuckDNS access) on multiple occasions. Could this be related to this security issue?

No. Heartbleed was a generic OpenSSL issue, read more about that here: https://en.wikipedia.org/wiki/Heartbleed.

Are instances behind a firewall (no port forwarding), connected via the Nabu Casa cloud, also vulnerable?

Was the system also vulnerable if you use the NGINX add-on?

Yes, those were also vulnerable and not excluded in the announcement either. Home Assistant Cloud is end-to-end encrypted, and thus they can’t intercept or filter the contents of the communication that goes through it.

Yes, as this still exposed your Home Assistant instance.

@frenck, is there a way we can check for a specific instance whether this vulnerability has been used/abused? Maybe through logging of some sort? Can we look out for something specific?

This isn’t quite clear to me.

Followed by

(To the network security uneducated, ahem, me) they feel like contradictory statements.

I’m not trying to be difficult, I genuinely still don’t know if only exposing HA via Nabu Casa left me vulnerable.

I have no reason to believe that I have been affected, I’m just curious.

Unfortunately, there is no way to conclude that.

I have had lights etc. coming on/off when they shouldn’t too, and sometimes would think, “did somebody hack my system???” But in the end it has always just been my own poorly coded automations. :wink:
