Disclosure: Supervisor security vulnerability

No, it was fixed with version 2023.03.1


And this is exactly why I will never ever expose my HA instance to the public internet. And this is exactly why people want to secure their HA instance with an independent HTTP Basic Auth… So make this happen I guess.

Thanks for disclosing, still.


I can’t say for 100% that I was affected, but I do use Duck DNS and WireGuard and I did have some strange behavior: Lutron lights coming on when they shouldn’t, the HA web interface not loading. Again, I can’t say this security issue was the cause.

My Firewalla Purple SE has been telling me it’s blocked Heartbleed attacks on my Home Assistant on multiple occasions (that has Duck DNS access). Could this be related to this security issue?

No. Heartbleed was a generic OpenSSL issue, read more about that here: https://en.wikipedia.org/wiki/Heartbleed.


Are instances behind a firewall (no port forwarding), connected via the Nabu Casa cloud, also vulnerable?

Was the system also vulnerable if you use the nginx addon?

Yes, those were also vulnerable and not excluded in the announcement either. Home Assistant Cloud is end-to-end encrypted, and thus they can’t intercept or filter the contents of the communication that goes through it.


Yes, as this still exposed your Home Assistant instance.


@frenck, is there a way we can check for a specific instance if this vulnerability has been used/abused? Maybe through logging of some sort? Can we look out for something specific?

This isn’t quite clear to me.

Followed by

(To the network security uneducated, ahem, me) they feel like contradictory statements.

I’m not trying to be difficult, I genuinely still don’t know if only exposing HA via Nabu Casa left me vulnerable?

I have no reason to believe that I have been affected, I’m just curious.

Unfortunately, there is no way to conclude that.


I have had lights etc coming on/off when they shouldn’t too, and sometimes would think, “did somebody hack my system???” But in the end it has always just been my own poorly coded automations. :wink:


I have to ask / confirm,

“A fix for this security issue has been rolled out to all affected Home Assistant users via the Supervisor auto-update system and this issue is no longer present.”

Home Assistant can automatically be updated remotely by the team?? It seems I already have the patch but don’t remember updating Supervisor within the last month. I thought all updates are user opt-in? Thanks to the team’s quick action on this exploit, but I’m not overly keen to have a system that automatically updates without the owner’s knowledge.


You can verify that you received the update on the Home Assistant About page and verify that you are running Supervisor 2023.03.1 or later. If you do not see a Supervisor version on your About page, you do not use one of the affected installation types and have not been vulnerable.

The issue has also been mitigated in Home Assistant 2023.3.0. This version was released on March 1 and has since been installed by 33% of our users.

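As an added illustration of the check described in the answer above (this is not Home Assistant's own code), the function below classifies an install from the version numbers the thread gives: Supervisor 2023.03.1 or later is patched, a missing Supervisor version means the install type was never affected, and Core 2023.3.0 or later carries the mitigation. It assumes the input is the JSON envelope (`{"result": ..., "data": {...}}`) that `ha supervisor info --raw-json` and `ha core info --raw-json` print; the sample documents are constructed.

```python
"""Classify a Home Assistant install against the fixed versions named in
the thread.  Added example; the JSON envelope shape is an assumption about
the `ha ... info --raw-json` output and the samples below are constructed."""
import itertools
import json
from typing import Optional, Tuple

FIXED_SUPERVISOR: Tuple[int, ...] = (2023, 3, 1)  # Supervisor 2023.03.1
MITIGATED_CORE: Tuple[int, ...] = (2023, 3, 0)    # Home Assistant 2023.3.0


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a calendar version ('2023.03.1', '2023.3.0b3') into a comparable
    tuple.  Leading zeros are ignored and any pre-release suffix is dropped
    from the last component, so '2023.03.1' == '2023.3.1'."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _version_from(raw_json: str) -> str:
    """Pull data.version out of the {"result": ..., "data": {...}} envelope."""
    doc = json.loads(raw_json)
    if doc.get("result") != "ok":
        raise ValueError("CLI reported an error: %r" % doc)
    return doc["data"]["version"]


def classify(supervisor_json: Optional[str], core_json: Optional[str]) -> str:
    """Return one of: 'not_affected' (no Supervisor, e.g. Container/Core
    install), 'patched' (Supervisor carries the fix), 'mitigated_by_core'
    (old Supervisor but Core has the mitigation) or 'update_needed'."""
    if supervisor_json is None:
        return "not_affected"
    if parse_version(_version_from(supervisor_json)) >= FIXED_SUPERVISOR:
        return "patched"
    if core_json is not None:
        if parse_version(_version_from(core_json)) >= MITIGATED_CORE:
            return "mitigated_by_core"
    return "update_needed"


# Constructed sample CLI output, trimmed to the fields this check reads.
SAMPLE_SUPERVISOR = '{"result": "ok", "data": {"version": "2023.03.1"}}'
SAMPLE_OLD_SUPERVISOR = '{"result": "ok", "data": {"version": "2023.01.1"}}'
SAMPLE_CORE = '{"result": "ok", "data": {"version": "2023.3.0"}}'
SAMPLE_OLD_CORE = '{"result": "ok", "data": {"version": "2023.2.5"}}'

if __name__ == "__main__":
    print(classify(SAMPLE_SUPERVISOR, SAMPLE_CORE))  # patched
```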

It was clearly answered to you in the first words. What is not clear about that? :man_shrugging:

It means that all communication is 1-to-1, as it is end-to-end encrypted. Nothing is done with the communication from the internet to your instance, as it is end-to-end encrypted, meaning nothing can be seen, read, filtered, or modified along the way.

If you run Home Assistant OS or Home Assistant Supervised, you have been affected by the vulnerability disclosed in this announcement.

…/Frenck


The Supervisor is set to update itself automatically unless turned off.


Ah, I did not know this. Where is this setting?

Have a look at this post, it’s done via the CLI. But note the couple of caveats with disabling it listed in the same post.

Feature request: block supervisor auto-updates - Feature Requests - Home Assistant Community (home-assistant.io)


Question about the event itself in HA. I have a dashboard for software updates and events. Is there an entity for this “Security Disclosure”, so that I can have a conditional card to show it when the next event occurs?