Disclosure: Supervisor security vulnerability

Should I raise the issue in the Core or Supervisor repository?

Core I think might be best now.

1 Like

I understand that you have to deal with so many user interactions so you cannot write a novel every time, and with synthesis comes misinterpretation; let’s be friends :slight_smile:

Ok, thanks to @gubiq that opened up the Pandora vase to me. I wasn’t aware of the certificate listings.
In fact the service I’m managing for my customers uses wildcards because I’m not offering E2E encryption; now I perfectly understand what you mean.

So, thank you very much for the explanation, I think it’s very important to know exactly how all that stuff works to make an informed decision. Understanding is power :slight_smile:
I’ll spread in the Italian community what I’ve learned here.

PS: I’ll remain a paying customer of Nabu Casa as I’m happy to give my small contribution to keep the project alive and growing. And to let you manage security vulnerabilities in a serious way like you’re doing. Good work.

3 Likes

I updated to the most recent HassOS. 2FA is enabled for only 2 of 3 users.

If some attacker were to exploit this vulnerability, would they still be able to access my Home Assistant after updating to the most recent update?

Yes, I do this and have done from the very beginning of using NC. I am not paranoid by nature but I like to take precautions where I can because I know very well that a little knowledge is a very dangerous thing and in the realms of cyber security I do only have a little knowledge.

Anyway, toggling the NC Remote UI on and off works well for me and at least it means I was safe for maybe 60% of the time.

Yeah I know, that wasn’t really meant to be taken seriously.

well, I do :wink:

and now that I see this, I realize I am not 100% certain what that means… I mean, I am logged into my account, but the cloud remote is off.

But the top panel says ‘Cloud-connection-status: connected’ (Cloudverbindingsstatus: Verbonden).
Why am I still connected if my remote connection is turned off…
shouldn’t the account login be toggled too?

or is that just an incorrect wording for being an active subscriber…

You’re connected so that things like Google Assistant/Alexa work… you can use those without the remote UI.

ok thanks, so, if I want complete cloud cutoff, I also toggle these:

and then the top toggle in the NabuCasa panel would also turn off?

Is the current security breach also impacted by those services (or vice versa), and, what is the instruction to do with those services?

Well, if you want to have complete cutoff you’d want to log out.

I can’t answer that, but do what you want :wink: I’m keeping mine active as doing it manually is a faff and I’m lazy.

Sure, we’re all lazy :wink:
what I am asking though is if we are impacted in that area too, and what the directives are by the NC security team.

1 Like

I hope you are also fixing the system so that the Supervisor is not exposed over protected instances using the PAID Nabu Casa service, irrespective of whether it is vulnerable anymore or not. This is not advertised as being exposed.

2 Likes

Frenck is using standard terminology as it relates to security. You can do your own search to confirm this or look at this page from a tech giant.

4 Likes

You’re an admin and lazy with security? Wow :open_mouth:

Way to go on taking something out of context…

3 Likes

sure, keep up the lingo/shop talk and wonder why you lose simple end-users.

in matters like these, the ‘learned’ should descend from their towers of knowledge, and talk to us simple minds in simple words. I know it’s hard to imagine folks not understanding ‘standard terminology’ you might live and breathe.

simply referring to a tech giant’s website is hardly acceptable service for a Home Assistant provider talking to its customers.

So I am glad NC did not do that.

Second to that, it would have been way underestimating the issue at hand, because we still don’t know which credentials we are required to ‘rotate’…

7 Likes

My understanding (based on what’s been said above) would be everything HA had access to. If it would have been in a backup, it’s potentially at risk. That would include any MFA secrets too (such as if you were doing TOTP MFA in HA).

uhm, that would be even worse than I feared…

so to be safe we should in fact delete our backups too?

this would btw also be a good reminder not to use the secrets.yaml file for anything not strictly essential for one’s HA instance… I confess having stored various snippets of stuff just to keep at hand, but now realize these need to be cleansed as well.

Would it be feasible for HA to create some listing in the supervisor of credentials overall (at least the add-ons), and guide us through changing these 1 by 1?

maybe in repairs:
we noted 6 sets of locally stored credentials are possibly breached, you should renew 1,2,3,4,5,6 etc etc

probably some of the more important ones would be the HA account logging in to the router for cam access etc, and one’s NAS

1 Like
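The listing asked for above does not exist in the Supervisor, but the raw material for it is already on disk. The script below is an added example (not Home Assistant or Nabu Casa code) that builds a rotation checklist from a config directory: it reads the keys in `secrets.yaml`, finds every `!secret name` reference in the other YAML files, and splits the result into secrets that are referenced (rotate at the source, then update the file), secrets that are stored but never referenced (the "snippets kept at hand" case, candidates for removal), and references with no definition. It assumes the standard layout of a `secrets.yaml` with simple `key: value` lines; the sample files are constructed inline.

```python
"""Rotation checklist for secrets.yaml (added example, not Home Assistant code).

Assumes a Home Assistant style config directory: a secrets.yaml with
`key: value` lines, and other *.yaml files referencing them as `!secret key`.
"""
import re
import tempfile
from pathlib import Path

# `key: value` at the top level of secrets.yaml (comments and blanks skipped below)
SECRET_DEF = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(.*)$")
# any `!secret key` tag anywhere in a YAML line
SECRET_REF = re.compile(r"!secret\s+([A-Za-z0-9_]+)")


def load_secret_names(secrets_file: Path) -> set:
    """Return the set of secret keys defined in secrets.yaml (values are never kept)."""
    names = set()
    for line in secrets_file.read_text().splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = SECRET_DEF.match(stripped)
        if match:
            names.add(match.group(1))
    return names


def find_secret_refs(config_dir: Path) -> dict:
    """Map each referenced secret key to the file:line positions that use it."""
    refs = {}
    for path in sorted(config_dir.rglob("*.yaml")):
        if path.name == "secrets.yaml":
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            for match in SECRET_REF.finditer(line):
                where = f"{path.relative_to(config_dir)}:{lineno}"
                refs.setdefault(match.group(1), []).append(where)
    return refs


def rotation_checklist(config_dir: Path) -> dict:
    """Split defined/referenced secrets into the three actions a user needs."""
    defined = load_secret_names(config_dir / "secrets.yaml")
    refs = find_secret_refs(config_dir)
    referenced = set(refs)
    return {
        # referenced secrets: rotate at the remote service, then update secrets.yaml
        "rotate": {name: refs[name] for name in sorted(defined & referenced)},
        # stored but never used: nothing to update, just delete the line
        "unused": sorted(defined - referenced),
        # referenced but missing from secrets.yaml: a config error worth fixing
        "undefined": sorted(referenced - defined),
    }


def demo() -> dict:
    """Build a constructed sample config directory and return its checklist."""
    root = Path(tempfile.mkdtemp())
    (root / "secrets.yaml").write_text("\n".join([
        "# constructed sample secrets file",
        "wifi_password: hunter2",
        "router_password: changeme",
        "nas_token: abc123",
        "old_note: just a snippet I kept here",
    ]) + "\n")
    (root / "configuration.yaml").write_text("\n".join([
        "homeassistant:",
        "  name: Home",
        "http:",
        "  base_url: !secret base_url",
        "camera:",
        "  - platform: generic",
        "    username: admin",
        "    password: !secret router_password",
        "nas:",
        "  token: !secret nas_token",
    ]) + "\n")
    return rotation_checklist(root)


if __name__ == "__main__":
    for section, entries in demo().items():
        print(section, entries)
```

Run it against a real config directory by calling `rotation_checklist(Path("/config"))`; the output names the secret keys and the lines that use them but never prints the secret values themselves, so the checklist can be shared with someone helping you rotate credentials. Integrations configured through the UI keep their credentials in `.storage`, not in `secrets.yaml`, so this covers only the YAML side, which is exactly the gap the thread is pointing at.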

IMO one challenge there will be all the UI integrations that can only be changed by removing the integration and setting it up again. I see a lot of people not changing credentials because of the level of pain there.

5 Likes

yes, I can see that. Seems a serious downside to the UI config of those.

It would be a good start though to list them. so we are aware at least.

2 Likes

First of all, everything Home Assistant has authorized access to may be compromised. So good to go to change it. @frenck mentioned it is good to do it regularly. But for most integrations I only had the option to remove it and add it again. Wonder if this is normal when changing regularly is considered as “daily doing”. Or have I missed something?

Some say it is problematic that Home Assistant has also LAN access (if not in its own VLAN). Well, I think don’t make it too dramatic. I think most of us have several generic WiFi devices in their normal daily driver LAN. Do you check the firmware, inspect the hardware/circuit boards or restrict the internet access? Otherwise this could be malicious too just by manufacturer. This is for every device. Saying that, that’s no reason to make your LAN public. It is best to use the authentication mechanism of each device to protect them. You never should trust your own LAN (at least normal consumers).

In my opinion there should be an integrity check and info on which kind of backups or persisted volumes could be compromised. Would be good to know if there may be malicious code injected or RCE would have been possible by the exploit. Just missing this information and I am concerned since you could have installed add-ons via the Supervisor API. I mean it is running in a container so either the host like HassOS may be infected or there is some malicious stuff in the volume. Otherwise an ha-core update would pull a new image.

Also for backups. Is there any code backed up or only config? If so maybe you could manually check it and be sure that the config is only from you.
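The integrity check asked for above can be approximated for the persisted config volume with a baseline manifest. The following is an added example (not Home Assistant code, and not a substitute for a vendor-provided check): `snapshot` records a SHA-256 digest for every file under a directory, and `diff_snapshots` reports files added, removed or modified relative to a baseline taken earlier, which is the question the post is asking ("is the config only from me?"). It assumes a plain directory tree; the sample tree and the later changes to it are constructed inline.

```python
"""Baseline-and-diff integrity check for a config directory (added example,
not Home Assistant code). Assumes a plain directory tree; the baseline
manifest should be stored outside that tree, e.g. on the machine you run
the check from, so that whatever modified the volume could not also
modify the manifest.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (relative path) under root to its SHA-256."""
    return {
        str(path.relative_to(root)): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Persist the baseline as JSON, outside the directory it describes."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline: new files are the most interesting."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed sample: take a baseline, then change the tree and diff it."""
    root = Path(tempfile.mkdtemp())
    (root / "configuration.yaml").write_text("homeassistant:\n  name: Home\n")
    (root / "automations.yaml").write_text("[]\n")

    manifest_path = Path(tempfile.mkdtemp()) / "baseline.json"  # kept outside root
    save_manifest(snapshot(root), manifest_path)

    # changes made after the baseline (constructed for the example):
    # one file edited, one new file under a directory that did not exist before
    (root / "automations.yaml").write_text("- alias: added later\n")
    (root / "custom_components").mkdir()
    (root / "custom_components" / "unexpected.py").write_text("# not from the owner\n")

    return diff_snapshots(load_manifest(manifest_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would take the baseline right after a fresh install or a rotation, store the manifest off the instance, and re-run the diff after an incident or before restoring a backup; a modified `configuration.yaml` may be your own edit, but a new file under `custom_components` or `.storage` that you did not create is what deserves a look.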