Disclosure: Supervisor security vulnerability

Do you use iOS? I can’t see any setting in the iOS app to support mTLS.

Currently using WireGuard to access hass etc.

Interesting points by both of you. I think these quotes above are related, so I’ll comment on it together.

To be compromised this way (i.e. not an exposed instance, but you’re pulling data from the internet), one must remember that there is still software processing any request, and that software can be tricked into doing things it wasn’t intended to do. The simplest (known) examples I can think of are e.g. PDF files of an unknown origin, but even image and video files, by exploiting bugs in the code that decodes (reconstructs by processing) the data. Similarly with e.g. trojans that enter by someone opening files in a malicious email.

As for sending Telegram notifications, I’d doubt it, unless one is able to receive messages (with malicious content).

But, to keep it simple: Either an attacker tries to punch a hole through the wall from the outside (cracking a password, making a request to an API with some data and making it crash in a particular way, etc.), or you get something/someone on the inside in a legit way, and then unlock the door from the inside (or punch a hole, to keep with the idiom). I didn’t want people to think just because their HA instance isn’t remotely accessible (e.g. by the companion app) that they’re safe. If your HA accesses internet services, you’re still technically open in some way. So, basically I’m thinking there are 3 categories: Remote access, accessing cloud services and fully local (on an isolated network at home, not at all connected to the internet). Everyone, just note I’m not referring here to this specific vulnerability. This is general commentary.

But it does make me think of something else now, which is how software can e.g. be tricked into downloading uploads not from a trusted source, but from a malicious source (easily doable if you have access to some local DNS services, like editing someone’s hosts file). There have been some Windows vulnerabilities like that. As for HA, there’s really no signing or any form of verification. We all basically trust PyPI (the Python package repository) and GitHub (which is probably fair), but it’s good to understand that even then it is technically possible to put a package on PyPI that is malicious, if one can get access to the account for a package which publishes the package. There have been some hacks like this in recent years via pip (the tool to manage packages on Python).

Sure, I didn’t mean to dismiss such cases. For me, it’s also critical to have remote access, even though dashboards and remote control for me are secondary things. I was just thinking that there are probably people out there running HA not even realising this, given what they’re doing (turning some lights on and such), or that if remote access is simply a nice to have and you’re worried about security, you could consider not exposing it.

2 Likes

Oh yeah, absolutely.

Hi

Where do you find documentation about that?

How could I go about the minimal exposure to run Google voice assistant and nothing else?

Thx

You don’t, it’s not supported/encouraged by the devs.

You could however have a look at this post and add /api/google_assistant to the allowed URLs. You need it to be fully open to set it up, and then you can lock it down.

I worked this out by simply checking the proxy logs to see what was being blocked and then selectively opening things up.

(I’ll see about writing this up on my blog, you’re not the first person to ask).

Well, then I can just keep using the Telegram bot setup that I have now.
The HA app already today supports defining 2 different URLs, one for at-home-use, one for remote use. Having an access rights management system would be awesome, that would allow restricting usage to certain scenarios (read only, switch existing controls, trigger existing automations, …), with these restrictions only being able to be changed via local control, and then to keep using the normal app when not at home, but with e.g. a dedicated reduced dashboard for that.
I’m unfortunately not enough of a developer to actually implement something like it, my experience ends at the concept stage :-/

This is what I thought, if the attacker was in the network, they probably have gotten what they wanted already - changing passwords may or may not help - depending on the kind of backdoor they have left behind…

Which is where the thought of mitigating the issue by shutting my entire network down and giving up on IT came from… at least if bugs like this keep getting discovered

Another head scratcher I read about lately was the complete Secure Boot bypass vulnerability… you just can’t be secure nowadays.

Ohh they will, maybe not “bug like this” but bugs and vulnerabilities

Actually I still don’t know; I haven’t seen a “detailed” description of where/how this “bug” worked. Curious as I am, I would have loved for the devs to describe in more detail “where, what and how”. I mean, they could easily “close the gate” when it was “discovered”, so it should be pretty easy to explain in “plain common English”, instead of avoiding it with “platitudes”.

You never could, even before IoT. e.g. There is a common saying that “locks are for honest people”, nearly all of them are trivial to bypass.

3 Likes

To be fair, it’s not like I have an issue with Home Assistant or their way of handling the issues. Those vulnerabilities have happened and always will. I think they handled it well, though the language used could have been more refined. A technical and non-technical section since this project targets a vast audience of users.

It is a common practice to disclose vulnerabilities after they have been patched and the patched software rolled out for a certain period of time. There’s the window during which ‘everyone’ gets up to date and then the issue goes out for awareness.

Usually, companies pay those people and also form some sort of an NDA contract.

As it was discovered by an ethical hacker, it’s likely it was not exploited at all unless the details somehow made it into the dark net or it was discovered and misused before the report.

Should it have been discovered any other way, that’s when it would be trouble for the majority of people who are port forwarding HASS on their router. It’s so easy to discover those instances. Those who keep their instances behind reverse proxies and wildcard certificates are in a bit more luck…
The scanner scripts would need to know the full domain name of the HASS instance to get through the reverse proxy (if not using a default backend)…
It’s an additional layer of security through obscurity. Does not prevent hackers from finding you, but it requires more effort. How to find the full domain name? Hmm, certificate transparency lists, links on the internet, guesswork like ha.domain.com or hass.domain.com.

Since I found out about this issue I reconfigured my reverse proxy to actually terminate SSL and log every request instead of passing through the TLS tunnel directly to HASS. I also will no longer issue a certificate with a direct host name of the instance and instead wrap it under the wildcard…

1 Like
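The two proxy-log habits described in the posts above (checking what the proxy blocked before opening a path such as /api/google_assistant, and terminating TLS at the proxy so that every request is logged) can be served by one triage script. This is an added example, not code from the thread or from Home Assistant; the log format, the hostname ha.example.org, the use of 403 for blocked paths and all addresses are constructed assumptions.

```python
import re
from collections import Counter

# Assumed nginx log_format (not from the thread):
#   '$remote_addr [$time_local] $host "$request" $status'
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

EXPECTED_HOST = "ha.example.org"               # placeholder instance name
ALLOWED_PREFIXES = ("/api/google_assistant",)  # the path the thread opens up
BLOCK_STATUS = 403                             # assumed answer for blocked paths

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 [14/Mar/2023:09:00:01 +0000] ha.example.org "POST /api/google_assistant HTTP/1.1" 200
203.0.113.7 [14/Mar/2023:09:00:05 +0000] ha.example.org "GET /auth/authorize?client_id=x HTTP/1.1" 403
203.0.113.7 [14/Mar/2023:09:00:06 +0000] ha.example.org "POST /auth/token HTTP/1.1" 403
203.0.113.7 [14/Mar/2023:09:00:09 +0000] ha.example.org "POST /auth/token HTTP/1.1" 403
198.51.100.23 [14/Mar/2023:09:02:11 +0000] 192.0.2.10 "GET / HTTP/1.1" 404
198.51.100.23 [14/Mar/2023:09:02:12 +0000] 192.0.2.10 "GET /favicon.ico HTTP/1.1" 404
198.51.100.99 [14/Mar/2023:09:05:40 +0000] ha.example.org "GET / HTTP/1.1" 403
198.51.100.99 [14/Mar/2023:09:05:41 +0000] ha.example.org "GET /api/google_assistant_x HTTP/1.1" 403
203.0.113.7 [14/Mar/2023:09:07:00 +0000] ha.example.org "GET /api/ HTTP/1.1" 401
truncated line without a request
"""


def parse(log_text):
    """Return (entries, unparsed_lines); the query string is dropped from the path."""
    entries, unparsed = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            unparsed.append(line)  # keep it visible instead of silently skipping
            continue
        entry = match.groupdict()
        entry["path"] = entry.pop("target").split("?", 1)[0]
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries, unparsed


def is_allowed(path, prefixes=ALLOWED_PREFIXES):
    """Match on a path-segment boundary, so /api/google_assistant_x is not allowed."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def blocked_paths(entries, host=EXPECTED_HOST):
    """Blocked (method, path) pairs for the real hostname: what to review before opening."""
    return Counter(
        (e["method"], e["path"])
        for e in entries
        if e["host"] == host and e["status"] == BLOCK_STATUS
    )


def allowlist_leaks(entries, host=EXPECTED_HOST):
    """Requests outside the allowlist that were not blocked, i.e. the rule is too wide."""
    return [
        e for e in entries
        if e["host"] == host and e["status"] != BLOCK_STATUS and not is_allowed(e["path"])
    ]


def unknown_host_clients(entries, host=EXPECTED_HOST):
    """Clients that arrived without the instance's hostname (default-server hits)."""
    return Counter(e["client"] for e in entries if e["host"] != host)


def hostname_known_but_blocked(entries, host=EXPECTED_HOST):
    """Clients that used the real hostname yet never got past the block rule."""
    by_client = {}
    for e in entries:
        if e["host"] == host:
            by_client.setdefault(e["client"], []).append(e["status"])
    return sorted(c for c, codes in by_client.items()
                  if all(code == BLOCK_STATUS for code in codes))


if __name__ == "__main__":
    entries, unparsed = parse(SAMPLE_LOG)
    print("blocked:", dict(blocked_paths(entries)))
    print("not blocked outside allowlist:", [(e["path"], e["status"]) for e in allowlist_leaks(entries)])
    print("no hostname:", dict(unknown_host_clients(entries)))
    print("hostname known, all blocked:", hostname_known_but_blocked(entries))
    print("unparsed lines:", len(unparsed))
```

Clients listed by `hostname_known_but_blocked` learned the full name somewhere (certificate transparency, a link, a guess), which is the case the wildcard certificate is meant to make rarer.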

You could just use a VPN (or VPN service) instead

Lol, there’s a middle ground somewhere between opening all your ports out of laziness, completely oblivious to the danger and going full offgrid in a cabin in the woods :wink:

As Tom said above, things like these are an unfortunate fact of life these days. You have to do a risk assessment for your own personal situation and work from there. Being a random collateral target of a drive-by infection versus being specifically targeted by a foreign nation-state actor, those two extremes will obviously require very different types of protection and risk management. Only you can know where you stand between those two scenarios.

You said you already reassessed your current setup and hardened your security. That’s the best approach you can take in a situation like this, if you ask me.

3 Likes

Is it possible that standard procedure to install a fresh install on a Raspberry Pi 4 has been affected by this patch? I don’t understand why my RPi4 blocks the installation process…

Preparing Home Assistant
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/udev.sh
[02:32:45] INFO: Using udev information from host
cont-init: info: /etc/cont-init.d/udev.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun supervisor (no readiness notification)
services-up: info: copying legacy longrun watchdog (no readiness notification)
s6-rc: info: service legacy-services successfully started
[02:32:46] INFO: Starting local supervisor watchdog...
23-03-14 02:32:52 INFO (MainThread) [__main__] Initializing Supervisor setup
23-03-14 02:32:52 INFO (MainThread) [supervisor.docker.network] Can't find Supervisor network, creating a new network
23-03-14 02:32:52 INFO (MainThread) [supervisor.bootstrap] Seting up coresys for machine: raspberrypi4-64
23-03-14 02:32:52 INFO (SyncWorker_0) [supervisor.docker.supervisor] Attaching to Supervisor ghcr.io/home-assistant/aarch64-hassio-supervisor with version 2022.12.1
23-03-14 02:32:52 INFO (SyncWorker_0) [supervisor.docker.supervisor] Connecting Supervisor to hassio-network
23-03-14 02:32:53 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.INITIALIZE
23-03-14 02:32:53 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
23-03-14 02:32:53 INFO (MainThread) [__main__] Setting up Supervisor
23-03-14 02:32:53 INFO (MainThread) [supervisor.api] Starting API on 172.30.32.2
23-03-14 02:32:53 INFO (MainThread) [supervisor.hardware.monitor] Started Supervisor hardware monitor
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.manager] Connected to system D-Bus.
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.agent] Load dbus interface io.hass.os
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.hostname] Load dbus interface org.freedesktop.hostname1
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.logind] Load dbus interface org.freedesktop.login1
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.network] Load dbus interface org.freedesktop.NetworkManager
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.rauc] Load dbus interface de.pengutronix.rauc
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.resolved] Load dbus interface org.freedesktop.resolve1
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.systemd] Load dbus interface org.freedesktop.systemd1
23-03-14 02:32:53 INFO (MainThread) [supervisor.dbus.timedate] Load dbus interface org.freedesktop.timedate1
23-03-14 02:32:54 INFO (MainThread) [supervisor.host.services] Updating service information
23-03-14 02:32:54 INFO (MainThread) [supervisor.host.sound] Updating PulseAudio information
23-03-14 02:32:54 INFO (MainThread) [supervisor.host.network] Updating local network information
23-03-14 02:32:54 INFO (MainThread) [supervisor.host.apparmor] Loading AppArmor Profiles: {'hassio-supervisor'}
23-03-13 22:32:55 INFO (MainThread) [supervisor.docker.monitor] Started docker events monitor
23-03-13 22:32:55 INFO (SyncWorker_0) [supervisor.docker.interface] Found ghcr.io/home-assistant/aarch64-hassio-cli versions: [<AwesomeVersion CalVer '2022.11.0'>]
23-03-13 22:32:55 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-cli with version 2022.11.0
23-03-13 22:32:55 INFO (MainThread) [supervisor.plugins.cli] Starting CLI plugin
23-03-13 22:32:56 INFO (SyncWorker_0) [supervisor.docker.cli] Starting CLI ghcr.io/home-assistant/aarch64-hassio-cli with version 2022.11.0 - 172.30.32.5
23-03-13 22:32:56 INFO (SyncWorker_0) [supervisor.docker.interface] Found ghcr.io/home-assistant/aarch64-hassio-dns versions: [<AwesomeVersion CalVer '2022.04.1'>]
23-03-13 22:32:56 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-dns with version 2022.04.1
23-03-13 22:32:56 INFO (MainThread) [supervisor.plugins.dns] Starting CoreDNS plugin
23-03-13 22:32:58 INFO (SyncWorker_0) [supervisor.docker.dns] Starting DNS ghcr.io/home-assistant/aarch64-hassio-dns with version 2022.04.1 - 172.30.32.3
23-03-13 22:32:58 INFO (MainThread) [supervisor.plugins.dns] Updated /etc/resolv.conf
23-03-13 22:32:58 INFO (SyncWorker_0) [supervisor.docker.interface] Found ghcr.io/home-assistant/aarch64-hassio-audio versions: [<AwesomeVersion CalVer '2022.07.0'>]
23-03-13 22:32:58 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-audio with version 2022.07.0
23-03-13 22:32:58 INFO (MainThread) [supervisor.plugins.audio] Starting Audio plugin
23-03-13 22:33:00 INFO (SyncWorker_0) [supervisor.docker.audio] Starting Audio ghcr.io/home-assistant/aarch64-hassio-audio with version 2022.07.0 - 172.30.32.4
23-03-13 22:33:00 INFO (SyncWorker_0) [supervisor.docker.interface] Found ghcr.io/home-assistant/aarch64-hassio-observer versions: [<AwesomeVersion CalVer '2021.10.0'>]
23-03-13 22:33:00 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-observer with version 2021.10.0
23-03-13 22:33:00 INFO (MainThread) [supervisor.plugins.observer] Starting observer plugin
23-03-13 22:33:02 INFO (SyncWorker_0) [supervisor.docker.observer] Starting Observer ghcr.io/home-assistant/aarch64-hassio-observer with version 2021.10.0 - 172.30.32.6
23-03-13 22:33:02 INFO (SyncWorker_0) [supervisor.docker.interface] Found ghcr.io/home-assistant/aarch64-hassio-multicast versions: [<AwesomeVersion CalVer '2022.02.0'>]
23-03-13 22:33:02 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-multicast with version 2022.02.0
23-03-13 22:33:02 INFO (MainThread) [supervisor.plugins.multicast] Starting Multicast plugin
23-03-13 22:33:03 INFO (SyncWorker_0) [supervisor.docker.multicast] Starting Multicast ghcr.io/home-assistant/aarch64-hassio-multicast with version 2022.02.0 - Host
23-03-13 22:33:03 INFO (MainThread) [supervisor.updater] Fetching update data from https://version.home-assistant.io/stable.json
23-03-13 22:33:09 INFO (MainThread) [supervisor.homeassistant.secrets] Loaded 0 Home Assistant secrets
23-03-13 22:33:09 INFO (SyncWorker_0) [supervisor.docker.interface] No version found for ghcr.io/home-assistant/raspberrypi4-64-homeassistant
23-03-13 22:33:09 INFO (MainThread) [supervisor.homeassistant.core] No Home Assistant Docker image ghcr.io/home-assistant/raspberrypi4-64-homeassistant found.
23-03-13 22:33:09 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/raspberrypi4-64-homeassistant with version landingpage
23-03-13 22:33:09 INFO (MainThread) [supervisor.homeassistant.core] Using preinstalled landingpage
23-03-13 22:33:09 INFO (MainThread) [supervisor.homeassistant.core] Starting HomeAssistant landingpage
23-03-13 22:33:09 INFO (MainThread) [supervisor.homeassistant.module] Update pulse/client.config: /data/tmp/homeassistant_pulse
23-03-13 22:33:10 INFO (SyncWorker_0) [supervisor.docker.homeassistant] Starting Home Assistant ghcr.io/home-assistant/raspberrypi4-64-homeassistant with version landingpage
23-03-13 22:33:10 INFO (MainThread) [supervisor.os.manager] Detect Home Assistant Operating System 9.5 / BootSlot A
23-03-13 22:33:10 INFO (MainThread) [supervisor.store.git] Cloning add-on https://github.com/hassio-addons/repository repository
23-03-13 22:33:10 INFO (MainThread) [supervisor.store.git] Cloning add-on https://github.com/esphome/home-assistant-addon repository
23-03-13 22:33:10 INFO (MainThread) [supervisor.store.git] Cloning add-on https://github.com/home-assistant/addons repository
23-03-13 22:33:15 ERROR (MainThread) [supervisor.store.git] Can't clone https://github.com/hassio-addons/repository repository: Cmd('git') failed due to: exit code(128)
cmdline: git clone -v --recursive --depth=1 --shallow-submodules https://github.com/hassio-addons/repository /data/addons/git/a0d7b954
stderr: 'Cloning into '/data/addons/git/a0d7b954'...
fatal: unable to access 'https://github.com/hassio-addons/repository/': Could not resolve host: github.com
'.
23-03-13 22:33:15 ERROR (MainThread) [supervisor.store] Can't retrieve data from https://github.com/hassio-addons/repository due to
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.module] Create new suggestion SuggestionType.EXECUTE_REMOVE - ContextType.STORE / a0d7b954
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.module] Create new issue IssueType.FATAL_ERROR - ContextType.STORE / a0d7b954
23-03-13 22:33:15 WARNING (SyncWorker_2) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 22:33:15 WARNING (SyncWorker_2) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome-beta/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 22:33:15 WARNING (SyncWorker_2) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome-dev/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 22:33:15 INFO (MainThread) [supervisor.store] Loading add-ons from store: 24 all - 24 new - 0 remove
23-03-13 22:33:15 INFO (MainThread) [supervisor.addons] Found 0 installed add-ons
23-03-13 22:33:15 INFO (MainThread) [supervisor.backups.manager] Found 0 backup files
23-03-13 22:33:15 INFO (MainThread) [supervisor.discovery] Loaded 0 messages
23-03-13 22:33:15 INFO (MainThread) [supervisor.ingress] Loaded 0 ingress sessions
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.check] Starting system checks with state CoreState.SETUP
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.check] System checks complete
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.SETUP
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
23-03-13 22:33:15 INFO (MainThread) [supervisor.jobs] 'ResolutionFixup.run_autofix' blocked from execution, system is not running - CoreState.SETUP
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.SETUP
23-03-13 22:33:15 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
23-03-13 22:33:15 INFO (MainThread) [__main__] Running Supervisor
23-03-13 22:33:15 INFO (MainThread) [supervisor.os.manager] Rauc: A - marked slot kernel.0 as good
23-03-13 22:33:15 INFO (MainThread) [supervisor.supervisor] Fetching AppArmor profile https://version.home-assistant.io/apparmor.txt
23-03-13 22:33:17 INFO (MainThread) [supervisor.host.apparmor] Adding/updating AppArmor profile: hassio-supervisor
23-03-13 22:33:17 INFO (MainThread) [supervisor.supervisor] Update Supervisor to version 2023.03.1
23-03-13 22:33:17 INFO (SyncWorker_2) [supervisor.docker.interface] Downloading docker image ghcr.io/home-assistant/aarch64-hassio-supervisor with tag 2023.03.1.
23-03-13 22:39:32 ERROR (SyncWorker_2) [supervisor.docker.interface] Can't install ghcr.io/home-assistant/aarch64-hassio-supervisor:2023.03.1: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.03.1&fromImage=ghcr.io%2Fhome-assistant%2Faarch64-hassio-supervisor&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")
23-03-13 22:39:32 INFO (MainThread) [supervisor.resolution.module] Create new issue IssueType.UPDATE_FAILED - ContextType.SUPERVISOR / None
23-03-13 22:39:32 ERROR (MainThread) [supervisor.supervisor] Update of Supervisor failed: Can't install ghcr.io/home-assistant/aarch64-hassio-supervisor:2023.03.1: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.03.1&fromImage=ghcr.io%2Fhome-assistant%2Faarch64-hassio-supervisor&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")
23-03-13 22:39:32 CRITICAL (MainThread) [supervisor.core] Can't update Supervisor! This will break some Add-ons or affect future versions of Home Assistant!
23-03-13 22:39:32 INFO (MainThread) [supervisor.addons] Phase 'AddonStartup.INITIALIZE' starting 0 add-ons
23-03-13 22:39:32 INFO (MainThread) [supervisor.addons] Phase 'AddonStartup.SYSTEM' starting 0 add-ons
23-03-13 22:39:32 INFO (MainThread) [supervisor.addons] Phase 'AddonStartup.SERVICES' starting 0 add-ons
23-03-13 22:39:32 INFO (MainThread) [supervisor.core] Skiping start of Home Assistant
23-03-13 22:39:32 INFO (MainThread) [supervisor.addons] Phase 'AddonStartup.APPLICATION' starting 0 add-ons
23-03-13 22:39:32 INFO (MainThread) [supervisor.misc.tasks] All core tasks are scheduled
23-03-13 22:39:32 INFO (MainThread) [supervisor.core] Supervisor is up and running
23-03-13 22:39:32 INFO (MainThread) [supervisor.homeassistant.core] Home Assistant setup
23-03-13 22:39:32 INFO (MainThread) [supervisor.host.info] Updating local host information
23-03-13 22:39:32 INFO (MainThread) [supervisor.updater] Fetching update data from https://version.home-assistant.io/stable.json
23-03-13 22:39:32 INFO (MainThread) [supervisor.resolution.check] Starting system checks with state CoreState.RUNNING
23-03-13 22:39:32 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.IPV4_CONNECTION_PROBLEM/ContextType.SYSTEM
23-03-13 22:39:32 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.SUPERVISOR
23-03-13 22:39:32 INFO (SyncWorker_2) [supervisor.docker.interface] Updating image ghcr.io/home-assistant/raspberrypi4-64-homeassistant:landingpage to ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3
23-03-13 22:39:32 INFO (SyncWorker_2) [supervisor.docker.interface] Downloading docker image ghcr.io/home-assistant/raspberrypi4-64-homeassistant with tag 2023.3.3.
23-03-13 22:39:33 INFO (MainThread) [supervisor.host.services] Updating service information
23-03-13 22:39:33 INFO (MainThread) [supervisor.host.network] Updating local network information
23-03-13 22:39:33 INFO (MainThread) [supervisor.host.sound] Updating PulseAudio information
23-03-13 22:39:33 INFO (MainThread) [supervisor.host.manager] Host information reload completed
23-03-13 22:39:33 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.DNS_SERVER_IPV6_ERROR/ContextType.DNS_SERVER
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.FREE_SPACE/ContextType.SYSTEM
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.SECURITY/ContextType.CORE
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.NO_CURRENT_BACKUP/ContextType.SYSTEM
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.module] Create new suggestion SuggestionType.CREATE_FULL_BACKUP - ContextType.SYSTEM / None
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.module] Create new issue IssueType.NO_CURRENT_BACKUP - ContextType.SYSTEM / None
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.DNS_SERVER_FAILED/ContextType.DNS_SERVER
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.PWNED/ContextType.ADDON
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.check] System checks complete
23-03-13 22:39:34 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.RUNNING
23-03-13 22:39:35 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
23-03-13 22:39:35 INFO (MainThread) [supervisor.jobs] 'ResolutionFixup.run_autofix' blocked from execution, system is not healthy - supervisor
23-03-13 22:45:38 ERROR (SyncWorker_2) [supervisor.docker.interface] Can't install ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.3.3&fromImage=ghcr.io%2Fhome-assistant%2Fraspberrypi4-64-homeassistant&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")
23-03-13 22:45:38 WARNING (MainThread) [supervisor.homeassistant.core] Error on Home Assistant installation. Retry in 30sec
23-03-13 22:46:08 INFO (SyncWorker_1) [supervisor.docker.interface] Updating image ghcr.io/home-assistant/raspberrypi4-64-homeassistant:landingpage to ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3
23-03-13 22:46:08 INFO (SyncWorker_1) [supervisor.docker.interface] Downloading docker image ghcr.io/home-assistant/raspberrypi4-64-homeassistant with tag 2023.3.3.
23-03-13 22:50:47 ERROR (SyncWorker_1) [supervisor.docker.interface] Can't install ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.3.3&fromImage=ghcr.io%2Fhome-assistant%2Fraspberrypi4-64-homeassistant&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/home-assistant/raspberrypi4-64-homeassistant/manifests/sha256:f0d2db2dd30b41fe93f87d4efef9ea96be95838528d79d0503f53ee7e970ba5b": dial tcp 140.82.113.34:443: connect: no route to host")
23-03-13 22:50:47 WARNING (MainThread) [supervisor.homeassistant.core] Error on Home Assistant installation. Retry in 30sec
23-03-13 22:51:17 INFO (SyncWorker_2) [supervisor.docker.interface] Updating image ghcr.io/home-assistant/raspberrypi4-64-homeassistant:landingpage to ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3
23-03-13 22:51:17 INFO (SyncWorker_2) [supervisor.docker.interface] Downloading docker image ghcr.io/home-assistant/raspberrypi4-64-homeassistant with tag 2023.3.3.
23-03-13 22:54:07 ERROR (SyncWorker_2) [supervisor.docker.interface] Can't install ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.3.3&fromImage=ghcr.io%2Fhome-assistant%2Fraspberrypi4-64-homeassistant&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")
23-03-13 22:54:07 WARNING (MainThread) [supervisor.homeassistant.core] Error on Home Assistant installation. Retry in 30sec
23-03-13 22:54:37 INFO (SyncWorker_1) [supervisor.docker.interface] Updating image ghcr.io/home-assistant/raspberrypi4-64-homeassistant:landingpage to ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3
23-03-13 22:54:37 INFO (SyncWorker_1) [supervisor.docker.interface] Downloading docker image ghcr.io/home-assistant/raspberrypi4-64-homeassistant with tag 2023.3.3.
23-03-13 22:57:00 ERROR (SyncWorker_1) [supervisor.docker.interface] Can't install ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.3.3&fromImage=ghcr.io%2Fhome-assistant%2Fraspberrypi4-64-homeassistant&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")
23-03-13 22:57:00 WARNING (MainThread) [supervisor.homeassistant.core] Error on Home Assistant installation. Retry in 30sec
23-03-13 22:57:30 INFO (SyncWorker_0) [supervisor.docker.interface] Updating image ghcr.io/home-assistant/raspberrypi4-64-homeassistant:landingpage to ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2023.3.3
23-03-13 22:57:30 INFO (SyncWorker_0) [supervisor.docker.interface] Downloading docker image ghcr.io/home-assistant/raspberrypi4-64-homeassistant with tag 2023.3.3.
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/udev.sh
[02:59:40] INFO: Using udev information from host
cont-init: info: /etc/cont-init.d/udev.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun supervisor (no readiness notification)
services-up: info: copying legacy longrun watchdog (no readiness notification)
[02:59:40] INFO: Starting local supervisor watchdog...
s6-rc: info: service legacy-services successfully started
23-03-14 02:59:44 INFO (MainThread) [__main__] Initializing Supervisor setup
23-03-13 22:59:44 INFO (MainThread) [supervisor.bootstrap] Seting up coresys for machine: raspberrypi4-64
23-03-13 22:59:44 INFO (SyncWorker_0) [supervisor.docker.supervisor] Attaching to Supervisor ghcr.io/home-assistant/aarch64-hassio-supervisor with version 2022.12.1
23-03-13 22:59:44 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.INITIALIZE
23-03-13 22:59:44 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
23-03-13 22:59:44 INFO (MainThread) [__main__] Setting up Supervisor
23-03-13 22:59:45 INFO (MainThread) [supervisor.api] Starting API on 172.30.32.2
23-03-13 22:59:45 INFO (MainThread) [supervisor.hardware.monitor] Started Supervisor hardware monitor
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.manager] Connected to system D-Bus.
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.agent] Load dbus interface io.hass.os
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.hostname] Load dbus interface org.freedesktop.hostname1
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.logind] Load dbus interface org.freedesktop.login1
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.network] Load dbus interface org.freedesktop.NetworkManager
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.rauc] Load dbus interface de.pengutronix.rauc
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.resolved] Load dbus interface org.freedesktop.resolve1
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.systemd] Load dbus interface org.freedesktop.systemd1
23-03-13 22:59:45 INFO (MainThread) [supervisor.dbus.timedate] Load dbus interface org.freedesktop.timedate1
23-03-13 22:59:45 INFO (MainThread) [supervisor.host.services] Updating service information
23-03-13 22:59:45 INFO (MainThread) [supervisor.host.sound] Updating PulseAudio information
23-03-13 22:59:46 INFO (MainThread) [supervisor.host.network] Updating local network information
23-03-13 22:59:46 INFO (MainThread) [supervisor.host.apparmor] Loading AppArmor Profiles: {'hassio-supervisor'}
23-03-13 22:59:46 INFO (MainThread) [supervisor.docker.monitor] Started docker events monitor
23-03-13 22:59:46 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-cli with version 2022.11.0
23-03-13 22:59:46 INFO (MainThread) [supervisor.plugins.cli] Starting CLI plugin
23-03-13 22:59:46 INFO (SyncWorker_0) [supervisor.docker.interface] Cleaning hassio_cli application
23-03-13 22:59:48 INFO (SyncWorker_0) [supervisor.docker.cli] Starting CLI ghcr.io/home-assistant/aarch64-hassio-cli with version 2022.11.0 - 172.30.32.5
23-03-13 22:59:48 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-dns with version 2022.04.1
23-03-13 22:59:48 INFO (MainThread) [supervisor.plugins.dns] Starting CoreDNS plugin
23-03-13 22:59:48 INFO (SyncWorker_0) [supervisor.docker.interface] Cleaning hassio_dns application
23-03-13 22:59:50 INFO (SyncWorker_0) [supervisor.docker.dns] Starting DNS ghcr.io/home-assistant/aarch64-hassio-dns with version 2022.04.1 - 172.30.32.3
23-03-13 22:59:50 INFO (MainThread) [supervisor.plugins.dns] Updated /etc/resolv.conf
23-03-13 22:59:50 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-audio with version 2022.07.0
23-03-13 22:59:50 INFO (MainThread) [supervisor.plugins.audio] Starting Audio plugin
23-03-13 22:59:50 INFO (SyncWorker_0) [supervisor.docker.interface] Cleaning hassio_audio application
23-03-13 22:59:51 INFO (SyncWorker_0) [supervisor.docker.audio] Starting Audio ghcr.io/home-assistant/aarch64-hassio-audio with version 2022.07.0 - 172.30.32.4
23-03-13 22:59:51 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-observer with version 2021.10.0
23-03-13 22:59:51 INFO (SyncWorker_0) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/aarch64-hassio-multicast with version 2022.02.0
23-03-13 22:59:51 INFO (MainThread) [supervisor.plugins.multicast] Starting Multicast plugin
23-03-13 22:59:51 INFO (SyncWorker_0) [supervisor.docker.interface] Cleaning hassio_multicast application
23-03-13 22:59:52 INFO (SyncWorker_0) [supervisor.docker.multicast] Starting Multicast ghcr.io/home-assistant/aarch64-hassio-multicast with version 2022.02.0 - Host
23-03-13 22:59:52 INFO (MainThread) [supervisor.updater] Fetching update data from https://version.home-assistant.io/stable.json
23-03-13 22:59:58 INFO (MainThread) [supervisor.homeassistant.secrets] Loaded 0 Home Assistant secrets
23-03-13 22:59:58 INFO (SyncWorker_1) [supervisor.docker.interface] Attaching to ghcr.io/home-assistant/raspberrypi4-64-homeassistant with version landingpage
23-03-13 22:59:58 INFO (MainThread) [supervisor.homeassistant.core] Starting HomeAssistant landingpage
23-03-13 22:59:58 WARNING (MainThread) [supervisor.homeassistant.core] Watchdog found Home Assistant failed, restarting...
23-03-13 22:59:58 INFO (MainThread) [supervisor.homeassistant.module] Update pulse/client.config: /data/tmp/homeassistant_pulse
23-03-13 22:59:58 INFO (SyncWorker_1) [supervisor.docker.interface] Cleaning homeassistant application
23-03-13 22:59:58 ERROR (MainThread) [supervisor.utils] Can't execute start while a task is in progress
23-03-13 22:59:59 INFO (SyncWorker_1) [supervisor.docker.homeassistant] Starting Home Assistant ghcr.io/home-assistant/raspberrypi4-64-homeassistant with version landingpage
23-03-13 22:59:59 INFO (MainThread) [supervisor.os.manager] Detect Home Assistant Operating System 9.5 / BootSlot A
23-03-13 22:59:59 WARNING (SyncWorker_0) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 22:59:59 WARNING (SyncWorker_0) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome-beta/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 22:59:59 WARNING (SyncWorker_0) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome-dev/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 22:59:59 INFO (MainThread) [supervisor.store.git] Loading add-on /data/addons/core repository
23-03-13 22:59:59 INFO (MainThread) [supervisor.store.git] Cloning add-on https://github.com/hassio-addons/repository repository
23-03-13 22:59:59 INFO (MainThread) [supervisor.store.git] Loading add-on /data/addons/git/5c53de3b repository
23-03-13 23:00:01 WARNING (SyncWorker_2) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 23:00:01 WARNING (SyncWorker_2) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome-beta/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 23:00:01 WARNING (SyncWorker_2) [supervisor.store.data] Can't read /data/addons/git/5c53de3b/esphome-dev/config.yaml: Service esphome not found @ data['discovery'][0]. Got 'esphome'
23-03-13 23:00:01 INFO (MainThread) [supervisor.store] Loading add-ons from store: 65 all - 65 new - 0 remove
23-03-13 23:00:01 INFO (MainThread) [supervisor.addons] Found 0 installed add-ons
23-03-13 23:00:01 INFO (MainThread) [supervisor.backups.manager] Found 0 backup files
23-03-13 23:00:01 INFO (MainThread) [supervisor.discovery] Loaded 0 messages
23-03-13 23:00:01 INFO (MainThread) [supervisor.ingress] Loaded 0 ingress sessions
23-03-13 23:00:01 INFO (MainThread) [supervisor.resolution.check] Starting system checks with state CoreState.SETUP
23-03-13 23:00:01 INFO (MainThread) [supervisor.resolution.check] System checks complete
23-03-13 23:00:01 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.SETUP
23-03-13 23:00:01 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
23-03-13 23:00:01 INFO (MainThread) [supervisor.jobs] 'ResolutionFixup.run_autofix' blocked from execution, system is not running - CoreState.SETUP
23-03-13 23:00:01 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.SETUP
23-03-13 23:00:01 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
23-03-13 23:00:01 INFO (MainThread) [__main__] Running Supervisor
23-03-13 23:00:01 INFO (MainThread) [supervisor.os.manager] Rauc: A - marked slot kernel.0 as good
23-03-13 23:00:01 INFO (MainThread) [supervisor.supervisor] Fetching AppArmor profile https://version.home-assistant.io/apparmor.txt
23-03-13 23:00:02 INFO (MainThread) [supervisor.host.apparmor] Adding/updating AppArmor profile: hassio-supervisor
23-03-13 23:00:02 INFO (MainThread) [supervisor.supervisor] Update Supervisor to version 2023.03.1
23-03-13 23:00:02 INFO (SyncWorker_2) [supervisor.docker.interface] Downloading docker image ghcr.io/home-assistant/aarch64-hassio-supervisor with tag 2023.03.1.
23-03-13 23:06:18 ERROR (SyncWorker_2) [supervisor.docker.interface] Can't install ghcr.io/home-assistant/aarch64-hassio-supervisor:2023.03.1: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.03.1&fromImage=ghcr.io%2Fhome-assistant%2Faarch64-hassio-supervisor&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")
23-03-13 23:06:18 INFO (MainThread) [supervisor.resolution.module] Create new issue IssueType.UPDATE_FAILED - ContextType.SUPERVISOR / None
23-03-13 23:06:18 ERROR (MainThread) [supervisor.supervisor] Update of Supervisor failed: Can't install ghcr.io/home-assistant/aarch64-hassio-supervisor:2023.03.1: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.03.1&fromImage=ghcr.io%2Fhome-assistant%2Faarch64-hassio-supervisor&platform=linux%2Farm64: Internal Server Error ("Get "https://ghcr.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")
23-03-13 23:06:18 CRITICAL (MainThread) [supervisor.core] Can't update Supervisor! This will break some Add-ons or affect future versions of Home Assistant!
23-03-13 23:06:18 INFO (MainThread) [supervisor.addons] Phase 'AddonStartup.INITIALIZE' starting 0 add-ons
23-03-13 23:06:18 INFO (MainThread) [supervisor.addons] Phase 'AddonStartup.SYSTEM' starting 0 add-ons
23-03-13 23:06:18 INFO (MainThread) [supervisor.addons] Phase 'AddonStartup.SERVICES' starting 0 add-ons
(this can take up to 20 minutes)

You have a DNS or networking problem. Please start a fresh topic with your problem.

Disconnect all network cables, shut down your wireless networks, turn off your router, turn off all power relays, remove batteries from all your devices, set your phone on fire and after a few days you probably will be safe… Or maybe not… You still have doors and windows at home, right?

:stuck_out_tongue_winking_eye:

2 Likes

To rule out any malicious modifications to HA while this vulnerability was active, are there any tools already built to validate homeassistant os files, directories etc?

E.g. hypothetically if someone did get in and leave something for later? Modify/add code to tunnel out etc.

(Other than reinstalling from scratch / fresh image and manually reconfiguring integrations / copying over yaml, Migrating zwave devices etc (30 devices won’t be fun…))

A script could go through the entire SD card and compare each folder / file / size / to what it should be / a clean install. Anyone done anything like this yet?

1 Like

For HAOS that should be do-able, but any method that uses Docker should be (mostly) a case of checking the container hashes match what’s on the central registry. A simple reboot ensures that any live changes to a container are thrown away.

If all of those agree then the only other thing to do is to verify the OS - for HAOS the OS is replaced when you upgrade anyway so an OS upgrade is an easy step to take.

For anybody running Supervised it’ll be a little harder, but you can use tools like dpkg to verify the installed files against the package manifest, or use this approach.

The other option of course is to take a backup and restore it on a fresh install.
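An added example (not from the thread, and not a Home Assistant tool): the tree comparison asked about above, sketched as a generic script that fingerprints a reference tree from a clean install and the tree under suspicion, then reports the differences. The function names are hypothetical, and it assumes both trees are mounted read-only on a separate machine; it compares SHA-256 hashes and permission bits rather than sizes, because a same-size edit would pass a size check.

```python
import hashlib
import os
import stat


def build_manifest(root):
    """Map each relative path under root to (kind, mode, fingerprint)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)  # lstat: record a symlink, never follow it
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = ("link", mode, os.readlink(full))
            elif stat.S_ISDIR(st.st_mode):
                manifest[rel] = ("dir", mode, "")
            elif stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                manifest[rel] = ("file", mode, digest.hexdigest())
            else:
                manifest[rel] = ("special", mode, "")  # device, fifo, socket
    return manifest


def compare(baseline, suspect):
    """Return (path, reason) findings, sorted by path."""
    findings = []
    for path in sorted(baseline.keys() | suspect.keys()):
        old, new = baseline.get(path), suspect.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        elif old[0] != new[0]:
            findings.append((path, "type changed"))
        elif old[2] != new[2]:
            findings.append((path, "content changed"))
        elif old[1] != new[1]:
            findings.append((path, "mode changed"))
    return findings
```

Expect findings under configuration and data directories on any system that has been in use; the signal is in changes to paths that a clean install ships and never rewrites.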

Any suggestions how I might get around this?

ha supervisor update
Processing… Done.

Error: Update of Supervisor failed: Can’t install ghcr.io/home-assistant/amd64-hassio-supervisor:2023.03.1: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.03.1&fromImage=ghcr.io%2Fhome-assistant%2Famd64-hassio-supervisor&platform=linux%2Famd64: Internal Server Error (“Get “https://ghcr.io/v2/”: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)”)

My installation is currently at:

Home Assistant 2023.1.7
Supervisor 2023.01.1
Operating System 9.4
Frontend 20230110.0 - latest

From what I can tell, it isn’t a DNS problem.


Update: I was unable to apply any updates to Home Assistant in February too. So I just now restored the host to an earlier image, which reverted Home Assistant to:

Home Assistant 2022.12.9
Supervisor 2022.12.1
Operating System 9.4
Frontend 20221213.1

But attempting to update brought the same error as above, which is strange, since I’d been able to update to 2023.1.7 in January!?!

The logs for the reverted version also contained the following:

homeassistant.components.hassio.handler.HassioAPIError: ‘HomeAssistantCore.update’ blocked from execution, no host internet connection

Weird, as anything external I manually attempt to reach from the HA cli works…via IPv4.

ping ghcr.io
PING ghcr.io (140.82.113.33): 56 data bytes
64 bytes from 140.82.113.33: seq=0 ttl=47 time=38.816 ms
64 bytes from 140.82.113.33: seq=1 ttl=47 time=40.445 ms

I have IPv6 disabled in HA and I’m pretty sure it’s blocked on my network. Could that be the problem? Might the updater have been restricted to IPv6 since February?

I got to core-2023.3.4 supervisor-2023.03.1 Home Assistant OS 9.5 without IPv6 being enabled on my network or HA. So I don’t think IPv4-only is your problem.