Disclosure: Supervisor security vulnerability

That’s not really accurate though. If someone was trying to target you specifically and they knew your location, unless you are using a VPN they would not need to try all IP addresses, since of course IP addresses are based on location.

You are about 1000 km off track here (meaning you are wrong in your thoughts/beliefs). Business is global, or at least in this case “local” within country borders; otherwise, country is the most specific you’ll get in most cases.
… and I’m speaking of my “landline” fibre connection … My cell phone operator places me in the southern part of the country.

If they target me?

Easy. lavrsen.dk

Knock yourself out

What I mean is: when a vulnerability is discovered in a specific piece of software, it makes a difference whether you have to scan the entire Internet to find the 10000 users that have it exposed, or you can simply download a list of those 10000. Eventually they will find you, but it gives most users some days to patch the software, and those days or weeks are essential.


Which is why the majority of the world by now knows very well that they always have to look over their security, AND in particular their password “algorithm” :slight_smile: … Windows users, and nowadays ALL people running around with their phone-no-PIN-code-ready to answer to blips and pings … I know, well I guess you don’t run around with a mobile phone with no PIN code and full access to your bank, home, insurances etc. etc. … thinking ahhh, I always have my phone on me, no one ever gets access to this without me seeing it (I never leave it out of my sight) …


While scam might be a bad choice of words, I can’t describe how disappointed I am in this implementation. If they had used a wildcard cert, all the URLs would not have been exposed. How can you take security seriously and use an implementation that exposes all clients daily? I only switched to using Nabu Casa because it was supposed to help fund HA. It seems I made a bad assumption about security and should have stuck with my VPN. Now I have a major problem. I have no way to know if my HA was compromised. In the event it was, there is a possibility that all other network-connected devices on my network have been compromised. So wifi switches, ESP devices, TVs, and other IoT devices could all now be hooked.
Does anyone have clear instructions on how to export just configuration data from HA in a fashion that can be reviewed and then reloaded in some fashion on a clean HA install? I know I could grab the .yaml files but this doesn’t include configuration for things like my zigbee network. Any additional recommendation for watching my IOT devices for indication of compromise would also be appreciated.

This Supervisor vulnerability completely bypassed authentication. Your password is irrelevant in this case. You only needed to know the URL.

This vulnerability was absolutely catastrophic. Pretty much the worst-case scenario for security. I hope that the appropriate consequences will be taken with respect to how this part of HA is managed and audited in the future, considering how this vulnerability has gone undiscovered for years and how far-reaching the access it granted was. And especially considering the past high-horse we-know-better attitude the Supervisor devs displayed towards users and their supposed bad security practices (see the whole pwned password thing). HA needs to be professionally pen tested. I know this is expensive. But who knows what else lingers below the surface.

That said, the Nabu Casa URL exposure thing is different. That’s how non-wildcard certs work for subdomains, for better or for worse. The random URLs are just security theater. Afaik NC never advertised it as a security feature, but a lot of third-party online resources did, adding to the confusion. So it’s perfectly understandable that many people thought it would increase security. You can still pay for an NC subscription as a way to help HA development. But on the technical side, there are much better solutions for secure HA access (VPN, secure tunnels, limiting IP ranges, port knocking, etc.).

That was a conscious decision on their part. With a wildcard cert they could intercept all customer traffic, which is problematic. They did not want to go that way. It’s a tradeoff.


Yes, every computer in my house has to be viewed as possibly compromised. Computers used to do online banking, etc. I can barely stand to think about the exposure this vulnerability potentially caused for every Nabu Casa customer. Errrrrr.

Once again, if anyone has a good suggestion on how to approach addressing this security issue (possibly multiple compromised machines) across my home network, I’d love to hear some input. I’m thinking I need to segregate my home network now between important machines and IoT/entertainment/HA machines. I’ll probably need to start by reloading any important machine with personal information after I’ve created a new LAN segment to support them. I’ll need to set up two wifi networks, one for each side. Lots of work.

Nuke it from orbit, it’s the only way to be sure.


These words are pulled directly from the cloud page in the Home Assistant interface:

“Integrations for Home Assistant Cloud allow you to connect with services in the cloud without having to expose your Home Assistant instance publicly on the internet.”

This seems to imply that using Nabu Casa never exposed your instance publicly on the internet, as Nabu Casa is an integration.

I guess what’s done is done; I’d better get busy with the nukes.


@petro @tom_l

The HA cloud web page states:

“Integrations for Home Assistant Cloud allow you to connect with services in the cloud without having to expose your Home Assistant instance publicly on the internet.”

This seems to imply to me that Nabu Casa doesn’t directly expose my instance publicly on the internet.


Where exactly does it say that?

Settings → Home Assistant Cloud

“without having to expose your Home Assistant instance publicly on the internet.”

End-to-end encryption is pretty far from “publicly”, but I see your point. Poor wording.


I assume this refers to Alexa and Google (the two integrations provided). Remote access does not need to be enabled in order for those to function.


It might refer to those, but Cloud is also an integration that is part of the default HA configuration.

Getting a notification every now and then in this topic, I keep hoping for some Nabu Casa contribution here.
We’ve kept calm for some time, to give the NC team time to take appropriate action and organize their armor against these kinds of vulnerabilities, but given the ongoing release cycle I would expect this to get some more official response now?

As Alex states above:

This warrants a formal response imho.


My observations over the last five or so years force me to respond with, “good luck waiting for that”.

Mine says ‘hyperbole’.

No actual intrusion examples, instant patch.

Not personally perturbed in the slightest.

YMMD.


I don’t agree, this was/is a serious matter.

True, and insomuch as it is true, it is comforting.

That’s fine and I suspect that most have to some extent shrugged and moved on. Especially as we have little or no choice now.

However, be that all as it may, I do think that some kind of reflective announcement should have been forthcoming from the commercial (and responsible) arm of this project.


Yes, serious, but not “catastrophic”.