“A fix for this security issue has been rolled out to all affected Home Assistant users via the Supervisor auto-update system and this issue is no longer present.”
Home Assistant can automatically be updated remotely by the team? It seems I already have the patch but don’t remember updating Supervisor within the last month. I thought all updates are user opt-in? Thanks to the team’s quick action on this exploit, but I’m not overly keen to have a system that automatically updates without the owner’s knowledge.
You can verify that you received the update on the Home Assistant About page and verify that you are running Supervisor 2023.03.1 or later. If you do not see a Supervisor version on your About page, you do not use one of the affected installation types and have not been vulnerable.
The issue has also been mitigated in Home Assistant 2023.3.0. This version was released on March 1 and has since been installed by 33% of our users.
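The check described above (Supervisor 2023.03.1 or later means patched, no Supervisor version on the About page means the install type was never affected) as an added example, not code from the Home Assistant project; it assumes you copy the version string from the About page by hand. Supervisor versions are calendar-based, so "2023.03.1" and "2023.3.1" must compare equal, which plain string comparison gets wrong.

```python
import re
from typing import Optional, Tuple

# Minimum Supervisor version named in the announcement as carrying the fix.
# Supervisor uses calendar versioning: YEAR.MONTH.PATCH (e.g. "2023.03.1").
FIXED_SUPERVISOR_VERSION = "2023.03.1"

_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})\.(\d+)\s*$")


def parse_calver(version: str) -> Tuple[int, int, int]:
    """Parse a YEAR.MONTH.PATCH string into a comparable integer tuple.

    Zero-padded and unpadded months are the same release ("2023.03.1"
    and "2023.3.1"), so the fields are compared as integers, never as text.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"not a Supervisor calendar version: {version!r}")
    year, month, patch = (int(group) for group in match.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range in version {version!r}")
    return year, month, patch


def supervisor_is_patched(version: str) -> bool:
    """True when the Supervisor version is 2023.03.1 or later."""
    return parse_calver(version) >= parse_calver(FIXED_SUPERVISOR_VERSION)


def check_about_page(supervisor_version: Optional[str]) -> str:
    """Map what the About page shows to the three cases in the announcement.

    supervisor_version is None when the About page lists no Supervisor
    version at all (an installation type that was never affected).
    """
    if supervisor_version is None:
        return "not-applicable"
    if supervisor_is_patched(supervisor_version):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real instance.
    for shown in (None, "2023.03.1", "2023.3.1", "2023.01.1"):
        print(f"About page shows {shown!r}: {check_about_page(shown)}")
```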
It was clearly answered to you in the first words. What is not clear about that?
It means that all communication is 1-to-1, as it is end-to-end encrypted. There is nothing done with communication from the internet to your instance. As it is end-to-end encrypted, nothing can be seen, read, filtered, or modified along the way.
If you run Home Assistant OS or Home Assistant Supervised, you have been affected by the vulnerability disclosed in this announcement.
Question about the event itself in HA. I have a dashboard for software updates and events. Is there an entity for this “Security Disclosure”, so that I can have a conditional card to show it when the next event occurs?
Can you please provide some additional information regarding this vulnerability, as neither the associated GitHub nor the MITRE CVE pages seem to have the details of the potential attack vector, which are necessary to perform forensic analysis on whether one’s instance has been exploited?
I think this would also help to dispel confusion seen in this thread.
If the above is the case, I’d reword the statement to avoid spreading panic throughout the community. It is a serious one, with the Supervisor API giving an attacker opportunities to compromise the entire HA instance and the credentials to everything it was integrated with; if so, I (and pretty much everyone here) would like to know so that we can act.
The answer to “HAS THIS VULNERABILITY BEEN ABUSED?” is ridiculous; please provide more details to allow users to determine if they could have been compromised, even if it’s just a hint to review logs of ingress controllers for access to a specific path like /api/supervisor or something…
Quick question: shouldn’t the warning message automatically disappear after the update? I have now made the update to 2023.03.1, but the repair/warning message still appears, even after a reboot of the host.
Home Assistant 2023.3.1
Operating System 9.5
To be fair, the rapid fix and transparent, public disclosure for this defect is exactly why I use Home Assistant and am far more comfortable exposing it to the internet than I would be about pretty much any other internet-connected device that I have in my infrastructure.
All software has defects, some of those defects will impact security, and a few will be serious. I don’t judge software by whether or not it has defects, but by how those defects are handled when they are found.