Disclosure: Supervisor security vulnerability

@frenck To mitigate such issues in the first place, support for client certificates would be awesome. The only reason holding this back is the lack of support in the Android app. Is something like that being planned? Similar technology is used by the DavX5 app (also open-source), which might be a good example to implement something.

This would mean that only trusted devices, those that have such a client certificate, would have access to the HA instance.
The server instance would not require direct support, as the validation and check of the certificate can be achieved via a web server like nginx or apache in front of it.

1 Like
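An added example (not from the post above or from the Home Assistant project) of the nginx front end the post describes: TLS is terminated by nginx, every connection must present a client certificate issued by a private device CA, and only then is the request proxied to Home Assistant. The hostname, certificate paths, CRL file and the backend address (127.0.0.1:8123, Home Assistant's default port) are assumptions.

```nginx
# Added example: nginx in front of Home Assistant requiring a per-device
# client certificate. Paths, hostname and backend address are assumptions.
server {
    listen 443 ssl;
    server_name ha.example.com;

    # Ordinary server certificate (e.g. from Let's Encrypt).
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # Private CA that issued the per-device client certificates.
    ssl_client_certificate /etc/nginx/certs/device-ca.crt;
    ssl_verify_client      on;   # no valid client cert: nginx rejects, HA never sees the request
    ssl_verify_depth       1;    # device certs are signed directly by the CA
    # A lost or retired device is revoked by adding its cert to this CRL.
    ssl_crl                /etc/nginx/certs/device-ca.crl;

    location / {
        proxy_pass http://127.0.0.1:8123;
        # The Home Assistant frontend uses WebSockets.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Forward the verified device identity so it can be logged behind the proxy.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}

# Plain HTTP: redirect only, never proxy.
server {
    listen 80;
    server_name ha.example.com;
    return 301 https://$host$request_uri;
}
```

Home Assistant itself needs `use_x_forwarded_for: true` and `trusted_proxies: [127.0.0.1]` under `http:` in configuration.yaml so that it accepts the forwarded headers from the proxy.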

I must admit I’m pretty disappointed; the community has been asking for Open letter for improving Home Assistant's Authentication system (OIDC, SSO) - #40 by pjcarly for a long time. This would allow people to put solutions like oauth proxy in front of HA, completely sealing it off from anonymous access, but the maintainers don’t want to deal with it. They’d rather rely on their own auth provider implementation, which is, in my opinion, not the way forward, opening doors to issues like this.

14 Likes

I appreciate the update and how promptly the information was released once the patch was available.
I received the 2023.03.1 patch last night and the post this morning.

For those who are still wondering (English is not my first language)

Do I run

  • Home Assistant OS, or
  • Home Assistant Supervised?

and

Can I reach my Home Assistant from the Internet without a VPN?
If yes, I was affected.
(This can be quite nuanced, depending on how connectivity is established.)

- - -

Am I at least on Supervisor 2023.03.1 (seen on the Settings → About page)?
If yes, the vulnerability is patched.

(I do not believe at time of writing there is a later version than 2023.03.1, but marking it as “at least” for future.)

Correct me if I am wrong.

2 Likes

Am I the only one who finds this a bit scary? Should I?

“Our analysis shows that this issue has been in Home Assistant since the introduction of the Supervisor in 2017.”

6 Likes

I disagree, but that is just my opinion. “Ignore” is not the best word; it should be “Acknowledged”, but updates of this caliber in my opinion should stay up until explicitly acknowledged.

Maybe a config option to auto-acknowledge critical updates? :clown_face:

2 Likes

Seeing this in the repairs section

and I’d hate to click Ignore (NEGEER) here. My system had already been updated, so shouldn’t there at least be a Fix button, or, preferably even, ‘your system has already been fixed’?

Ignore seems the wrong choice of words.

3 Likes

Yes and No. There can always be vulnerabilities without anyone knowing until someone finds out. If you look up Windows vulnerabilities you get whole lists of issues that lived longer than 9 years. Some vulnerabilities are not so much about checking if someone is logged on or not. Some vulnerabilities go way deeper… I would say look up Meltdown & Spectre https://meltdownattack.com/.

So yeah, always be sceptical and stay up-to-date with the latest version.

Why does the Supervisor API need to be exposed externally?

1 Like

This is a very big deal. Since your backups could be downloaded, everything contained in Home Assistant is compromised…

To enumerate some possible issues that we, as Home Assistant users, may need to remediate:

All HA user accounts need their passwords changed, especially administrators.

If you are using an SSL certificate, you will need to reissue and replace that certificate as the private key is now compromised.

If you are using ESPHome, you will need to change the password for the wireless network your ESPHome devices were on, as that password is in the secrets.yaml for ESPHome.

If you are sending email notifications, you will need to change the email password for the account that you are using to send.

If you are using the RClone add-on, you will need to change the credentials for the storage target you configured.

If you are using MQTT, you will need to change your MQTT passwords.

That’s just off the top of my head.

There is not much technical detail to talk about: if you have one of the listed installation types, you have been vulnerable, as described in the “about the issue” section as well.

That should have been the case, the vulnerability discovered managed to access it nevertheless.

Sorry to hear you feel that way, but that is the honest answer: We don’t know.
Home Assistant is something you self-host; we have no insight into anyone’s system, so we honestly don’t know.

There is none. Even if there was, this issue has been around since 2017 (as also written in the post). Unless you have recorded every single request made against your instance and kept records of those since then, you wouldn’t be able to tell. Even then… it would be guessing.

7 Likes

As the blog post writes:

this gives an attacker access to install Home Assistant updates and manage add-ons and backups

So yes, that is possible.

In general, with any security incident that involves any of your used software or services, it is best practice to cycle any used credentials with such a service. IMHO, this is no exception.

3 Likes

I’m sure more details will become available later, however, the goal right now is to inform, create awareness and above all, give people the opportunity to ensure they are protected.

This is not an uncommon practice in CVE handling.

4 Likes

Truth be told, passwords should be changed periodically no matter what, but most people don’t want to be bothered to do so.

2 Likes

Yes. This has been answered above a couple of times as well. Home Assistant Cloud is end-to-end encrypted, meaning even Nabu Casa can’t do anything to stop bad vectors from going through (as all they see is encrypted data… #privacy).

This is my bad, I’ve made a typo in the version number of the alert. The error is corrected and the alert should disappear if your system is protected.

Sorry about that :pray:

…/Frenck

7 Likes

It isn’t. That was, unfortunately, part of the issue.

1 Like

Anyone know if this affects the websocket API?

Exactly, but the vulnerability may have also allowed access to the local network - which is even more critical in my eyes.

Just want to chime in that it’s possible (if one trusts Cloudflare and Google OAuth) to get the best of both worlds: exposing minimal APIs to the internet (ex: Google Assistant integration) while requiring additional authentication for all others.

Set up Cloudflare Zero Trust (with the identity provider of your choice) and add an exclusion for the APIs you want to expose.

Thanks to the Home Assistant team for the disclosure and auto-update of a serious security issue!

1 Like

A post was split to a new topic: Updated to 2023.3.x and hue lights are having issues