@frenck To mitigate such issues in the first place - support for client certificates would be awesome. The only reason holding this back is the lack of support in the Android app. Is something like that being planned? Similar technology is used by the DavX5 app (also open-source), which might be a good example to implement something.
This would mean that only trusted devices, having such a client certificate would have access to the HA instance.
The server instance would not require direct support as the validation and check of the certificate can be achieved via a web server like nginx or apache in front of it.
I must admit I'm pretty disappointed, the community has been asking for Open letter for improving Home Assistant's Authentication system (OIDC, SSO) - #40 by pjcarly for a long time. This would allow people to put solutions like oauth proxy in front of HA, completely sealing it off from anonymous access, but the maintainers don't want to deal with it - they'd rather rely on their own auth provider implementation which is, in my opinion, not the way forward, opening doors to issues like this.
I appreciate the update, how promptly the information was released once the patch was available.
I received the 2023.03.1 patch last night and the post this morning.
For those who are still wondering (English is not my first language)
Do I run
Home Assistant OS, or
Home Assistant Supervised?
and
Can I reach my Home Assistant from the Internet without a VPN?
If yes, I was affected.
(This can be quite nuanced depending on how connectivity is established.)
- - -
Am I at least on Supervisor 2023.03.1 (seen on the Settings → About page)?
If yes, the vulnerability is patched.
(I do not believe at time of writing there is a later version than 2023.03.1, but marking it as "at least" for future.)
I disagree, but that is just my opinion. "Ignore" is not the best word, it should be "Acknowledged", but updates of this caliber in my opinion should stay up until explicitly acknowledged.
Maybe a config option to auto-acknowledge critical updates?
And I'd hate to click Ignore (NEGEER) here. My system had already been updated, so shouldn't there at least be a Fix button, or, preferably even, "your system has already been fixed"?
Yes and no. There can always be vulnerabilities without anyone knowing until someone finds out. If you look up Windows vulnerabilities you get whole lists of issues that lived longer than 9 years. Some vulnerabilities are not so much about checking if someone is logged on or not. Some vulnerabilities go way deeper… I would say look up Meltdown & Spectre https://meltdownattack.com/.
So yeah, always be sceptical and stay up-to-date with the latest version.
This is a very big deal. Since your backups could be downloaded, everything contained in Home Assistant is compromised…
To enumerate some possible issues that we, as Home Assistant users, may need to remediate:
All HA user accounts need their passwords changed, especially administrators.
If you are using an SSL certificate, you will need to reissue and replace that certificate as the private key is now compromised.
If you are using ESPHome, you will need to change the password for the wireless network your ESPHome devices were on, as that password is in the secrets.yaml for ESPHome.
If you are sending email notifications, you will need to change the email password for the account that you are using to send.
If you are using the RClone add-on, you will need to change the credentials for the storage target you configured.
If you are using MQTT, you will need to change your MQTT passwords.
There is not much technical to talk about: if you have one of the listed installation types you have been vulnerable, as described in the "about the issue" section as well.
That should have been the case, the vulnerability discovered managed to access it nevertheless.
Sorry to hear you feel that way, but that is the honest answer: We don't know.
Home Assistant is something you self host, we have no insight into anyone's system so we honestly don't know.
There is none. Even if there was, this issue has been around since 2017 (as also written in the post). Unless you have recorded every single request made against your instance and kept records of those since then, you wouldn't be able to tell. Even then… it would be guessing.
this gives an attacker access to install Home Assistant updates and manage add-ons and backups
So yes, that is possible.
In general, with any security incident that involves any of your used software or services, it is best practice to cycle any used credentials with such a service. IMHO, this is no exception.
I'm sure more details will become available later, however, the goal right now is to inform, create awareness and above all, give people the opportunity to ensure they are protected.
Yes. This has been answered above a couple of times as well. Home Assistant Cloud is end-to-end encrypted, meaning even Nabu Casa can't do anything to stop bad vectors going through (as all they see is encrypted data… #privacy).
This is my bad, I've made a typo in the version number of the alert. The error is corrected and the alert should disappear if your system is protected.
Just want to chime in that it's possible (if one trusts Cloudflare and Google OAuth) to get the best of both worlds - exposing minimal APIs to the internet (e.g. the Google Assistant integration) while requiring additional authentication for all others.
Set up Cloudflare Zero Trust (with the identity provider of your choice) and add an exclusion for the APIs you want to expose.
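As an added illustration (not from any poster in this thread) of both ideas above, client certificates enforced by a reverse proxy in front of HA and an exemption for a single integration endpoint that must stay reachable without device authentication: an nginx server block that asks every client for a certificate, rejects unverified clients everywhere except one path, and forwards the rest to Home Assistant. The listen address 127.0.0.1:8123, the hostname, the file paths and the exempted path /api/google_assistant are assumptions for this example.

```nginx
# Added example, not part of the thread or the Home Assistant project.
# Assumptions: HA listens on 127.0.0.1:8123; device certificates are issued
# by the CA in device-ca.pem; /api/google_assistant is the one path that
# must remain reachable by Google's servers, which hold no device certificate.
server {
    listen 443 ssl http2;
    server_name ha.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Request a client certificate from everyone, but do not abort the TLS
    # handshake if none is sent: the decision is made per location below.
    ssl_client_certificate /etc/nginx/tls/device-ca.pem;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    # Exempted endpoint: no device certificate required here (the integration
    # itself still authenticates these requests at the application layer).
    location = /api/google_assistant {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else, including the Supervisor-backed endpoints: only clients
    # whose certificate chained to device-ca.pem get through.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8123;
        # Keep WebSocket working for the frontend and companion app.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Home Assistant only honours the forwarded headers when its `http:` section sets `use_x_forwarded_for: true` and lists the proxy in `trusted_proxies`, so add that alongside this config.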
Thanks to the Home Assistant team for the disclosure and auto-update of a serious security issue!