Not sure if it’s due to the global nature of the community but some of the responses towards other users are quite condescending and in some cases outright rude - it really does put people off asking questions which is the fundamental reason for a community existing.
tbh, I don't have any idea whether this is the case.
Running my HA on OS, I presume if it were advisable to do so, a message with that suggestion would have been issued and shown in the repairs section?
Currently I have deep faith in the Nabu Casa dev team, instructing us to do what might be required to stay safe.
Since no warning of any kind whatsoever, other than updating Supervisor, was issued, I take it that's all we need to do.
We could do a whole lot of other things too, but if there’s no need…?
An often-overlooked hardening against unknown vulnerabilities in externally exposed services is to implement port-knocking.
Exaggerating a bit by using “All”?
I have a Core Installation and my HA is only accessible from outside my LAN using my VPN, ESPHome resides on a separate development server… so it’s at least All - 1
Of course this is still serious, but I was always surprised how many users with very little knowledge about networking and security (based on the questions they were asking) happily exposed their HA installation with DuckDNS (or any other DDNS provider) and set up port forwarding on their routers…
just my 2 cents
Armin
@frenck, I appreciate you taking the time to respond. Having spent more than a decade and a half in cybersecurity and related fields, may I please make a suggestion? I would suggest that, given the majority of the HA user base does not have the background necessary to make this determination, you provide a follow-up with a “best practices” list of steps to perform as a result of this finding.
For example, as you saw in a question you responded to earlier in this thread, it’s not clear to all that credentials might have been compromised and should be rotated. In general, I don’t believe most of the HA users would know the full gamut of what is and isn’t possible with access to the API, or know how to find and interpret the API documentation. As such, these folks will not know exactly what had the potential to be compromised. Specifically, it would be nice to let the users know, in understandable terms, whether their credentials to third-party services were vulnerable, whether input into HA using the GUI, or by being stored in their secrets file, etc.
Since, as you mention, “the goal right now is to inform, create awareness and above all, give people the opportunity to ensure they are protected”, it’s important to provide the users with answers to questions they might not even know they need to ask, such as: “Could a malicious actor, having exploited this vulnerability, potentially have access to my Google Drive, if I set up the third-party Google Drive Backup add-on?”. I understand full well that the HA team has no responsibility to secure third-party add-ons, yet I’d bet a good portion of the user base could really use a hand in better understanding the impact and how to react.
All of the above aside, I once again want to express appreciation and applaud the team for jumping on this to remedy the issue, as well as informing the user base of its existence.
If I understand it correctly there will most probably be more detailed information available later. This first announcement is mainly to inform people that something happened and alert them to be vigilant:
For those who are able to assess the situation themselves this is important and they can act immediately. For those who are not, they should probably wait for more info.
As several people, including Frenck, have mentioned, in case of any potential breach the smartest thing to do is to rotate the secrets once you are patched. Especially if it is not clear whether or what might have been stolen by the attackers.
To put it simply: “If you are unsure, rotate secrets”
Rotating secrets is harmless and it is actually a good practice even without any breach so why even think about it?
OK, to be precise, all accounts on an HA install that was affected by this vulnerability. ESPHome if you were using the HA add on/integration, not your own.
A little off topic, but just a heads-up: DuckDNS is apparently experiencing issues ATM (not resolving domains). I’ve noticed that my Google Assistant integration is reporting error 500.
Ok, but using Nabu Casa an attacker would have had to know the exact full Nabu Casa address assigned to our account. That’s far, far less likely than a port-forwarded port, which could be found by simple port scanning, right?
So the possibility of a real use of this vulnerability is far less likely with Nabu Casa, can we say that?
Although it might be the only viable course of action, rotating credentials is anything but harmless. Depending on the system and processes in place and the number of credentials impacted, it can be rather disruptive to operations.
That would be my take from the info provided so far
Slightly overwhelming, I would say, though I have no “secrets” to rotate, as I don’t expose HA through either Nabu Casa or port forwarding, and I have used various passwords (direct) in the different integrations. However, I have some of the various IP devices accessible through mobile apps, as well as Google Home (all these devices are a part of my HA environment, with “plain-text” config files). Yep, that has bothered my mind, so maybe this “issue” should make me “reconsider”… Not that I see how another plain-text file with !secrets should make a big difference.
Thanks for your response.
As with any security issue one might experience with any service or software one is using, IMHO one should rotate all credentials.
As a matter of fact, even when not affected by anything at all, one should regularly rotate all credentials on any service or platform (not limited to Home Assistant, but everything).
“Could a malicious actor, having exploited this vulnerability, potentially have access to my Google Drive, if I set up the third-party Google Drive Backup add-on?”
Yes, this is also written in the blog post: “This gives an attacker access to install Home Assistant updates and manage add-ons and backups.”
IMHO, there is no difference.
It is like saying: I was safe because no one could guess my custom hostname hahahahyou-never-guess-this-so-i-am-safe.mydomain.com
or “Nobody guesses my IP address”, which of course is not correct.
Your comment on port scanning has not much to do with this.
If any of the words used offended you in any way, apologies.
The Internet is more constructive if we assume the best of the messages and not the worst.
Examples: ‘Surprised’ as in February had no Supervisor release. ‘First CVE’ question because it did seem like that (which I want to believe is a good thing given how long HA has been around).
I am a bit confused here. Rotating credentials is something you should do regularly especially if you expose something to the internet.
Yes, it involves a non-trivial amount of work, but it shouldn’t be harmful or disruptive.
Be advised that it’s fairly easy to get a list of any site’s subdomains, including Nabu Casa, using readily available tools.
Is there proof that this vulnerability is exploited? Or did someone find this zero-day and inform the HA team of it? There are zero-days every day, and that would not mean it’s exploited already.
The vulnerability was first patched and then this message came out, so if there is no known exploited instance then this problem is maybe not that big. Now it’s known, and if your HA is not patched the problem is bigger, so patching now is important.
Was the vulnerability also possible when 2fa was active?
See the FAQ items in the blog post. Simply put: We don’t know.
Yes.
@frenck said that there were no known exploited systems. That is different from knowing that there are no exploited systems. When in doubt, prudence requires that you assume the worst and act accordingly. If you don’t, then you may well have been and continue to be compromised.
Whether you choose to do that is up to your own assessment of risk. This was a remote exploit requiring only that your HA instance be accessible via http/https from the Internet. It seems that having a reverse proxy in front of it would not have mitigated the issue, since API calls would have been passed.