Disclosure: Supervisor security vulnerability

You’d be surprised how many enterprise orgs don’t orchestrate/automate this task and as a result, end up with years-old credentials/keys/etc., “because it’s too much work”, or because it could potentially disruptive to 24/7 operations. Take that and mix it with password reuse and you could end up with quite a pickle, to say the least.

On a home user level, let’s say you have a Google account with, Gmail, Calendar, Drive and Photos integrated into HA. Now, let’s say you have four of these also integrated with three other systems, not to mention your phone, laptop and tablet. Rotating just the above involves change of password, 2fa factors (hope you have more than one), getting 12 new API keys(unless you’re reusing them) and finally reconfiguring your systems with new keys and re-logging into your hardware devices. And that’s just for your Google account. If you add a dozen more accounts/systems/services into the mix, you end up with an hour or two worth of tedium that most simply dread.

Again, I’m not saying it’s a good thing to ignore this, I’m saying that’s how quite a number of users look at this topic and consequently how you end up with breaches.

3 Likes

Pleased to see the disclosure being made quickly, can’t say if I want more details or not as I don’t really understand what’s happened anyway. :joy:

Supervisor is on the latest version, so I’ll go rotate creds and hope for the best. Have to admit, something being a critical vuln for six years did my the hairs stick up on the back of my neck.

Should I have a notification in HA for this, as I don’t? Only aware of it as I someone RTd it on Twitter.

Only if you haven’t updated to the latest Supervisor, if I remember what Frenck posted up the page a bit.

1 Like

@frenck , my point is that while you and I can make an informed decision based on the announcement, an average user can not. Hence, I’m suggesting that the messaging takes that into account.

9 Likes

Holy shit! Thanks for pointing that out… I was thinking due to the weird URL it wouldn’t be able to easily guess my exact domain on Nabu Casa… but yes this is an actual clusterfuck.

If a bad actor found this exploit somewhere in the last 6 years, which I assume is quite likely… he basically had access to all Nabu Casa’s instances home assistant backups. He had access to all those peoples networks (just push a malicious addon to install a remote access trojan).

All he had to to was simply have to scan this whois site and write a script calling the API’s of all those dns names and download the backups and install the trojan horse. That would piggy back him into your personal network allowing him to potentially exploit other devices connected to your network.

1 Like

Pretty much. I found it ironic how people think that using the Nabu Casa service made their instance safer somehow. In fact, the reliance on subdomains basically serves all instances on a silver platter and opens the door for fully automated infections, without the need for port scanning or probing of any kind (which could raise red flags). It’s going to be interesting to read up on the details of the attack vector once it is published (they probably give it some time to allow people to update before making the technical details public).

Glad I never used the Supervisor.

2 Likes

Well, I have at least a “best worst case scenario”.

My HomeAssistant instant is behind Cloudflare (with highest security settings, so hopefully no scripted attacks) and nginx (all non-Cloudflare IPs blocked) and I have set up a geofilter that only allows IPs from countries that are necessary for my services or where I am.

Did this update break the “Documentation” tab on all add-ons for anyone else? Every single add-on gives me this error after updating

If I restore to the previous version from the back up that was taken when the update was applied, I no longer get this error.

No issue on my end for the add-on documentation on latest Supervisor.

I’ll re-apply the update then and see if it was just a bad install

I have the same error.

We’ll actually I am not sure how deep is the impact? So are only credentials have to be seen as compromised. Or should I go for a fresh install of home assistant? I mean, if someone is actually having the possibility to manage addons. How deep could someone get into our system? As @PeeDee mention could someone install a trojan via addon into homeassistant and execute it. Then remove the addon so nobody suspects?

Credential rotating… okay kinda logic and should be straight forward. But is this actually enough? A compromised system could leak that data immeadiatly again.

I just want to point out that using nabu casa. For me at least in germany in the part of the remote access Nabu casa explicitly is saying “Home Assistant Cloud bietet eine sichere Remote-Verbindung zu deiner Instanz” (freely translated to “Home Assistant Cloud provides a secure remote connection to your instance”). In my opinion this is definetly misleading. There should be no unauthorized routing to the local instance at all, maybe authorizing at least with the nabu casa credentials on the nabu-casa servers.

But at all I still love home assistant :slight_smile: Just a good product, those things happen, everytime, everywhere. We just should mitigate the impact.

FYI: If not said by anyone: To logout all users, changing password is not enough. By deleting all refresh tokens in “/config/.storage/auth” (Can be access with File editor addon, but you have to remove it from file exclusion in configuration) all users will be logged out and forced to login again. But be aware messing this file up could maybe brick the system.

Yeah I reinstalled the update and the error returns.

Did you set up authenticated origin pulls? Blocking non-cloudflare IPs is fine I guess but since cloudflare is itself a PaaS it’s not really a solution. Anyone can host a custom service on cloudflare so traffic coming from cloudflare isn’t necessarily trusted. Also I mean ip address spoofing is a thing.

Hence why they recommend the authenticated origin pulls option. That’s what guarantees traffic coming to your reverse proxy came through your WAF.

2 Likes

IT’s the latest “Core” update the caused it, so this is not the place-holder for this topic

The deepness? You should consider that there is a high chance your HA instance and the device running it compromised and potentially infected. IF any bad actor found out about this before it was fixed it would have been sooooo easy to fully own all public and Nabu Casa HA instances.

If also you didn’t separate your Home Assistant device to for example a guest of IOT network potentially more devices could be owned.

1 Like

sorry to be a simple soul, but, even that terminology seems shop talk. If we are advised to change our password (or even full credentials meaning login user name and password) for HA, or HA and all used add-ons, I feel that should be made explicit in the most simple of terms.

Rotate credentials could imply other measures than changing ones pw, and we need to be 100% sure what is meant by the terminology unambiguously

Added to that, should we do that for all registered users and devices too?

A yes would be a true pain here, as I can not believe a single person here does so on a regular base… that would be over 30 combinations each periodic change.

Not adding to the trouble we would have for allowing registered users to login, remotely or locally, and what that would do to our registered device_trackers (the iOS app is notoriously troublesome at that)

Lastly, if subscribing to Nabu Casa does not make life safer than logging in remotely through our own services (like the mentioned DuckDNS or likewise services), I must confess to have been misunderstanding my long standing subscription to that service completely…

6 Likes

Well but those addresses must have been spidered somehow, maybe disclosed by their owners or at Nabu Casa they’re managing it very badly…
I also manage subdomains for my customers (nothing to do with home assistant) and third level domains are not available anywhere… They’re evaluated at web requests and if they matches the correct tunnel is served.
Do you know about other ways?

Frenck I respect you and I love your work but you’re a little rude sometimes.
Port scanning is what an Hacker will do knowing that a certain service has a vulnerability to find targets manually or automating using a script to find targets with a not updated software.
Or maybe using a dedicated search engine like this: https://www.shodan.io/search?query=Home+Assistant
This will list you all instances that has “Home Assistant” in the http reply. And there you can find all people that are using port forwarding as they expose that port to port scanning (that is what shodan is doing to index those data)
That’s different for Nabu Casa users that has no open ports to target in a port scan.
You have to know that exact subdomain to be coupled to the private tunnel of that home assistant instance…
And to prevent brute force trying it’s enough for Nabu Casa to add an increasing lockout time for each ip source that is trying a wrong subdomain…
I’m I so wrong in your opinion? Why?

5 Likes

Yes, I enabled authenticated origin pulls in cloudflare. I set the origin certificates generated by Cloudflare in nginx. However, I did not use WAF, but Cloudflare Zero Trust Access.

Of course it’s not perfect but still better than just nginx with lets encrypt which wouldn’t have helped at all against this vulnerability. Even though i was still vulnerable i made it less intuitive and easy to abuse. No nabu casa subdomain, security check of visitor by Cloudflare and confinement to IPs from certain countries only. People outside those countries wouldn’t even know a HA-Instant exist behind my Domain. Both my HA-Instant and nginx are running in separate VMs (with nginx as well as a firewall for the VM set up to only accept Cloudflare IPs). Both are backed up regularly, which would allow me to roll back if I notice a compromise.

Do you think there is still room for further improvement?

1 Like