My Home Assistant configuration… IT’S ALIVE

NightRanger · May 9, 2018, 6:25am

@ntalekt Thanks for sharing!

Your system in its current configuration may be vulnerable to authentication bypass

This section in your configuration.yaml

http:
  api_password: !secret ha_password
  trusted_networks:
    - 192.168.1.0/24
    - 127.0.0.1
  ip_ban_enabled: True
  login_attempts_threshold: 3
  use_x_forwarded_for: True

I warned about it here almost a year ago and yesterday an issue was opened in the HA git by a concerned user

github.com/home-assistant/core

Security issue, unauthorized trusted access by spoofing x-forwarded-for header

opened 05:21PM - 08 May 18 UTC

closed 01:16PM - 28 Jun 18 UTC

ayavilevich

**Home Assistant release with the issue:** 0.68.1 but probably older versions t…oo **Last working Home Assistant release (if known):** N/A **Operating environment (Hass.io/Docker/Windows/etc.):** Hassbian but should be applicable to other deployment methods **Component/platform:** http **Description of problem:** There is a bug in HA that in certain conditions will allow a person to spoof a trusted source address and bypass password authentication. Conditions: - “trusted_networks” is defined with IP values - “use_x_forwarded_for: True” - A reverse proxy is used (i.e nginx) - Attacker can guess one of the IPs in the trusted list (i.e. 127.0.0.1) - API password is set (or else there is nothing to bypass) Use case: Attacker adds a spoofed x-forwarded-for header with an IP that is in the trusted list. HA grants access without asking for a password. Cause: https://github.com/home-assistant/home-assistant/blob/master/homeassistant/components/http/real_ip.py#L22 Uses the first IP in the header which can be spoofed. Only the last IP in the header is guaranteed to be non-spoofed assuming a valid reverse proxy is in place. https://en.wikipedia.org/wiki/X-Forwarded-For : Format : _“where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as remote address of the request. Since it is easy to forge an X-Forwarded-For field the given information should be used with care. The last IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario.”_ **Problem-relevant `configuration.yaml` entries and (fill out even if it seems unimportant):** ```yaml http: # Secrets are defined in the file secrets.yaml api_password: !secret http_password use_x_forwarded_for: True trusted_networks: - 127.0.0.1 ``` **Traceback (if applicable):** ``` ``` **Additional information:** Work around: Disable trusted_network setting, remove reverse proxy or limit network access to authorized individuals only. Problem first noticed first by https://community.home-assistant.io/u/NightRanger . Reference: https://community.home-assistant.io/t/trusted-networks-and-x-forwarded-for/20850 I would issue a PR but I don’t have the right environment to test this. Hopefully somebody who uses this setup can apply the fix and test it.

I would remove the x-forwarded-for and trusted networks from the configuration when using reverse proxy.