Just read this article:
Looks like Home-Assistant amongst others does not fare well.
I would not expose any container fully to the internet but I am interested in the view of the devs
another link here:
As far as I can tell, looking at their published list of all of the containers, the homeassistant/home-assistant
container has 0 "Open Vulnerabilities" and a "Kenna score" of 0.
Sounds good to me, if I'm reading that right.
Seems to be an error? If you read the report, it seems that there are a lot of issues.
Or they fixed all 721 of them overnight.
So where's that report?
Maybe I missed it, but the article doesn't mention HA and the only outside link to what containers have issues seems to be the one I linked to, which shows 0.
EDIT:
Found it, the specific report for that HA docker container can be found here, though it's just a json file.
There are 4,097 total issues listed.
There are 14 items listed as "Severity": "CRITICAL".
There are 695 items listed as "Severity": "HIGH".
There are 3,236 items listed as "Severity": "MEDIUM".
There are 152 items listed as "Severity": "LOW".
Pascal or maybe Paulus would be the best ones to give answers.
Or they fixed all 721 of them
More like all 4,097, though I'd settle for the top 709 being fixed, lol.
The original article (the TechRepublic one) says
Home Assistant, which was last updated on June 25, has 721 open vulnerabilities with the most critical scored 760
Which is where I got that number from. No idea where they got it from.
I'm going to preface this by saying I'm no expert, but here is my take on it. Feel free to correct me if anything is wrong.
It looks like the tool is just getting a list of installed packages and their versions and then checking that against known vulnerabilities in those packages. None of the vulnerabilities appear to come from Home Assistant itself (although that doesn't mean none exist) but rather from the assortment of libraries used to make it work. There are at least some from low level system utilities that you could find on any number of Linux installations (apt, bash, and binutils are the first ones in the list).
Just based off an initial glance over some of the vulnerabilities listed, it's really hard (for me at least) to understand the implications in terms of HA. It would require an actual dev to investigate each one, but I'm going to guess that most of them are unlikely to be used in an exploit to gain access to the system directly from outside. However, if your system is compromised somehow, then each vulnerability increases the likelihood that someone can leverage one of them to get further access to the system and cause even more problems.
I'm also not really sure what some of the libraries with vulnerabilities are used for. A whole bunch of them seem to be from ImageMagick and other image processing related libraries. I can't see why these would be needed unless you have cameras set up. I thought HA only installed dependencies for integrations you actually use, but maybe there are some that get installed regardless.
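The two posts above do by hand what a short script does better: the earlier one counts findings per "Severity" in the scanner's JSON, and this one asks which packages the findings actually come from (base-OS utilities such as apt, bash and binutils versus ImageMagick-style image libraries). The following is an added example, not code from the thread, from Kenna Security or from the Home Assistant project. It runs on a constructed sample report embedded inline; only the "Severity" key is quoted in the thread, so the other keys ("CVE", "Package", "Version"), the package buckets and the placeholder CVE ids are assumptions about the report shape, not the real schema. It also shows that the raw finding count and the number of distinct CVEs differ when the same package version is listed repeatedly, which is one thing to check when two sources quote different totals for the same image.

```python
import json
from collections import Counter

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample in the shape of a scanner report: one object per finding.
# The "Severity" key matches what the post quotes; every other key, the package
# names and the CVE ids (CVE-0000-000N are placeholders, not real CVEs) are
# assumptions made for this example. The first finding is listed twice on purpose.
SAMPLE_REPORT = json.dumps([
    {"CVE": "CVE-0000-0001", "Package": "bash", "Version": "5.0-4", "Severity": "HIGH"},
    {"CVE": "CVE-0000-0001", "Package": "bash", "Version": "5.0-4", "Severity": "HIGH"},
    {"CVE": "CVE-0000-0002", "Package": "binutils", "Version": "2.31", "Severity": "MEDIUM"},
    {"CVE": "CVE-0000-0003", "Package": "imagemagick", "Version": "6.9", "Severity": "CRITICAL"},
    {"CVE": "CVE-0000-0004", "Package": "imagemagick", "Version": "6.9", "Severity": "HIGH"},
    {"CVE": "CVE-0000-0005", "Package": "libmagickcore", "Version": "6.9", "Severity": "MEDIUM"},
    {"CVE": "CVE-0000-0006", "Package": "apt", "Version": "1.8", "Severity": "LOW"},
])

# Heuristic buckets for the triage question in the post (base-OS packages versus
# image-processing libraries). Constructed lists; extend them for a real report.
BASE_OS = {"apt", "bash", "binutils", "coreutils", "libc6"}
IMAGE_PROCESSING = {"imagemagick", "libmagickcore", "libpng", "libjpeg", "libtiff"}


def load_findings(text):
    """Parse the report and keep only entries that carry a Severity field."""
    return [f for f in json.loads(text) if "Severity" in f]


def count_by_severity(findings):
    """Raw finding count per severity, in CRITICAL..LOW order (what the post counted)."""
    counts = Counter(f["Severity"].upper() for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def unique_cves(findings, min_severity="LOW"):
    """Distinct CVE ids at or above min_severity; duplicates of one finding collapse."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    return {f["CVE"] for f in findings
            if SEVERITY_ORDER.index(f["Severity"].upper()) <= cutoff}


def top_packages(findings, n):
    """Packages with the most findings, ties broken by name so the order is stable."""
    counts = Counter(f["Package"] for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def classify(package):
    """Bucket a package by the heuristic lists above."""
    if package in BASE_OS:
        return "base-os"
    if package in IMAGE_PROCESSING:
        return "image-processing"
    return "other"


def cves_by_category(findings):
    """Number of distinct CVEs per bucket, so one noisy package does not dominate."""
    buckets = {}
    for f in findings:
        buckets.setdefault(classify(f["Package"]), set()).add(f["CVE"])
    return {cat: len(cves) for cat, cves in sorted(buckets.items())}


def triage(text):
    """Summary a maintainer would want before reading 4,000 individual entries."""
    findings = load_findings(text)
    return {
        "total_findings": len(findings),
        "by_severity": count_by_severity(findings),
        "unique_cves": len(unique_cves(findings)),
        "unique_critical_high": len(unique_cves(findings, "HIGH")),
        "top_packages": top_packages(findings, 3),
        "by_category": cves_by_category(findings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

To run it against the real file, replace `SAMPLE_REPORT` with the file contents and adjust the key names to whatever the report actually uses; the severity count is the only field name the thread confirms.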
Super publicity for Kenna Security lol. Kudos on beating up needless hysteria IMO.
I agree that this is largely a self promotional activity but it does speak to the underlying quality of the base containers and build scripts that are being used to produce these containers.
The whole point of micro-services/containers is to only expose the minimum that is needed to the outside world. However some containers, esp. HA, sort of expect to have HOST networking so they can perform discovery etc.
Surely we could do something for the base container vulnerabilities?
Expect is not demand and discovery is not required.
I have never used host and never will.
Debian base had unknown flaws. I don't think it's unreasonable to expect that to be secure. In general a lot is reduced by not running as root user, and most people fail here.
People are not perfect and flaws occur. Some of these researchers are mostly repeating past reports re: docker flaws. If you use BobbyJimmy/Debianbase:0.8, of course you are taking a huge risk. Bitnami images were previously reported as insecure, same as Debian, and the rest of those reported look like randoms.
Ultimately, docker must work to improve "official" images since I guess these are partially their responsibility, but this report doesn't seem to report anything new. I think "don't run as root or use random images" is the current solution?
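The last two posts reduce the advice to "don't run as root or use random images". Both are checkable from the Dockerfile before an image is ever built, and the following added example (not code from the thread or from any project mentioned in it) does that check over two constructed Dockerfiles embedded inline: a weak one built from the poster's hypothetical `BobbyJimmy/Debianbase:0.8` (lowercased, since Docker repository names must be lowercase) with no `USER`, and a hardened one pinned to a digest that runs as an unprivileged UID. The digest in the hardened file is an all-zero placeholder, not a real Debian digest. The "official library" test is a heuristic (an image reference without a namespace), so a project's own image under its own namespace will be flagged as needing a trust decision rather than as wrong.

```python
import re

# Constructed sample: no USER instruction, unpinned base image from a random namespace.
# The namespace is the thread's own hypothetical example, lowercased.
WEAK_DOCKERFILE = """\
FROM bobbyjimmy/debianbase:0.8
RUN apt-get update && apt-get install -y python3
COPY app /app
CMD ["python3", "/app/main.py"]
"""

# Constructed sample: official-library base pinned by digest (placeholder digest,
# all zeros, not a real one) and a non-root UID for the final stage.
HARDENED_DOCKERFILE = """\
FROM debian:bullseye-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y --no-install-recommends python3 \\
    && rm -rf /var/lib/apt/lists/* \\
    && useradd --system --no-create-home --uid 10001 app
COPY app /app
USER 10001
CMD ["python3", "/app/main.py"]
"""


def _instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs, joining line continuations and skipping comments."""
    joined = re.sub(r"\\\n", " ", dockerfile)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def final_base_image(dockerfile):
    """Image reference of the last FROM (the stage that actually ships), ignoring flags and AS."""
    image = None
    for ins, arg in _instructions(dockerfile):
        if ins == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]
            image = tokens[0]
    return image


def runs_as_root(dockerfile):
    """True if the final stage ends with no USER, USER root or USER 0.
    Assumption: every stage starts as root (the base image's own USER is not known here)."""
    user = "root"
    for ins, arg in _instructions(dockerfile):
        if ins == "FROM":
            user = "root"
        elif ins == "USER":
            user = arg
    return user.split(":")[0] in ("root", "0")


def image_issues(ref):
    """Heuristic checks on an image reference: namespace, digest pin, floating tag."""
    issues = []
    repo_path, _, digest = ref.partition("@")
    last_segment = repo_path.rsplit("/", 1)[-1]
    _, _, tag = last_segment.partition(":")
    if "/" in repo_path:
        issues.append("base image is not from the Docker official library")
    if not digest.startswith("sha256:"):
        issues.append("base image is not pinned by digest")
    if tag in ("", "latest"):
        issues.append("base image uses a floating tag")
    return issues


def lint(dockerfile):
    """All findings for one Dockerfile; an empty list means both pieces of advice are followed."""
    image = final_base_image(dockerfile)
    if image is None:
        return ["no FROM instruction"]
    findings = image_issues(image)
    if runs_as_root(dockerfile):
        findings.append("final stage runs as root (no USER, or USER root)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, lint(text) or "ok")
```

The digest pin matters for the "random images" point as much as the namespace does: a tag like `0.8` can be re-pushed with different contents, whereas a digest names exactly one image manifest.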