Security Bulletin


It has come to our attention that certain custom integrations have security issues and could potentially leak sensitive information. Home Assistant is not responsible for custom integrations and you use custom integrations at your own risk.

The latest version of Home Assistant has extra protection to help secure your instance.

Update your Home Assistant instance as soon as possible.

To update Home Assistant, click on the Supervisor menu item to see if an update to 2021.1.3 (or newer) is available. If you do not see such an update yet, in the Supervisor, click on the System tab and click the “Reload” button at the bottom of the Supervisor card. After reloading the update should become available.

If you don’t have the Supervisor menu item, follow the update instructions.

If you cannot update Home Assistant at this time, we strongly advise you to disable all custom integrations. You can disable your custom integrations by renaming the custom_components folder inside your Home Assistant configuration folder to something else. Please be sure to restart Home Assistant after you’ve renamed it.

If you need additional help with upgrading, we are happy to help you out on our Discord chat server.

Paulus

**Edit: 15 January 2021**: Blog post updated to state 2021.1.3, which added some additional checks.
This is a companion discussion topic for the original entry at https://www.home-assistant.io/blog/2021/01/14/security-bulletin/
9 Likes

3 posts were split to a new topic: Bug with the config-checker add-on

People asked for more information. We are currently investigating the scope of the issue. We will follow up with more details. Meanwhile, update Home Assistant.

16 Likes

I do not see any security-related changes in this version's commits?

1 Like

Despite not seeing anything except “Filter” in the PR, maybe it’s time to stop and think about getting HA a little bit of pentesting?
Some open-source projects do such a thing; this could also be crowdfunded if the costs are too high.
I’m sure there would be plenty of us who would have more comfort about having the whole house and credentials in one place, properly tested by professionals (I’m not one).

3 Likes

This post is not about an issue with Home Assistant. This is about an issue with custom components that users choose to add to their own installation. Code which is not reviewed by the Home Assistant Core team.

12 Likes

Yeah, but anyway it has made me stop and think. I think it’s worth considering by the HA Core team too (or just having it through broader discussion?)
Just an idea. There are some OS projects that have security in mind and got tested for it too (like Signal). I’d love to put some euros on it too.

4 Likes

I’ve tar archived my custom_components folder and upgraded. Standing by for more information…

Is this update going to inhibit any custom_components from working at all? I don’t want to cook my system as I rely on my custom_components working…

1 Like

Looking at the commit, I would say that all (ok, most) legit custom components will be fine. It seems to be protecting against a custom component doing a few select (suspicious) things. These are the tests for the new security logic; anything matching would be flagged:

```python
# (request_path, request_params) pairs that the new filter must reject
("/", {"test": "/test/../../api"}),
("/", {"test": "test/../../api"}),
("/", {"sql": ";UNION SELECT (a, b"}),
("/", {"sql": "concat(..."}),
("/", {"xss": "<script >"}),
```

And even then, it throws a warning, and kills only the bad request it seems:

```python
# FILTERS is the compiled regex of known exploit patterns; raw_path is the
# request target (path plus query string) exactly as the client sent it.
if FILTERS.search(request.raw_path):
    _LOGGER.warning(
        "Filtered a potential harmful request to: %s", request.raw_path
    )
    # aiohttp's HTTPBadRequest: the offending request gets a 400, nothing else
    raise HTTPBadRequest
```
2 Likes
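A stand-alone illustration of that filtering logic, added here as an example and not taken from the Home Assistant code base or the linked commit: a hypothetical pattern list of the same shape as the cases in the quoted tests (path traversal, `UNION SELECT`, `concat(`, a script tag), applied to the raw request target. The regex, the decode-before-match step and the function names `raw_path`, `is_suspicious` and `handle` are assumptions of this example; the real filter is in the linked compare view.

```python
import re
from urllib.parse import urlencode, unquote_plus

# Hypothetical patterns constructed for this example (not the project's own list).
SUSPICIOUS = re.compile(
    r"(?:"
    r"(?:^|/|=)\.\./"              # directory traversal such as /test/../../api
    r"|union\s+(?:all\s+)?select"  # SQL injection: UNION [ALL] SELECT
    r"|\bconcat\s*\("              # SQL injection: concat(
    r"|<\s*script\b"               # reflected XSS: <script or <script >
    r")",
    re.IGNORECASE,
)


def raw_path(path, params):
    """Build the raw request target (path + percent-encoded query) as a client sends it."""
    return path if not params else f"{path}?{urlencode(params)}"


def is_suspicious(raw):
    """True if the request target matches a known exploit pattern.

    The target is URL-decoded first so that %2F..%2F or %3Cscript%3E do not
    slip past the patterns; that decode step is a choice made for this example.
    """
    decoded = unquote_plus(raw)
    return SUSPICIOUS.search(decoded) is not None


def handle(path, params):
    """Mimic the middleware: return (status, reason) instead of raising."""
    raw = raw_path(path, params)
    if is_suspicious(raw):
        # The real middleware logs a warning and raises HTTPBadRequest here.
        return 400, f"Filtered a potential harmful request to: {raw}"
    return 200, "ok"


if __name__ == "__main__":
    # The five cases from the quoted tests plus two ordinary API calls.
    cases = [
        ("/", {"test": "/test/../../api"}),
        ("/", {"test": "test/../../api"}),
        ("/", {"sql": ";UNION SELECT (a, b"}),
        ("/", {"sql": "concat(..."}),
        ("/", {"xss": "<script >"}),
        ("/api/states", {}),
        ("/api/history/period", {"filter_entity_id": "sensor.outside_temp"}),
    ]
    for path, params in cases:
        status, reason = handle(path, params)
        print(status, raw_path(path, params), "->", reason)
```

Two things worth noting from running it: matching on the decoded target is what makes the percent-encoded form of `<script >` (`%3Cscript+%3E`) trip the filter, and, as the replies below point out, this only inspects requests arriving at the HTTP layer. Code already running inside the process is not constrained by it.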

No, it’s just advice.

Anything making a request that matches those (basic) security vuln tests.
Custom components already have a lot more permissions and don’t need to attack HA via HTTP requests…

I’m not a developer, just a spectating user, but here’s the relevant part of the .2 commit: https://github.com/home-assistant/core/compare/2021.1.1...2021.1.2#diff-fcd766ca652cf2b9cb54a1c6edf81083c1a3857870a87d33d84f37e2aa2f616e

There’s some new logic to log (and prevent?) “request[s] and block commonly known exploit attempts”

I imagine someone found a custom_component out there acting in bad faith. We should wait for their official update; so far the HA team has handled these well imo and I appreciate this warning going up while they investigate further.

6 Likes

Make a snapshot. Update. If it does, you can simply revert. This should be standard update procedure anyways.

1 Like

It may not be deliberate by the custom component. Just that input isn’t being sanitised and is therefore exploitable.

1 Like

Good point, thanks. Due to my line of work I typically jump to malicious actors, because I’ve seen it all!

That is my standard procedure but I’m currently away from home so reluctant to risk the update. On top of everything else HA waters my garden and it’s hot in Perth this week!

5 Likes

15 posts were split to a new topic: Managing secrets

I get that it’s not about HA, but you didn’t say how or what about 2021.1.2 addresses the issue.

3 Likes

To update Home Assistant, click on the Supervisor menu item

Do you mean Hass.io? I’m so confused. There’s a big issue with the naming of different parts of this project that needs to be resolved. The name “Home Assistant” is ambiguous. It can refer to the core project or to the entire distribution. The main web site is not perfectly clear about that either. A first-time visitor may think that they need a Raspberry Pi to use Home Assistant. In reality there are many different distributions that include different components and operate slightly differently. For example, I use a Home Assistant docker container on my NAS that doesn’t have a supervisor.

3 Likes