Security Disclosure 2: vulnerabilities in custom integrations HACS, Font Awesome and others

⚠️ If you don’t see the update yet:

Go to the Supervisor panel -> System tab -> Hit reload on the Supervisor.

After that, the update will appear (might need to refresh the page in your browser).


Hi. Thank you for the transparency! Much appreciated. In the category “dumb questions”: there is talk of “update your credentials”; are the credentials meant here those for the custom integration (like HACS) or the main Home Assistant credentials?

The directory traversal attack allowed attackers to access your .storage folder or your secrets.yaml where all your credentials to external services like AWS, Spotify, Tradfri etc. are stored. So you’d have to change all of them.
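To make the traversal class of bug concrete, here is an added example (not code from Home Assistant, HACS or any of the affected integrations): a hypothetical integration serves files from a `www/` directory, and the hardened resolver refuses any request whose canonical path lands outside that directory. The directory layout, file names and request strings are constructed for the demonstration; the `.storage` and `secrets.yaml` names are the ones mentioned above.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def naive_join(base_dir: str, requested: str) -> str:
    """The bug pattern: join the request path onto the base directory and open
    whatever results. '..' segments are honoured, so the caller can walk up
    out of base_dir."""
    return os.path.join(base_dir, requested)


def resolve_under(base_dir: str, requested: str) -> Optional[str]:
    """Hardened form: return the absolute path for `requested` only if it stays
    inside base_dir, else None.

    `requested` must already be URL-decoded (decode first, then check, so that
    '%2e%2e' cannot slip past as literal text). Both sides are canonicalised with
    realpath so that '..', duplicate slashes and symlinks are resolved before the
    containment test.
    """
    if "\x00" in requested or os.path.isabs(requested):
        # Null bytes truncate paths in some C-level APIs; absolute paths would make
        # os.path.join discard base_dir entirely. Reject both outright.
        return None
    base_real = os.path.realpath(base_dir)
    target_real = os.path.realpath(os.path.join(base_real, requested))
    try:
        inside = os.path.commonpath([base_real, target_real]) == base_real
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        inside = False
    return target_real if inside else None


def build_demo_tree() -> Dict[str, object]:
    """Constructed layout (hypothetical): a config dir holding secrets.yaml and
    .storage/, and a www/ dir the integration serves from. A symlink inside www/
    pointing back at the config dir is planted to show realpath catching it."""
    config = tempfile.mkdtemp(prefix="ha-demo-")
    www = os.path.join(config, "www")
    os.makedirs(os.path.join(www, "css"))
    os.makedirs(os.path.join(config, ".storage"))
    for rel in ("secrets.yaml", os.path.join(".storage", "auth"),
                os.path.join("www", "css", "site.css")):
        with open(os.path.join(config, rel), "w") as fh:
            fh.write("# constructed demo file\n")
    symlinked = True
    try:
        os.symlink(config, os.path.join(www, "escape"))
    except (OSError, NotImplementedError):
        symlinked = False  # symlinks unavailable (e.g. unprivileged Windows)
    return {"config": config, "www": www, "symlinked": symlinked}


# Constructed request paths as they would arrive on the wire, with the decision
# the hardened resolver should reach for each.
DEMO_REQUESTS = {
    "css/site.css": True,
    "css//../css/site.css": True,             # normalises to css/site.css
    "../secrets.yaml": False,
    "../.storage/auth": False,
    "css/%2e%2e/%2e%2e/secrets.yaml": False,  # encoded '..', decoded before the check
    "/etc/passwd": False,                     # absolute path
    "css/site.css\x00.png": False,            # embedded null byte
}


def classify_demo_requests() -> Dict[str, bool]:
    """Run every constructed request through resolve_under; True means served."""
    tree = build_demo_tree()
    requests = dict(DEMO_REQUESTS)
    if tree["symlinked"]:
        requests["escape/secrets.yaml"] = False  # leaves www/ via the symlink
    return {raw: resolve_under(str(tree["www"]), unquote(raw)) is not None
            for raw in requests}


if __name__ == "__main__":
    for raw, served in classify_demo_requests().items():
        print(f"{'serve ' if served else 'reject'} {raw!r}")
```

The order of operations is the point: decode the request path once, canonicalise with `realpath`, then compare with `commonpath`. String checks for `..` on the raw URL miss encoded dots and symlinks, which is why the naive join keeps turning up in file-serving code.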

Thank you. Will do.

If you have used any of the custom integrations with a known vulnerability, we recommend that you update your credentials.

Custom components run under HA core. So the recommendation means ALL credentials visible to HA core docker instance? Including ssl folder?

Is the data in addons folder safe?

Could someone in the know please answer this too?

What accounts do you mean? (Asking because I’m wondering if I missed something.)

  • All HA user accounts changed
  • All refresh/long tokens deleted/regenerated
  • SSH keys regenerated
  • SSL keys regenerated (including Lutron)
  • All addon passwords changed
  • All API keys regenerated
  • All other credentials (email etc) in secrets.yaml changed
  • Companion Apps updated
  • HA updated (again)
  • All dashboard devices cache cleared
  • Nabu Casa password changed also just because

Sounds like a lot but took less than an hour. The one thing I haven’t changed is my Nest API. Still on the original integration and don’t want to mess with it.

And yes, thanks for being on top of this, devs - including the integration devs!

Can someone if possible shed some light on what is causing these vulnerabilities and what to look out for when using custom components?

I use a few custom components that are not very common and I would like to be able to know if they are safe. I guess the new core update has put firewalls in place so that the risk is less now, but it still feels like I have no idea how to decide if I can trust a custom component or not. I can understand code pretty well, so is there anything in particular to look out for?

Just to be sure…

If the only access to my HA instance from the outside is via Nabu Casa (or via an encrypted-key protected private VPN) then I should not have been prone to any attacks? Is that correct?

Under configuration/users there are numerous system generated users that are uneditable.


I’ve been through much bigger security issues at much bigger companies, and I would like to say that I thought this was handled well and with the right level of openness. If you’ve never had to be on the owner side of this kind of an issue, the sequencing of the patches and messaging may seem strange, but there is a myriad of considerations to be balanced.

I’d like to add my thanks to the team for making HA awesome and a fantastic community!


Unfortunately these things happen. I would however like to take this opportunity to once again start the discussion about supporting reverse proxy authentication through nginx.
There have been many discussions on GitHub about this and the current status is that the development team does not feel they have to support nginx because a safe method of remote authentication is provided through Nabu Casa.
I disagree. A second layer of authentication could have prevented our instances from being exposed.
Home Assistant is the only one of many applications I host that does not reside behind my nginx authentication wall. I have never felt comfortable about this and this feeling has only become worse now.

Please reconsider implementing support for nginx.

Edit: for clarification, nginx is supported, but everything breaks when you add HTTP auth or x509 certificates.


If I did not use any of the integrations, then am I safe from this attack? I still plan on changing all my passwords today just to be safe.

I can do the following in an infinite loop without ever having to authenticate:

  1. Pick up a device or browser that has previously logged into my HA instance
  2. Navigate Configuration -> Users -> {me} -> Change Password
  3. Change password
  4. Continue navigating my HA system as normal on that device and all other devices/browsers

Shouldn’t I have to authenticate before 3 and again before 4? Is there a way to set things up so that either of those would be required? Without it, anyone who gained access to my system still has it even though I have a new password.

EDIT: I found the login session/refresh tokens under the profile for my user, and they can be deleted one-by-one. I presume this will fix the login before 4 if I delete all tokens.

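The behaviour the post above asks for (re-authenticate before a password change, and have the change invalidate every other device’s session) is easy to show in a small model. The following is an added example with a hypothetical `AuthStore`; it is not Home Assistant’s auth code, and the user name, passwords and client names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RefreshToken:
    """One long-lived session held by a device or browser."""
    token_id: str
    user_id: str
    client_name: str
    issued_at: float
    revoked: bool = False


class AuthStore:
    """Hypothetical store of users (salted PBKDF2 password hashes) and the refresh
    tokens their devices hold. The design point is in change_password()."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user_id -> (salt, hash)
        self._tokens: Dict[str, RefreshToken] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def create_user(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash(password, salt))

    def verify_password(self, user_id: str, password: str) -> bool:
        record = self._users.get(user_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login(self, user_id: str, password: str, client_name: str) -> Optional[str]:
        """Issue a refresh token for this device if the password is right."""
        if not self.verify_password(user_id, password):
            return None
        token_id = secrets.token_urlsafe(32)
        self._tokens[token_id] = RefreshToken(token_id, user_id, client_name, time.time())
        return token_id

    def is_token_valid(self, token_id: str) -> bool:
        token = self._tokens.get(token_id)
        return token is not None and not token.revoked

    def active_clients(self, user_id: str) -> List[str]:
        return [t.client_name for t in self._tokens.values()
                if t.user_id == user_id and not t.revoked]

    def change_password(self, user_id: str, current_password: str,
                        new_password: str, keep_token: Optional[str] = None) -> int:
        """Require the current password (the re-authentication step before the
        change), store the new hash, then revoke every refresh token the user
        holds except `keep_token`, the session performing the change.
        Returns the number of tokens revoked."""
        if not self.verify_password(user_id, current_password):
            raise PermissionError("current password does not match")
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash(new_password, salt))
        revoked = 0
        for token in self._tokens.values():
            if token.user_id == user_id and not token.revoked and token.token_id != keep_token:
                token.revoked = True
                revoked += 1
        return revoked


def demo_scenario() -> dict:
    """Replay the thread's scenario with constructed data: one user logged in on
    two devices, then a password change made from the laptop."""
    store = AuthStore()
    store.create_user("me", "old-password")
    phone = store.login("me", "old-password", "phone")
    laptop = store.login("me", "old-password", "laptop")
    revoked = store.change_password("me", "old-password", "new-password", keep_token=laptop)
    return {
        "revoked": revoked,
        "phone_still_valid": store.is_token_valid(phone),
        "laptop_still_valid": store.is_token_valid(laptop),
        "old_password_works": store.verify_password("me", "old-password"),
        "new_password_works": store.verify_password("me", "new-password"),
        "remaining_clients": store.active_clients("me"),
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

Without the revocation loop, step 4 of the post works exactly as described: the old tokens stay valid and a new password changes nothing for whoever already holds one. Deleting the tokens by hand from the profile page, as the EDIT notes, is the manual version of the same step.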

Ah, those system accounts. Honestly, I figured since they were system generated accounts the system would take care of them. It is a good question, now you’ve got me curious also. Thanks for clarifying.

What I don’t understand is why it was fully disclosed to the public before it was checked to be fixed, ideally by the security researcher.

I discovered the update incidentally when surfing the Supervisor.

While it is shown there, the binary_sensor.updater still reports

release_notes: 'https://www.home-assistant.io/latest-release-notes/'
newest_version: 2021.1.4

As we all learned how (time) critical updates are and my notification automations rely on this sensor amongst others, I was wondering

  1. what triggers the binary_sensor.updater sensor to become aware of a newer version
  2. what the “security update” notification/information introduced recently would look like and if it should’ve been triggered for 2021.1.4 users when 2021.1.5 became available
  3. on a long-term if there’re plans to provide update notifications by default (ship with HA Core)

I spent many hours creating such notifications on my own… because “security is number 1 priority” 🙂

For screenshots and update notifications for other components I can recommend having a look at @CentralCommand’s great work in this topic:

Paulus, you handled a difficult situation very well. As others have commented, this type of thing happens, but it is the response to the issue that is even more important. Thank you to you, the core team and the wider “senior” community members who I am sure are putting in hours way over and above what you expected.

This has happened to many services before and will again, unfortunately. Your response to the issues has been an example of how others (and in many, many cases much, much bigger organisations) should act in these situations.

I got this security bulletin and updated to latest version a couple of days ago.
Working fine until now, when it kicked me out of my app. After digging further, it turns out the Nabu Casa account had just pushed the update to me and killed the token as it didn’t recognise my update.

Signed out and back in, agreed to the terms on Nabu Casa and working again?

Kudos again devs!