Home Assistant is an open-source home automation platform that allows users to control and automate smart devices in their homes. Like any software, it is not immune to vulnerabilities. In this article, we discuss two CVEs reported for Home Assistant and fixed in version 2023.9.0, namely CVE-2023-41894 and CVE-2023-41893. We also discuss a serious security vulnerability discovered in the Home Assistant Supervisor component, which is responsible for system management.
CVE-2023-41894 is an authentication bypass vulnerability that allows webhooks to be accessed via a *.ui.nabu.casa URL without authentication. The issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant instance, so the forwarded request appears to originate locally[2]. This vulnerability has been addressed in version 2023.9.0, and all users are advised to upgrade[2].
CVE-2023-41893 is an access token manipulation vulnerability that allows attackers to manipulate user access by altering the redirect_uri and client_id parameters[1][5]. This vulnerability has also been addressed in version 2023.9.0, and all users are advised to upgrade[2].
In addition to these CVEs, a serious security vulnerability was discovered in the Home Assistant Supervisor component, which is responsible for system management. This vulnerability allowed an attacker to remotely bypass authentication and interact directly with the Supervisor API, giving them access to install Home Assistant updates and manage add-ons and backups[1][4]. This vulnerability was assigned CVE-2023-27482.
The vulnerability has been fixed in Supervisor version 2023.03.1, which has been rolled out to all affected installations via the auto-update feature of the Supervisor[1][2]. Home Assistant Core 2023.3.0 also includes mitigation for this vulnerability, so upgrading to at least that version is advised[2].
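Because the fixes are split across two components (Core 2023.9.0 and 2023.3.0, Supervisor 2023.03.1) and Home Assistant's calendar versions carry inconsistent leading zeros, a plain string comparison is an easy way to misjudge exposure. The following script is an added example, not Home Assistant project code; it checks installed versions against the fix versions named above, and the version strings it is run with are constructed sample inputs.

```python
"""Check Home Assistant Core/Supervisor versions against the advisories above.
Added example, not Home Assistant project code; sample inputs are constructed."""
from __future__ import annotations

# First fixed version per CVE, as stated in the article: (component, version).
FIXED_IN = {
    "CVE-2023-41894": ("core", "2023.9.0"),
    "CVE-2023-41893": ("core", "2023.9.0"),
    "CVE-2023-27482": ("supervisor", "2023.03.1"),
}
# Core 2023.3.0 ships a mitigation for the Supervisor issue.
CORE_MITIGATION = {"CVE-2023-27482": "2023.3.0"}


def parse_version(version: str) -> tuple[int, ...]:
    """Parse calendar versions such as '2023.9.0' or '2023.03.1'.
    Components are compared as ints so '03' and '3' are equal; a
    two-component version ('2023.9') is padded to three."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def outstanding_cves(core: str, supervisor: str | None) -> dict[str, str]:
    """Return {cve: reason} for every advisory still applying to the given
    Core version and optional Supervisor version (None = no Supervisor)."""
    installed = {"core": parse_version(core)}
    if supervisor is not None:
        installed["supervisor"] = parse_version(supervisor)
    findings: dict[str, str] = {}
    for cve, (component, fixed) in FIXED_IN.items():
        if component not in installed:
            continue  # e.g. a Container install has no Supervisor
        if installed[component] < parse_version(fixed):
            reason = f"{component} < {fixed}"
            # A patched Core mitigates the Supervisor issue even when the
            # Supervisor has not auto-updated yet; still flag it.
            mitigation = CORE_MITIGATION.get(cve)
            if mitigation and installed["core"] >= parse_version(mitigation):
                reason += f" (mitigated by core >= {mitigation})"
            findings[cve] = reason
    return findings


if __name__ == "__main__":
    # Constructed sample: a Supervised install lagging on both components.
    for cve, why in outstanding_cves("2023.8.4", "2023.02.3").items():
        print(f"{cve}: {why}")
```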
Conclusion: Two CVEs have been reported for Home Assistant, CVE-2023-41894 and CVE-2023-41893; both have been addressed in version 2023.9.0, and all users are advised to upgrade. Additionally, a serious security vulnerability (CVE-2023-27482) was discovered in the Home Assistant Supervisor component and fixed in Supervisor version 2023.03.1; upgrading to at least Home Assistant Core 2023.3.0 is advised to mitigate it. If you think you have found a security vulnerability in Home Assistant, you can disclose it to the Home Assistant team via their security e-mail address at [email protected].
Citations:
[0] https://en.cyberhat.online/forum/daily-cve-english/security-vulnerabilities-released-20-october-2023
[1] https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/
[2] https://cxsecurity.com/cveshow/CVE-2023-41894/
[3] https://www.cvedetails.com/vulnerability-list/vendor_id-17232/Home-assistant.html
[4] https://security.snyk.io/vuln/SNYK-PYTHON-HOMEASSISTANT-5406380
[5] https://www.nabucasa.com/config/webhooks/