Disclosure: Supervisor security vulnerability – Home Assistant

2023-03-08 16:58:49

We have been made aware of a security issue impacting installations using
the Home Assistant Supervisor. A fix for this security issue has been rolled
out to all affected Home Assistant users via the Supervisor auto-update system,
and this issue is no longer current.

You can verify that you received the update on the Home Assistant About page
and confirm that you are running Supervisor 2023.03.1 or later. If you don't
see a Supervisor version on your About page, you don't use one of the affected
installation types and have not been vulnerable.

The issue has also been mitigated in Home Assistant 2023.3.0. This version
was released on March 1 and has since been installed by 33% of our users.
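The two paragraphs above give three facts a defender needs to triage an installation: the Supervisor version that carries the fix (2023.03.1), the Core version that mitigates the issue (2023.3.0), and the rule that an installation with no Supervisor version at all is not an affected type. The following script is an added example, not code from the Home Assistant project, that encodes that triage logic over version strings copied from the About page. It parses Home Assistant's calendar-style versions into integers before comparing them, because a plain string comparison would wrongly rank the zero-padded Supervisor version "2023.03.1" below "2023.3.0". The `assess` function and its return labels are this example's own convention.

```python
import re
from typing import Optional, Tuple

# Versions named in the advisory text.
FIXED_SUPERVISOR = "2023.03.1"   # Supervisor release carrying the fix
MITIGATED_CORE = "2023.3.0"      # Core release that mitigates the issue

# Home Assistant versions are calendar-based: YEAR.MONTH.PATCH.
# The Supervisor zero-pads the month ("2023.03.1"), Core does not ("2023.3.0").
_CALVER = re.compile(r"^(\d{4})\.(\d{1,2})\.(\d+)$")


def parse_calver(version: str) -> Tuple[int, int, int]:
    """Turn "2023.03.1" or "2023.3.0" into a comparable (year, month, patch) tuple.

    Each component becomes an int, so "03" and "3" compare equal. Comparing the
    raw strings instead would put "2023.03.1" before "2023.3.0" ('0' < '3').
    """
    match = _CALVER.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Home Assistant version string: {version!r}")
    year, month, patch = (int(part) for part in match.groups())
    return (year, month, patch)


def assess(supervisor_version: Optional[str], core_version: str) -> str:
    """Classify an installation from the versions shown on its About page.

    supervisor_version: the Supervisor version, or None when the About page
                        shows no Supervisor at all (Container / Core installs).
    core_version:       the Home Assistant Core version.

    Returns one of (labels are this example's own convention):
      "not-affected"       - installation type has no Supervisor
      "patched"            - Supervisor is at or past the fixed release
      "mitigated-by-core"  - Supervisor is old, but Core carries the mitigation
      "vulnerable"         - neither the fix nor the mitigation is present
    """
    if supervisor_version is None:
        return "not-affected"
    if parse_calver(supervisor_version) >= parse_calver(FIXED_SUPERVISOR):
        return "patched"
    if parse_calver(core_version) >= parse_calver(MITIGATED_CORE):
        return "mitigated-by-core"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample readings, one per outcome, as a practitioner might
    # collect them from several About pages.
    samples = [
        (None, "2023.2.5"),          # Home Assistant Container: no Supervisor
        ("2023.03.1", "2023.2.5"),   # Supervisor auto-updated, Core still old
        ("2023.01.1", "2023.3.0"),   # Supervisor old, Core already upgraded
        ("2023.01.1", "2023.2.5"),   # neither fix present: needs action
    ]
    for supervisor, core in samples:
        print(f"supervisor={supervisor!s:<10} core={core:<9} -> {assess(supervisor, core)}")
```

Because the Supervisor updates itself, "patched" is the expected state on almost every OS or Supervised installation; anything that reports "vulnerable" should be taken offline from the internet until it is updated, as the workaround section below advises.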

Affected version

The security issue affected installation types Home Assistant OS and
Home Assistant Supervised. This includes installations running on the
Home Assistant Blue and Home Assistant Yellow.

The two other installation types, Home Assistant Container (Docker) and
Home Assistant Core (own Python environment), have not been affected.

Credits

The security issue was found by Joseph Surin from elttam. Many thanks for bringing this to our attention.

About the issue

The Supervisor is an application that is part of Home Assistant OS
and Home Assistant Supervised installations and is responsible for
system management. The issue allowed an attacker to remotely bypass
authentication and interact directly with the Supervisor API. This gives
an attacker access to install Home Assistant updates and manage add-ons
and backups. Our analysis shows that this issue has been in Home Assistant
since the introduction of the Supervisor in 2017.

See Also

We have published security advisory CVE-2023-27482 on GitHub.

FAQ


Has this vulnerability been abused?

We don’t know. We have not heard any reports of people being hacked.

Is there a workaround?

In case one is not able to upgrade the Home Assistant Supervisor or the
Home Assistant Core application at this time, it is advised to not expose
your Home Assistant instance to the internet.
