Disclosure: Supervisor security vulnerability – Home Assistant


We have been made aware of a security issue impacting installations using
the Home Assistant Supervisor. A fix for this security issue has been rolled
out to all affected Home Assistant users via the Supervisor auto-update system,
and this issue is no longer present.

You can verify that you received the update on the Home Assistant About page
and confirm that you are running Supervisor 2023.03.1 or later. If you don't
see a Supervisor version on your About page, you don't use one of the affected
installation types and have not been vulnerable.

The issue has also been mitigated in Home Assistant 2023.3.0. This version
was released on March 1 and has since been installed by 33% of our users.

Affected versions

The security issue affected the installation types Home Assistant OS and
Home Assistant Supervised. This includes installations running on the
Home Assistant Blue and Home Assistant Yellow.

The two other installation types, Home Assistant Container (Docker) and
Home Assistant Core (own Python environment), have not been affected.
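The following triage helper is an added example (not Home Assistant's own code) that encodes the facts above: which installation types are affected, the fixed Supervisor version 2023.03.1, and the mitigating Core version 2023.3.0. It compares the calendar versions numerically so that "2023.03.1" as shown on the About page is not misjudged by a plain string comparison; the sample readings at the bottom are constructed.

```python
"""Triage helper for the disclosure above (added example, not Home Assistant code).

Facts encoded from the disclosure:
  * only the Home Assistant OS and Supervised install types are affected;
  * Supervisor 2023.03.1 or later carries the fix;
  * Home Assistant Core 2023.3.0 or later also mitigates the issue.
Version strings are copied as shown on the About page, e.g. "2023.03.1".
"""
from typing import Optional, Tuple

AFFECTED_TYPES = {"Home Assistant OS", "Home Assistant Supervised"}
FIXED_SUPERVISOR = "2023.03.1"
MITIGATED_CORE = "2023.3.0"


def parse_calver(version: str) -> Tuple[int, ...]:
    """Parse a Home Assistant calendar version into comparable integers.

    Integer comparison makes "2023.03.1" equal to "2023.3.1"; a plain
    string comparison would rank "2023.03.1" below "2023.3.0".
    Only final release versions (digits and dots) are accepted.
    """
    pieces = version.strip().split(".")
    if not all(p.isdigit() for p in pieces):
        raise ValueError(f"not a release version: {version!r}")
    return tuple(int(p) for p in pieces)


def is_still_vulnerable(install_type: str,
                        supervisor_version: Optional[str],
                        core_version: str) -> bool:
    """True if this install is still exposed to CVE-2023-27482.

    supervisor_version is None when the About page shows no Supervisor
    version, which per the disclosure means an unaffected install type.
    """
    if install_type not in AFFECTED_TYPES or supervisor_version is None:
        return False
    if parse_calver(supervisor_version) >= parse_calver(FIXED_SUPERVISOR):
        return False
    if parse_calver(core_version) >= parse_calver(MITIGATED_CORE):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample readings from three About pages.
    for kind, sup, core in [("Home Assistant OS", "2023.01.1", "2023.2.5"),
                            ("Home Assistant OS", "2023.03.1", "2023.2.5"),
                            ("Home Assistant Container", None, "2023.2.5")]:
        state = "VULNERABLE" if is_still_vulnerable(kind, sup, core) else "ok"
        print(kind, sup, core, "->", state)
```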

Credits

The security issue was found by Joseph Surin from elttam. Many thanks for bringing this to our attention.

About the issue

The Supervisor is an application that is part of Home Assistant OS
and Home Assistant Supervised installations and is responsible for
system management. The issue allowed an attacker to remotely bypass
authentication and interact directly with the Supervisor API. This gives
an attacker access to install Home Assistant updates and manage add-ons
and backups. Our analysis shows that this issue has been in Home Assistant
since the introduction of the Supervisor in 2017.

We have published security advisory CVE-2023-27482 on GitHub.

FAQ


Has this vulnerability been abused?

We don't know. We have not heard any reports of people being hacked.

Is there a workaround?

In case one is not able to upgrade the Home Assistant Supervisor or the
Home Assistant Core application at this time, it is advised not to expose
your Home Assistant instance to the internet.
