jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-07-24 17:57:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add Supervisor security disclosure blog (#26493)

Browse Source
This commit is contained in:
Franck Nijhof 2023-03-08 10:13:06 +01:00 committed by GitHub
parent c293a1ac5d
commit d6569a20e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
source/_posts/2023-03-08-supervisor-security-disclosure.markdown Normal file
View File

@ -0,0 +1,67 @@
---
layout: post
title: "Disclosure: Supervisor security vulnerability"
description: "Disclosure of a security vulnerability found impacting installations using the Home Assistant Supervisor."
date: 2023-03-08 00:00:00
date_formatted: "March 08, 2023"
author: Paulus Schoutsen
author_twitter: balloob
comments: true
categories: Public-Service-Announcement
og_image: /images/blog/2023-03-supervisor-security-disclosure/social.png
---
![Attention please read](/images/blog/2023-03-supervisor-security-disclosure/social.png)
We were made aware of a security issue impacting installations using
the Home Assistant Supervisor. A fix for this security issue has been rolled
out to all affected Home Assistant users via the Supervisor auto-update system
and this issue is no longer present.
You can verify that you received the update on the {% my info title="Home Assistant About page" %}
and verify that you are running Supervisor 2023.03.1 or later. If you do not
see a Supervisor version on your About page, you do not use one of the affected
installation types and have not been vulnerable.
The issue has also been mitigated in Home Assistant 2023.3.0. This version
was released on March 1 and has since been installed by [33% of our users][analytics].
[analytics]: https://analytics.home-assistant.io/
## Affected version
The security issue affected installation types Home Assistant OS and
Home Assistant Supervised. This includes installations running on the
Home Assistant Blue and Home Assistant Yellow.
The two other installation types, Home Assistant Container (Docker) and
Home Assistant Core (own Python environment), have not been affected.
## Credits
The security issue was found by [Joseph Surin] from [elttam]. Many thanks for bringing this to our attention.
[Joseph Surin]: https://www.linkedin.com/in/joseph-surin/
[elttam]: https://www.elttam.com/
## About the issue
The Supervisor is an application that is part of Home Assistant OS
and Home Assistant Supervised installations and is responsible for
system management. The issue allowed an attacker to remotely bypass
authentication and interact directly with the Supervisor API. This gives
an attacker access to install Home Assistant updates and manage add-ons
and backups. Our analysis shows that this issue has been in Home Assistant
since the introduction of the Supervisor in 2017.
We have published [security advisory CVE-2023-27482 on GitHub][advisory].
[advisory]: https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25
## FAQ
---
### Has this vulnerability been abused?
We dont know. We have not heard any reports of people being hacked.

BIN
source/images/blog/2023-03-supervisor-security-disclosure/social.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 172 KiB