CVE-2023-41893: Security audits of Home Assistant
Home Assistant is an open source home automation platform. The audit team's analyses confirmed that the `redirect_uri` and `client_id` parameters are alterable when logging in. Consequently, the `code` parameter used to fetch the `access_token` after authentication is sent to the URL specified in those parameters. Since an arbitrary URL is permitted and `homeassistant.local` is the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and obtain account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant instance to the Internet, since after acquiring the victim's `access_token` the adversary would need to use it directly against the instance to perform any meaningful malicious actions. To attempt this compromise, the attacker must send the victim a link to the victim's own Home Assistant instance carrying a `redirect_uri` that the attacker controls. If the victim authenticates via that link, the attacker obtains the `code` sent to the URL given in `redirect_uri`, which can then be exchanged for an `access_token`. An attacker could increase the efficacy of this strategy by registering a near-identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby obscure any malicious intent. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
October 19, 2023
Summary: Home Assistant had two security audits done as part of our regular security assessments. You are safe. No authentication bypasses have been found. We did fix issues related to attackers potentially tricking users to take over their instance. All fixes are included in Home Assistant 2023.9 (released on September 6, 2023) and the latest Home Assistant apps for iOS and Android. Please make sure you’re up-to-date.
Security is very important to us at Home Assistant and Nabu Casa. Being open source makes it easy to let anyone audit our code—and based on reported issues—people do. However, you also need to hire people to do an actual security audit to ensure that all the important code has been covered.
Subscribing to Home Assistant Cloud provides funding for the ongoing development and maintenance of Home Assistant, including external security audits. To ensure that our security is top-notch, Nabu Casa hired Cure53 to perform a security audit of critical parts of Home Assistant. Cure53 is a well-known cybersecurity firm that in the past found vulnerabilities in Mastodon and Ring products.
Cure53 found issues in Home Assistant, 3 of which were marked as “critical” severity. The critical issues would allow an attacker to trick users and steal login credentials. All reported issues have been addressed as part of Home Assistant 2023.9, released on September 6, 2023. No authentication bypass issues have been found. According to Cure53’s report:
The quality of the codebase was impressive on the whole, whilst the architecture and frameworks deployed in all relevant application areas resilient design paradigms in general. Frontend security in particular exhibited ample opportunities for hardening, as compounded by the Critical associated risks identified. Nonetheless, once these have been mitigated, an exemplary security posture will certainly be attainable.
In August, the GitHub Security Lab also audited Home Assistant. They found six non-critical issues across Home Assistant Core and our iOS and Android apps. Two of the issues overlapped with Cure53. All reported issues have been fixed and released.
We want to thank both teams for their audits, reported issues, and keeping our users safe 🙏
All found issues have been added to our security page. This page has been updated to include an ongoing timeline of reported issues, who disclosed them, and a link to the issue report on GitHub.
If you think you have found a security issue, check out our security page on how to report this to Home Assistant.
Source: [Security audits of Home Assistant](https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/) (this CVE was part of the Cure53 security audit of Home Assistant).