Critical Home Assistant Vulnerabilities: What You Need to Know
Home Assistant, a renowned free and open-source software for home automation, stands as a pivotal cornerstone for many smart homes globally. It’s prized for its robust focus on local control and unwavering commitment to privacy. As a central control system, its seamless accessibility via web interfaces, companion apps, and virtual assistants like Google Assistant or Amazon Alexa makes it a favorite among tech enthusiasts.
In September 2023, security researchers from Cure53 disclosed three critical security vulnerabilities in Home Assistant:
- CVE-2023-41897: Lack of XFO header allows clickjacking
- CVE-2023-41896: Fake WS server installation permits full takeover
- CVE-2023-41895: Full takeover via javascript URI in auth_callback login
These vulnerabilities could allow attackers to take full control of a Home Assistant installation, giving them access to all of the user’s smart home devices.
1. Clickjacking Lurks: The Absent XFO Header (CVE-2023-41897)
A salient flaw observed by Cure53 in Home Assistant’s server is the absence of HTTP security headers, notably the X-Frame-Options (XFO) header. This header tells the browser whether the page may be embedded in a frame by another site; without it, a malicious page can load the Home Assistant interface invisibly inside its own frame and trick a logged-in user into clicking on it, the classic clickjacking attack.
The gravity of this oversight is profound. A user hoodwinked in this way could be made to approve the installation of a harmful external add-on, thereby paving the way for Remote Code Execution within the Home Assistant application. To counteract this, Cure53 underscores the imperative to send the XFO header, set to either “SAMEORIGIN” or “DENY”, to stave off clickjacking assaults.
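As an added illustration of the check a defender would run against their own instance (this is example code, not part of Home Assistant or of the Cure53 report), the following Python evaluates a set of response headers for anti-framing protection and shows the hardened header set. It consults both X-Frame-Options and the CSP frame-ancestors directive, since browsers that understand both give the CSP directive precedence. The header samples are constructed for the example.

```python
"""Added example (not Home Assistant code): classify a response's anti-framing
protection from its headers and produce a hardened header set.
All header samples below are constructed for this example."""

from typing import List, Mapping, Optional

# Constructed samples: what a header check might see from an unpatched and a hardened server.
UNPATCHED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Python/3.11 aiohttp/3.8",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(headers: Mapping[str, str]) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    csp = _lookup(headers, "Content-Security-Policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify framing protection as 'none', 'same-origin', 'deny' or 'restricted'.

    frame-ancestors is checked first because it overrides X-Frame-Options in
    browsers that support CSP level 2.
    """
    ancestors = csp_frame_ancestors(headers)
    if ancestors is not None:
        lowered = [a.lower() for a in ancestors]
        if lowered == ["'none'"]:
            return "deny"
        if lowered == ["'self'"]:
            return "same-origin"
        return "restricted"  # an explicit allowlist of framing origins
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        return "none"
    value = xfo.strip().upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers: treat as unprotected.
    return "none"


def harden(headers: Mapping[str, str]) -> dict:
    """Return a copy of the headers with XFO set to SAMEORIGIN and a
    frame-ancestors 'self' directive added to the CSP (appended if a CSP exists)."""
    hardened = dict(headers)
    hardened["X-Frame-Options"] = "SAMEORIGIN"
    if csp_frame_ancestors(headers) is None:
        existing = _lookup(headers, "Content-Security-Policy")
        hardened["Content-Security-Policy"] = (
            f"{existing.rstrip('; ')}; frame-ancestors 'self'" if existing else "frame-ancestors 'self'"
        )
    return hardened


if __name__ == "__main__":
    for label, hdrs in (("unpatched", UNPATCHED_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: framing protection = {framing_protection(hdrs)}")
    print("after harden():", harden(UNPATCHED_HEADERS))
```

Running this against headers captured from your own instance (for example via the browser's network panel) quickly tells you whether the server is sending the protection the advisory calls for; a result of "none" means the page can be framed by any site.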
2. WebSocket Woes: The Covert Full Takeover (CVE-2023-41896)
In their meticulous audit, Cure53 identified a nefarious exploit opportunity arising from the WebSocket authentication logic. The state parameter, which carries the hassUrl, can be manipulated, allowing a malefactor to compel the frontend to connect to a rogue WebSocket backend. This, in essence, lets the attacker spoof any WebSocket response and launch a Cross-Site Scripting (XSS) attack.
The implications are dire. This vulnerability can lead to a full-scale takeover of the Home Assistant system, especially when compounded by the aforementioned clickjacking vulnerability.
However, there’s a silver lining. Cure53’s audit also highlighted the commendable effort in many areas where data from the WebSocket was immaculately sanitized. Still, a rigorous revision of the WebSocket code’s authentication flow is crucial.
3. The JavaScript Jigsaw: Another Path to Full Takeover (CVE-2023-41895)
In another surprising revelation, Cure53 discovered that the Home Assistant login page might itself be a trojan horse. It permits users to sign in to an external website with their local credentials. A glaring lapse in the redirect_uri validation can be exploited to trigger arbitrary JavaScript execution, culminating in a full takeover.
To fortify against this, Cure53 suggests a stringent validation of the redirect_uri value and the integration of a Content Security Policy (CSP) to thwart similar XSS ambushes in the future.
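Both the WebSocket finding and the redirect_uri finding come down to the same defensive rule: a URL supplied by the outside world must be checked against the origin the application trusts before it is used. The following Python, added here as an example and not taken from Home Assistant or the Cure53 report, shows one way to perform that validation for both cases. The trusted origin, the function names and the sample inputs are all constructed for the example; the real Home Assistant fix may differ in detail.

```python
"""Added example (not Home Assistant code): strict validation of externally
supplied URLs, for a WebSocket backend address carried in a login 'state'
parameter and for a post-login redirect_uri. Trusted origin and samples are
constructed for this example."""

from typing import Callable, Optional
from urllib.parse import SplitResult, urlsplit, urlunsplit

TRUSTED_ORIGIN = "https://ha.example.internal:8123"  # constructed: where the frontend was served from

_DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}


def _normalize(url: str) -> str:
    """Drop tab/newline characters anywhere in the URL and surrounding whitespace,
    mirroring what browsers discard before scheme parsing, so that 'java\\tscript:'
    and '  javascript:' are still recognised as the javascript scheme."""
    return url.replace("\t", "").replace("\n", "").replace("\r", "").strip()


def _effective_port(parts: SplitResult) -> Optional[int]:
    """Explicit port if present, else the scheme default (None for unknown schemes)."""
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    return port if port is not None else _DEFAULT_PORTS.get(parts.scheme)


def _same_host_and_port(parts: SplitResult, trusted: SplitResult) -> bool:
    if "@" in parts.netloc:  # userinfo ('trusted-host@attacker') is never allowed
        return False
    if (parts.hostname or "") != (trusted.hostname or ""):  # .hostname is already lowercased
        return False
    port = _effective_port(parts)
    return port is not None and port == _effective_port(trusted)


def validate_ws_backend(candidate: str, trusted_origin: str = TRUSTED_ORIGIN) -> str:
    """Accept a WebSocket backend URL only if it points at the origin the frontend
    itself was loaded from. Returns a canonical ws(s):// URL, else raises ValueError."""
    parts = urlsplit(_normalize(candidate))
    trusted = urlsplit(trusted_origin)
    if parts.scheme not in _DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme for WebSocket backend: {parts.scheme!r}")
    if trusted.scheme in ("https", "wss") and parts.scheme not in ("https", "wss"):
        raise ValueError("backend must use TLS (wss) when the frontend is served over https")
    if not _same_host_and_port(parts, trusted):
        raise ValueError(f"backend {parts.netloc!r} is not the trusted origin {trusted.netloc!r}")
    scheme = "wss" if parts.scheme in ("https", "wss") else "ws"
    return urlunsplit((scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


def validate_redirect_uri(candidate: str, trusted_origin: str = TRUSTED_ORIGIN) -> str:
    """Accept a post-login redirect only as a same-site relative path or as an
    http(s) URL on the trusted origin. Rejects javascript:, data:, protocol-relative
    '//host' URLs, backslash variants and userinfo. Raises ValueError when rejected."""
    url = _normalize(candidate)
    if url.startswith("/") and not url.startswith(("//", "/\\")):
        return url  # relative path inside the application
    parts = urlsplit(url)
    trusted = urlsplit(trusted_origin)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing redirect to scheme {parts.scheme!r}")
    if parts.scheme != trusted.scheme or not _same_host_and_port(parts, trusted):
        raise ValueError(f"refusing redirect off the trusted origin: {url!r}")
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


def accepts(validator: Callable[[str], str], candidate: str) -> bool:
    """True if the validator returns a URL, False if it rejects the candidate."""
    try:
        validator(candidate)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed candidates, mixing legitimate values with the kinds of input a validator must refuse.
    for validator, sample in (
        (validate_ws_backend, "wss://ha.example.internal:8123/api/websocket"),
        (validate_ws_backend, "wss://ha.example.internal.attacker.example:8123/"),
        (validate_redirect_uri, "/lovelace"),
        (validate_redirect_uri, "javascript:alert(1)"),
        (validate_redirect_uri, "//attacker.example/"),
    ):
        print(f"{validator.__name__}({sample!r}) -> {'accept' if accepts(validator, sample) else 'reject'}")
```

The essential design choice is an allowlist: rather than trying to enumerate dangerous schemes, only http(s) (and ws(s) for the backend) are accepted at all, and the host and effective port must equal the trusted origin's. Pairing this with a Content Security Policy, as Cure53 recommends, gives a second layer should a validation gap appear later.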
Moving Forward
All three of these vulnerabilities have been fixed in Home Assistant 2023.9, which was released on September 6, 2023. Home Assistant users are strongly advised to update to the latest version as soon as possible.