CVE-2023-27482: Critical vulnerability in Home Assistant OS and Home Assistant Supervised
Home Assistant is free and open-source software for home automation designed to be a central control system for smart home devices with a focus on local control and privacy. It can be accessed through a web-based user interface by using companion apps for Android and iOS, or by voice commands via supported virtual assistants such as Google Assistant or Amazon Alexa.
Recently, a new security vulnerability has been discovered in Home Assistant OS and Home Assistant Supervised installations, potentially putting users at risk. The vulnerability has been identified as CVE-2023-27482, with a CVSS score of 10, the highest possible score, indicating that it is a critical security issue. This vulnerability was found by Joseph Surin from elttam.
The Supervisor, an application responsible for system management, is the main target of this vulnerability. According to the analysis, the issue allows attackers to bypass authentication and interact directly with the Supervisor API, which could give them access to install Home Assistant updates and manage add-ons and backups.
The CVE-2023-27482 vulnerability has been present since the introduction of the Supervisor in 2017, which means that it has been around for a while, increasing the likelihood that attackers may have already exploited it.
All Home Assistant installation types that use Supervisor 2023.01.1 or older are affected, including Home Assistant OS and Home Assistant Supervised. This includes installations running on the Home Assistant Blue and Home Assistant Yellow. However, other installation types, such as Home Assistant Container or Home Assistant Core installed manually in a Python environment, are not affected.
The good news is that the issue has been mitigated and closed in Supervisor version 2023.03.1, which has already been rolled out to all affected installations via the auto-update feature of the Supervisor. Home Assistant Core 2023.3.0 has also included mitigation for this vulnerability, so upgrading to at least that version is strongly advised.
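Triaging a fleet against the version boundaries stated above is mostly a matter of comparing Home Assistant's calendar-style version strings correctly. The following script is an added example, not code from the Home Assistant project or from this advisory: it encodes the advisory's thresholds (Supervisor 2023.01.1 or older affected, fixed in 2023.03.1; Core 2023.3.0 carries a mitigation; only OS and Supervised installations are in scope) and runs them over a constructed inventory. The hostnames and versions in `SAMPLE_INVENTORY` are made up, and treating a pre-release suffix such as `b4` as older than the matching final release is an assumption of this script, not something the advisory states.

```python
import re
from typing import Dict, List, Optional, Tuple

# (year, month, patch, final) where final is 1 for a release and 0 for a
# pre-release, so that e.g. 2023.3.0b4 sorts below 2023.3.0 (script assumption).
Version = Tuple[int, int, int, int]

# Thresholds taken from the advisory text above.
SUPERVISOR_LAST_AFFECTED: Version = (2023, 1, 1, 1)  # "Supervisor 2023.01.1 or older"
SUPERVISOR_FIXED: Version = (2023, 3, 1, 1)          # closed in Supervisor 2023.03.1
CORE_MITIGATED: Version = (2023, 3, 0, 1)            # Core 2023.3.0 includes a mitigation

# Only installation types that run the Supervisor are in scope per the advisory.
SUPERVISED_TYPES = {"Home Assistant OS", "Home Assistant Supervised"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(.*)")


def parse_version(text: str) -> Optional[Version]:
    """Parse '2023.01.1' or '2023.3.0b4' into a comparable tuple.
    Leading zeros are accepted; any trailing suffix marks a pre-release.
    Returns None for strings that are not versions (e.g. '' or 'latest')."""
    m = _VERSION_RE.fullmatch((text or "").strip())
    if not m:
        return None
    year, month, patch, suffix = m.groups()
    return (int(year), int(month), int(patch), 0 if suffix else 1)


def supervisor_status(version: str) -> str:
    """Classify a Supervisor version against the advisory's thresholds."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v <= SUPERVISOR_LAST_AFFECTED:
        return "affected"
    if v >= SUPERVISOR_FIXED:
        return "fixed"
    # Builds between 2023.01.1 and 2023.03.1 are not addressed by the advisory,
    # so flag them for manual follow-up instead of assuming they are safe.
    return "unclear"


def core_mitigated(version: str) -> Optional[bool]:
    """True if Core is at least 2023.3.0, False if older, None if unparseable."""
    v = parse_version(version)
    return None if v is None else v >= CORE_MITIGATED


def triage(install_type: str, supervisor_version: str, core_version: str) -> Dict[str, str]:
    """Decide the follow-up for one instance."""
    if install_type not in SUPERVISED_TYPES:
        return {"status": "not affected", "action": "none"}
    sup = supervisor_status(supervisor_version)
    if sup == "affected":
        return {"status": "affected",
                "action": "update Supervisor and Core; keep the instance off the internet until done"}
    if sup != "fixed":
        return {"status": sup, "action": "confirm Supervisor version and update to 2023.03.1 or newer"}
    # Supervisor is fixed; the Core mitigation is still advised.
    if core_mitigated(core_version):
        return {"status": "fixed", "action": "none"}
    return {"status": "fixed", "action": "update Core to 2023.3.0 or newer"}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ha-yellow-kitchen", "type": "Home Assistant OS", "supervisor": "2022.11.2", "core": "2023.2.5"},
    {"host": "ha-blue-garage", "type": "Home Assistant OS", "supervisor": "2023.03.1", "core": "2023.3.0"},
    {"host": "ha-nuc-office", "type": "Home Assistant Supervised", "supervisor": "2023.01.1", "core": "2023.1.7"},
    {"host": "ha-docker-lab", "type": "Home Assistant Container", "supervisor": "", "core": "2022.12.0"},
    {"host": "ha-rpi-beta", "type": "Home Assistant OS", "supervisor": "2023.03.2b1", "core": "2023.3.0b4"},
]


def triage_inventory(inventory: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each host to its triage result."""
    return {row["host"]: triage(row["type"], row["supervisor"], row["core"]) for row in inventory}


if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:20} {result['status']:14} {result['action']}")
```

The pre-release handling matters in practice: a Core build reported as `2023.3.0b4` predates the 2023.3.0 release and so is not counted as carrying the mitigation, while a Supervisor `2023.03.2b1` is newer than the 2023.03.1 fix and is counted as fixed.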
For those who are not able to upgrade their Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised not to expose the Home Assistant instance to the internet, to avoid being vulnerable to this attack.
To ensure the security of your Home Assistant installation, we recommend that you take immediate action and update your Supervisor and Home Assistant Core application to the latest version as soon as possible. By doing so, you can rest assured that your system is protected against this critical security issue.