Disclosure: Supervisor security vulnerability

Attention please read

We were made aware of a security issue impacting installations using the Home Assistant Supervisor. A fix for this security issue has been rolled out to all affected Home Assistant users via the Supervisor auto-update system and this issue is no longer present.

You can verify that you received the update on the Home Assistant About page and verify that you are running Supervisor 2023.03.1 or later. If you do not see a Supervisor version on your About page, you do not use one of the affected installation types and have not been vulnerable.

The issue has also been mitigated in Home Assistant 2023.3.0. This version was released on March 1 and has since been installed by 33% of our users.

Affected version

The security issue affected installation types Home Assistant OS and Home Assistant Supervised. This includes installations running on the Home Assistant Blue and Home Assistant Yellow.

The two other installation types, Home Assistant Container (Docker) and Home Assistant Core (own Python environment), have not been affected.

Credits

The security issue was found by Joseph Surin from elttam. Many thanks for bringing this to our attention.

About the issue

The Supervisor is an application that is part of Home Assistant OS and Home Assistant Supervised installations and is responsible for system management. The issue allowed an attacker to remotely bypass authentication and interact directly with the Supervisor API. This gives an attacker access to install Home Assistant updates and manage add-ons and backups. Our analysis shows that this issue has been in Home Assistant since the introduction of the Supervisor in 2017.

We have published security advisory CVE-2023-27482 on GitHub.

FAQ


Has this vulnerability been abused?

We don’t know. We have not heard any reports of people being hacked.

Is there a workaround?

In case one is not able to upgrade the Home Assistant Supervisor or the Home Assistant Core application at this time, it is advised to not expose your Home Assistant instance to the internet.