Home Assistant released Home Assistant Core 2021.1.5 with extra protection to stop directory traversal attacks before reaching the vulnerable code. While this specific security vulnerability might not impact them, you might be impacted by the previously found vulnerability.īesides working with the custom integration authors, the following actions have been taken to help protect users: Please make sure to also read the previous security disclosure. BWAlarm (ak74 edition) – fixed in 1.12.9. Home Assistant Community Store (HACS) – fixed in 1.10.1. We have responsibly disclosed these issues to the authors of those custom integrations and worked with them on fixing their integrations. This access includes any credentials that you might have stored to allow Home Assistant to access other services. It allows an attacker to access any file without having to log in. The conclusion is that some custom integrations are still vulnerable to a directory traversal attack while not being authenticated with Home Assistant. We verified all fixes made to custom integrations that were found to be vulnerable in the previous security disclosure. We learned that not all custom integrations that implement security patches are sufficient to deflect the problem. It provided more insight on the implementation of the fixes done for the previous security vulnerability. On the morning of Saturday, January 23 2021, the Home Assistant project was informed by security researcher Nathan Brady about a security vulnerability. If you have used any of the custom integrations with a known vulnerability, we recommend that you update your credentials. Upgrade the custom integrations to a fixed version or remove them from your installation. Home Assistant Core 2021.1.5 added mitigation to prevent the issue from happening. Upgrade Home Assistant as soon as possible. Previously implemented fixes were not sufficient. Multiple custom integrations were found that allowed an attacker to steal any file without logging in. If you do use custom integrations, your instance might be vulnerable if you use one of the impacted integrations. If you do not use custom integrations, your Home Assistant is not vulnerable. We want to inform you about these because the found vulnerabilities impact the security of your Home Assistant instance. 
Custom integrations are not created and/or maintained by Home Assistant. This is a disclosure about security vulnerabilities found in 3rd party custom integrations. We want to make sure the information is complete. However, it is a new disclosure, affecting a similar issue.
This blog looks pretty much the same as the security disclosure of yesterday.
0 kommentar(er)
