CVE-2023-41893

Account takeover via auth_callback login in Home Assistant Core

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Home Assistant is an open source home automation platform. The audit team’s analysis confirmed that the `redirect_uri` and `client_id` parameters can be altered when logging in. Consequently, the `code` parameter used to fetch the `access_token` after authentication is sent to the URL specified in those parameters. Since an arbitrary URL is permitted, and `homeassistant.local` is the preferred default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and obtain account access. Notably, this attack strategy is plausible if the victim has exposed their Home Assistant instance to the Internet, since after acquiring the victim’s `access_token` the adversary would need to use it directly against the instance to perform any meaningful malicious action. To attempt this compromise, the attacker must send the victim a link to the victim’s own Home Assistant instance with a `redirect_uri` that the attacker controls. If the victim authenticates via that link, the attacker obtains the code sent to the URL given in `redirect_uri`, which can then be exchanged for an `access_token`. An attacker could increase the effectiveness of this strategy by registering a near-identical domain to `homeassistant.local`, which at first glance may appear legitimate and thereby disguise any malicious intent. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

*Credits: N/A
CVSS Scores

Score 1 (matches the 5.4 base score above; vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N):
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: Required
  Scope: Unchanged
  Confidentiality: Low
  Integrity: Low
  Availability: None

Score 2 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N):
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: Required
  Scope: Unchanged
  Confidentiality: Low
  Integrity: None
  Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-09-04 CVE Reserved
  • 2023-10-19 CVE Published
  • 2024-09-12 CVE Updated
  • 2024-09-18 EPSS Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Affected Vendors, Products, and Versions
  • Vendor: Home-assistant
  • Product: Home-assistant
  • Version: < 2023.9.0
  • Other: -
  • Status: Affected