// For flags

CVE-2023-41896

Fake websocket server installation permits full takeover in Home Assistant Core

Severity Score

9.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code’s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Home Assistant es una domótica de código abierto. Mientras auditaba el código de la interfaz para identificar parámetros ocultos, Cure53 detectó `auth_callback=1`, que es aprovechado por la lógica de autenticación de WebSocket junto con el parámetro `state`. El parámetro de estado contiene `hassUrl`, que posteriormente se utiliza para establecer una conexión WebSocket. Este comportamiento permite a un atacante crear un enlace malicioso de Home Assistant con un parámetro de estado modificado que obliga al frontend a conectarse a un backend WebSocket alternativo. De ahora en adelante, el atacante puede falsificar cualquier respuesta de WebSocket y activar Cross-Site Scripting (XSS). Dado que XSS se ejecuta en el dominio frontend real de Home Assistant, puede conectarse al backend real de Home Assistant, lo que esencialmente representa un escenario de adquisición integral. Permitir que el sitio tenga un iframe de otros orígenes, como se analiza en GHSA-935v-rmg9-44mw, hace que este exploit sea sustancialmente encubierto, ya que un sitio web malicioso puede ofuscar la estrategia de compromiso en segundo plano. Sin embargo, incluso sin esto, el atacante aún puede enviar el enlace `auth_callback` directamente al usuario víctima. Para mitigar este problema, Cure53 recomienda modificar el flujo de autenticación del código WebSocket. Una implementación óptima a este respecto no confiaría en el `hassUrl` pasado por un parámetro GET. Cure53 debe estipular el importante tiempo requerido por los consultores de Cure53 para identificar un vector XSS, a pesar de tener control total sobre las respuestas de WebSocket. En muchas áreas, los datos del WebSocket se sanitizaron adecuadamente, lo que dificulta su posterior explotación. El equipo de auditoría finalmente detectó el `js_url` para paneles personalizados, aunque en general, la interfaz mostró un refuerzo de seguridad razonable. Este problema se solucionó en la versión 2023.8.0 de Home Assistant Core y en el paquete npm home-assistant-js-websocket en la versión 8.2.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-09-04 CVE Reserved
  • 2023-10-19 CVE Published
  • 2024-09-12 CVE Updated
  • 2024-10-25 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-345: Insufficient Verification of Data Authenticity
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Home-assistant
Search vendor "Home-assistant"
Home-assistant
Search vendor "Home-assistant" for product "Home-assistant"
< 2023.8.0
Search vendor "Home-assistant" for product "Home-assistant" and version " < 2023.8.0"
-
Affected
Home-assistant
Search vendor "Home-assistant"
Home-assistant-js-websocket
Search vendor "Home-assistant" for product "Home-assistant-js-websocket"
< 8.2.0
Search vendor "Home-assistant" for product "Home-assistant-js-websocket" and version " < 8.2.0"
node.js
Affected