CVE-2023-41897

Lack of XFO header allows clickjacking in Home Assistant Core

Severity Score

9.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Home Assistant es una domótica de código abierto. El servidor Home Assistant no establece ningún encabezado de seguridad HTTP, incluido el encabezado X-Frame-Options, que especifica si se permite que la página web este enmarcada. La omisión de este y los encabezados correlacionados facilita los ataques encubiertos de clickjacking y oportunidades de explotación alternativas, como el vector descrito en este aviso de seguridad. Esta falla conlleva un riesgo importante, considerando la capacidad de engañar a los usuarios para que instalen un complemento externo y malicioso con una interacción mínima del usuario, lo que permitiría Remote Code Execution (RCE) dentro de la aplicación Home Assistant. Este problema se solucionó en la versión 2023.9.0 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-09-04 CVE Reserved
2023-10-19 CVE Published
2024-09-12 CVE Updated
2024-09-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CAPEC

References (3)

URL	Tag	Source
https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q	Not Applicable

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw	2023-10-26
https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant	2023-10-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Home-assistant Search vendor "Home-assistant"		Home-assistant Search vendor "Home-assistant" for product "Home-assistant"				< 2023.9.0 Search vendor "Home-assistant" for product "Home-assistant" and version " < 2023.9.0"		-		Affected