CVE-2023-41893
Vulnerability from cvelistv5
Published: 2023-10-19 23:27
Modified: 2024-09-12 15:02
Summary
Home Assistant is an open source home automation platform. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the `code` parameter used to fetch the `access_token` after authentication is sent to the URL specified in those parameters. Since an arbitrary URL is permitted and `homeassistant.local` is the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate a user and retrieve account access.

Notably, this attack strategy is plausible if the victim has exposed their Home Assistant to the Internet, since after acquiring the victim’s `access_token` the adversary would need to use it directly against the instance to carry out any malicious actions. To attempt this compromise, the attacker must send the victim a link to the victim’s own Home Assistant instance with a `redirect_uri` that the attacker controls. If the victim authenticates via that link, the attacker obtains the code sent to the URL specified in `redirect_uri`, which can then be used to fetch an `access_token`. An attacker could make this strategy more effective by registering a domain nearly identical to `homeassistant.local`, which at first glance may appear legitimate and thereby hide any malicious intent.

This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Impacted products
Vendor | Product | Version
---|---|---
home-assistant | core | < 2023.9.0