CVE-2023-41896
Vulnerability from cvelistv5
Published
2023-10-19 22:30
Modified
2024-09-12 15:06
Summary
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code’s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:09:49.430Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q"
          },
          {
            "name": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-41896",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-12T15:06:04.223766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T15:06:52.374Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "core",
          "vendor": "home-assistant",
          "versions": [
            {
              "status": "affected",
              "version": "Home Assistant Core : \u003c 2023.8.0"
            },
            {
              "status": "affected",
              "version": "home-assistant-js-websocket: \u003c 8.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code\u2019s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-19T22:30:49.623Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q"
        },
        {
          "name": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw"
        }
      ],
      "source": {
        "advisory": "GHSA-cr83-q7r2-7f5q",
        "discovery": "UNKNOWN"
      },
      "title": "Fake websocket server installation permits full takeover in Home Assistant Core"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-41896",
    "datePublished": "2023-10-19T22:30:49.623Z",
    "dateReserved": "2023-09-04T16:31:48.225Z",
    "dateUpdated": "2024-09-12T15:06:52.374Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41896\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-19T23:15:08.540\",\"lastModified\":\"2024-11-21T08:21:52.620\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code\u2019s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Home Assistant es una dom\u00f3tica de c\u00f3digo abierto. Mientras auditaba el c\u00f3digo de la interfaz para identificar par\u00e1metros ocultos, Cure53 detect\u00f3 `auth_callback=1`, que es aprovechado por la l\u00f3gica de autenticaci\u00f3n de WebSocket junto con el par\u00e1metro `state`. El par\u00e1metro de estado contiene `hassUrl`, que posteriormente se utiliza para establecer una conexi\u00f3n WebSocket. Este comportamiento permite a un atacante crear un enlace malicioso de Home Assistant con un par\u00e1metro de estado modificado que obliga al frontend a conectarse a un backend WebSocket alternativo. De ahora en adelante, el atacante puede falsificar cualquier respuesta de WebSocket y activar Cross-Site Scripting (XSS). Dado que XSS se ejecuta en el dominio frontend real de Home Assistant, puede conectarse al backend real de Home Assistant, lo que esencialmente representa un escenario de adquisici\u00f3n integral. Permitir que el sitio tenga un iframe de otros or\u00edgenes, como se analiza en GHSA-935v-rmg9-44mw, hace que este exploit sea sustancialmente encubierto, ya que un sitio web malicioso puede ofuscar la estrategia de compromiso en segundo plano. Sin embargo, incluso sin esto, el atacante a\u00fan puede enviar el enlace `auth_callback` directamente al usuario v\u00edctima. Para mitigar este problema, Cure53 recomienda modificar el flujo de autenticaci\u00f3n del c\u00f3digo WebSocket. Una implementaci\u00f3n \u00f3ptima a este respecto no confiar\u00eda en el `hassUrl` pasado por un par\u00e1metro GET. Cure53 debe estipular el importante tiempo requerido por los consultores de Cure53 para identificar un vector XSS, a pesar de tener control total sobre las respuestas de WebSocket. En muchas \u00e1reas, los datos del WebSocket se sanitizaron adecuadamente, lo que dificulta su posterior explotaci\u00f3n. El equipo de auditor\u00eda finalmente detect\u00f3 el `js_url` para paneles personalizados, aunque en general, la interfaz mostr\u00f3 un refuerzo de seguridad razonable. Este problema se solucion\u00f3 en la versi\u00f3n 2023.8.0 de Home Assistant Core y en el paquete npm home-assistant-js-websocket en la versi\u00f3n 8.2.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2023.8.0\",\"matchCriteriaId\":\"5FA5180B-1B8F-4CF6-84F2-A41078BC5BF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:home-assistant:home-assistant-js-websocket:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"8.2.0\",\"matchCriteriaId\":\"08A4163A-BF4B-4823-ADB6-81078E9345F5\"}]}]}],\"references\":[{\"url\":\"https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.