CVE-2023-27482 Scanner
Detects the 'Authentication Bypass' vulnerability in Home Assistant Core and Supervisor. Affected versions: Core before 2023.3.2 and Supervisor before 2023.3.3.
Short Info
Level: Critical
Scan Mode: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 month
Scan only one: Domain, IPv4
Toolbox: -
Home Assistant Core and Supervisor are integral components of the popular open-source home automation system, Home Assistant. The Home Assistant Core is responsible for managing all aspects of home automation such as lighting, climate control, security systems, and more. It is essentially the brain of the home automation network. Meanwhile, the Supervisor is responsible for overseeing the management of operating system-level tasks and software updates for the Home Assistant Core.
CVE-2023-27482 is a remotely exploitable vulnerability in Home Assistant that bypasses authentication for the Supervisor API when it is accessed through Home Assistant. An attacker can therefore reach the Supervisor API and execute any command it offers without presenting any credentials. This vulnerability only affects installations that use Supervisor 2023.01.1 or older. Home Assistant Container installations and Home Assistant Core installations set up manually in a Python environment do not run the Supervisor and are not affected.
When exploited, CVE-2023-27482 can lead to a complete takeover of the Home Assistant instance. Because the Supervisor API can execute arbitrary commands, an attacker who reaches it can take full control of the Supervisor host and of every smart device connected to the home automation network. This puts users' privacy and physical security at risk and can cause significant damage if the issue is not promptly addressed by updating to a fixed release.
Security is important, and it is vital to keep all digital assets secure. With the pro features of s4e.io, readers can easily and quickly learn about vulnerabilities in their digital assets. The pro features of s4e.io provide detailed information on vulnerabilities, along with actionable insights to mitigate them. By leveraging the power of s4e.io, users can stay ahead of threats and protect their digital assets.
REFERENCES
- https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md
- https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25
- https://www.elttam.com/blog/pwnassistant/
- https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/