Fake websocket server installation permits full takeover in Home Assistant Core

CVE-2023-41896

What is CVE-2023-41896?

A security flaw has been identified in Home Assistant's WebSocket authentication logic that allows attackers to manipulate the state parameter. By crafting a malicious Home Assistant link, an attacker can redirect the frontend to connect to an unauthorized WebSocket backend, bypassing normal security protocols. This bearer trust in the 'hassUrl' GET parameter can lead to spoofed WebSocket responses, enabling XSS attacks that execute malicious scripts on the frontend domain. As a result, attackers can potentially take over sessions and compromise user data. The issue has been rectified in version 2023.8.0 of Home Assistant Core and in version 8.2.0 of the home-assistant-js-websocket npm package. Users are strongly encouraged to update their installations, as no workarounds exist.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References