CVE-2023-41894 in Home Assistant
Summary
by MITRE • 10/25/2023
Home Assistant is an open source home automation platform. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as "Only accessible from the local network". This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 10/25/2023
The vulnerability described in CVE-2023-41894 represents a critical authentication bypass flaw within the Home Assistant home automation platform that undermines the security model designed to protect local network resources. This issue affects the webhook component functionality that is intended to restrict access to local network resources while still allowing external triggering through authenticated mechanisms. The flaw exists specifically in how the SniTun proxy component handles request forwarding, creating an unintended pathway for unauthorized access to webhook endpoints that should remain protected within the local network boundary.
The vulnerability stems from the SniTun proxy's behavior of rewriting the source address of all incoming requests to 127.0.0.1 when requests are forwarded from the public URL to the local Home Assistant instance. This proxy mechanism, designed to facilitate secure external access to local services, inadvertently strips away the original source IP information that the local-only check relies on, so every forwarded request looks like it originated on the loopback interface. The flaw allows attackers to trigger webhooks through the `*.ui.nabu.casa` domain without proper authentication, effectively bypassing the intended network access controls that should restrict webhook access to local network sources only.
From an operational impact perspective, this vulnerability creates significant security risks for Home Assistant users who rely on webhook-based automation and integration features. Attackers can exploit this flaw to execute unauthorized webhook triggers that may lead to unintended automation actions, data manipulation, or potential escalation to other system components. The vulnerability particularly affects users who have configured webhooks to perform sensitive operations or access system resources that should remain protected from external interference. The lack of known workarounds forces users to rely entirely on the official patch release for remediation, creating a window of exposure that could be exploited by threat actors with knowledge of the specific attack vector.
The security implications of this vulnerability align with CWE-284, which addresses improper access control issues, and can be mapped to ATT&CK technique T1078.004 related to valid accounts and T1190 for exploitation of remote services. The flaw demonstrates how proxy mechanisms designed for legitimate access control can introduce unexpected security gaps when they modify network context information in ways that bypass existing security checks. This vulnerability highlights the importance of proper network boundary enforcement and the dangers of assuming that proxy-forwarded requests maintain their original source integrity for security validation purposes.
The official fix for this vulnerability was implemented in Home Assistant version 2023.9.0, which addresses the root cause by ensuring that webhook access controls properly validate the original source address information rather than relying on the proxy-modified source address. Users are strongly advised to upgrade immediately to prevent exploitation of this vulnerability, as the absence of workarounds means that the only effective protection against this specific attack vector is the patched software version. Organizations and individuals utilizing Home Assistant for home automation should prioritize this upgrade to maintain the security posture of their automated systems and prevent potential unauthorized access to their home networks and connected devices.