Home Assistant patches Supervisor bug that allows access to installations

Home Assistant has released an update for the Supervisor, the underlying system of the smart home platform. This update fixes a serious vulnerability that could allow attackers to take over a system remotely without authentication.

The vulnerability is registered as CVE-2023-27482. The creators of Home Assistant to write that that vulnerability is in all versions of Home Assistant Core older than 2023.3.0 and specifically in Home Assistant Supervisor 2023.03.1. Mitigation for the bug is built into the latest version of Core. A patch has been released for the Supervisor. The patch has now been rolled out to all users, who still have to update their OS themselves, depending on their installation. The Core update, where the bug has been mitigated, was already released on March 1 and has since been implemented on 33 percent of all installations, according to the makers.

The bug could only be exploited on Home Assistant OS and Home Assistant Supervised installations. Docker installations do not contain a Supervisor, so the bug could not be exploited there.

Home Assistant doesn’t provide much detail about the nature of the vulnerability. The developers only write that the bug enabled an authentication bypass that allowed a remote attacker to take over a complete installation. This was possible via the Supervisor API, but how that works is not known. According to the makers, the bug is serious; he gets a score of 10.0, probably because of the potential impact.