Home Assistant Users Advised to Upgrade Following Information Disclosure Vulnerability Discovery

Blame for the vulnerability has been laid squarely at the door of third-party integrations — with new core code designed to prevent abuse.

Home Assistant, the Apache 2.0-licensed open source home automation platform, has issued a security bulletin warning of an information leakage vulnerability — and advising users to upgrade as soon as possible, though placing the blame firmly at the door of third-party integrations.

"It has come to our attention that certain custom integrations have security issues and could potentially leak sensitive information," Home Assistant's Paulus Schoutsen warns in the bulletin. "Home Assistant is not responsible for custom integrations and you use custom integrations at your own risk."

"We are currently investigating the scope of the issue. We will follow up with more details. Meanwhile, update Home Assistant. The latest version of Home Assistant Core has extra protection to help secure your instance."

Those running Home Assistant are advised to use the Supervisor menu to check for updates: Home Assistant 2021.1.3 or newer includes the protections designed to prevent information leakage by as-yet unnamed vulnerable third-party integration(s). For installations where the Supervisor menu is not available, manual upgrade instructions have been provided.

"If you cannot update Home Assistant at this time, we strongly advise you to disable all custom integrations," Schoutsen adds. "You can disable your custom integrations by renaming the custom_components folder inside your Home Assistant configuration folder to something else. Please be sure to restart Home Assistant after you’ve renamed it."
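The interim mitigation described above can be scripted. The following is an added example, not code from the bulletin or the Home Assistant project: it assumes the configuration folder contains a `.HA_VERSION` file recording the Core version that last started, and the new folder name `custom_components.disabled` is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the bulletin. Assumptions: the configuration folder
# holds a .HA_VERSION file with the Core version that last started, and
# "custom_components.disabled" is an arbitrary new name for the folder.

FIXED_VERSION="2021.1.3"   # first release with the extra protection, per the article

# version_ge A B: succeed if dotted version A >= B (numeric, not lexical).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # drop suffixes such as "b1"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# mitigate CONFIG_DIR: prints "patched", "no-custom" or "disabled" on stdout.
mitigate() {
    cfg=$1
    src="$cfg/custom_components"; dst="$cfg/custom_components.disabled"
    ver=$(cat "$cfg/.HA_VERSION" 2>/dev/null) || ver=0   # unknown => treat as old
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "patched"; return 0
    fi
    if [ ! -d "$src" ]; then
        echo "no-custom"; return 0
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2; return 1
    fi
    # Record what is being disabled so it can be reviewed before re-enabling.
    echo "disabling custom integrations:" >&2
    ls -1 "$src" >&2
    mv "$src" "$dst" || return 1
    echo "restart Home Assistant for the change to take effect" >&2
    echo "disabled"
}

# Usage: sh script.sh /path/to/config
if [ $# -gt 0 ]; then mitigate "$1"; fi
```

The script does not restart Home Assistant itself, since the restart method depends on the installation type.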

The full bulletin, and subsequent discussion, is available on the Home Assistant website.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.