Add security audits of Home Assistant blog post (home-assistant#29433)

source/_posts/2023-10-19-security-audits-of-home-assistant.markdown

@@ -0,0 +1,29 @@
+---
+layout: post
+title: "Security audits of Home Assistant"
+description: "Home Assistant hired Cure53 to do a security audit as part of our regular security assessments. You are safe. No authentication bypasses have been found."
+date: 2023-10-19 00:00:00
+date_formatted: "October 19, 2023"
+author: Paulus Schoutsen & Franck Nijhof
+comments: true
+categories:
+  - Announcements
+---
+
+_Summary: Home Assistant had two security audits done as part of our regular security assessments. You are safe. No authentication bypasses have been found. We did fix issues related to attackers potentially tricking users to take over their instance. All fixes are included in Home Assistant 2023.9 and the latest Home Assistant apps for iOS and Android. Please make sure you’re up-to-date._
+
+Security is very important to us at Home Assistant and Nabu Casa. Being open source makes it easy to let anyone audit our code—and based on reported issues—people do. However, you also need to hire people to do an actual security audit to ensure that all the important code has been covered.
+
+Subscribing to [Home Assistant Cloud](https://www.nabucasa.com/) provides funding for the ongoing development and maintenance of Home Assistant, including external security audits. To ensure that our security is top-notch, Nabu Casa hired Cure53 to perform a security audit of critical parts of Home Assistant. [Cure53](https://cure53.de/) is a well-known cybersecurity firm that in the past found vulnerabilities in [Mastodon](https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/) and [Ring products](https://foundation.mozilla.org/en/blog/mozilla-publishes-ring-doorbell-vulnerability-following-amazons-apathy/).
+
+Cure53 found issues in Home Assistant, 3 of which were marked as “critical” severity. The critical issues would allow an attacker to trick users and steal login credentials. All reported issues have been addressed as part of Home Assistant 2023.9, released on September 6, 2023. No authentication bypass issues have been found. According to Cure53’s report:
+
+> The quality of the codebase was impressive on the whole, whilst the architecture and frameworks deployed in all relevant application areas resilient design paradigms in general. Frontend security in particular exhibited ample opportunities for hardening, as compounded by the Critical associated risks identified. Nonetheless, once these have been mitigated, an exemplary security posture will certainly be attainable.
+
+In August, the [GitHub Security Lab](https://securitylab.github.com/) also audited Home Assistant. They found six non-critical issues across Home Assistant Core and our iOS and Android apps. Two of the issues overlapped with Cure53. All reported issues have been fixed and released.
+
+We want to thank both teams for their audits, reported issues, and keeping our users safe 🙏
+
+All found issues have been added to [our security page](/security). This page has been updated to include an ongoing timeline of reported issues, who disclosed it, and a link to the issue report on GitHub.
+
+_If you think you have found a security issue, check out [our security page](/security) on how to report this to Home Assistant._

source/security/index.markdown

@@ -62,19 +62,81 @@ As an open source project, Home Assistant cannot offer bounties for security vul
 
 The following is a list of past security advisories that have been published by the Home Assistant project.
 
+**2023-10-19: Actions expression injection in `helpers/version/action.yml`**  
+Severity: _Low (This is an internal project)_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jff5-5j3g-vhqc)_  
+Discovered by: _[jorgectf](https://github.com/jorgectf), [p-](https://github.com/p-) ([GitHub Security Lab](https://securitylab.github.com/))_  
+Fixed in: _Home Assistant GitHub Actions released on September 5, 2023_  
+
+**2023-10-19: Arbitrary URL load in Android WebView in `MyActivity.kt`**  
+Severity: _High (CVSS: 8.6)_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jvpm-q3hq-86rg)_  
+Assigned CVE: _[CVE-2023-41898](https://nvd.nist.gov/vuln/detail/CVE-2023-41898)_  
+Discovered by: _[atorralba](https://github.com/atorralba) ([GitHub Security Lab](https://securitylab.github.com/))_  
+Fixed in: _Home Assistant for Android 2023.9.2_  
+
+**2023-10-19: Partial Server-Side Request Forgery in Core**  
+Severity: _Low_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-4r74-h49q-rr3h)_  
+Assigned CVE: _[CVE-2023-41899](https://nvd.nist.gov/vuln/detail/CVE-2023-41899)_  
+Discovered by: _[pwntester](https://github.com/pwntester) ([GitHub Security Lab](https://securitylab.github.com/))_  
+Fixed in: _Home Assistant Core 2023.9_  
+
+**2023-10-19: Client-Side Request Forgery in iOS/macOS native Apps**  
+Severity: _High (CVSS: 8.6)_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-h2jp-7grc-9xpp)_  
+Assigned CVE: _[CVE-2023-44385](https://nvd.nist.gov/vuln/detail/CVE-2023-44385)_  
+Discovered by: _[pwntester](https://github.com/pwntester) ([GitHub Security Lab](https://securitylab.github.com/))_  
+Fixed in: _Home Assistant for iOS 2023.7_  
+
+**2023-10-19: Account takeover via auth_callback login**  
+Severity: _Low_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5)_  
+Assigned CVE: _[CVE-2023-41893](https://nvd.nist.gov/vuln/detail/CVE-2023-41893)_  
+Discovered by: _[Cure53](https://cure53.de/) (Funded by [Nabu Casa](https://www.nabucasa.com/))_  
+Fixed in: _Home Assistant Core 2023.9_  
+
+**2023-10-19: Full takeover via javascript URI in auth_callback login**  
+Severity: _Critical_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv)_  
+Assigned CVE: _[CVE-2023-41895](https://nvd.nist.gov/vuln/detail/CVE-2023-41895)_  
+Discovered by: _[Cure53](https://cure53.de/) (Funded by [Nabu Casa](https://www.nabucasa.com/))_  
+Fixed in: _Home Assistant Core 2023.9_  
+
+**2023-10-19: Local-only webhooks externally accessible via SniTun**  
+Severity: _Low_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45)_  
+Assigned CVE: _[CVE-2023-41894](https://nvd.nist.gov/vuln/detail/CVE-2023-41894)_  
+Discovered by: _[Cure53](https://cure53.de/) (Funded by [Nabu Casa](https://www.nabucasa.com/))_  
+Fixed in: _Home Assistant Core 2023.9_  
+
+**2023-10-19: Fake WS server installation permits full takeover**  
+Severity: _Critical_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q)_  
+Assigned CVE: _[CVE-2023-41896](https://nvd.nist.gov/vuln/detail/CVE-2023-41896)_  
+Discovered by: _[Cure53](https://cure53.de/) (Funded by [Nabu Casa](https://www.nabucasa.com/))_  
+Fixed in: _Home Assistant Core 2023.9 & `home-assistant-js-websocket` 8.2.0 (npm)_  
+
+**2023-10-19: Lack of XFO header allows clickjacking**  
+Severity: _Critical_  
+Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw)  
+Assigned CVE: _[CVE-2023-41897](https://nvd.nist.gov/vuln/detail/CVE-2023-41897)_  
+Discovered by: _[Cure53](https://cure53.de/) (Funded by [Nabu Casa](https://www.nabucasa.com/))_  
+Fixed in: _Home Assistant Core 2023.9_  
+
 **2023-03-08: Authentication bypass Supervisor API**  
 Severity: _Critical (CVSS: 10.0)_  
 Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25)_  
 Assigned CVE: _[CVE-2023-27482](https://nvd.nist.gov/vuln/detail/CVE-2023-27482)_  
 Discovered by: _[Joseph Surin](https://jsur.in/) from [elttam](https://www.elttam.com/)_  
-Fixed in: _Core 2023.3.2, Supervisor 2023.03.3_  
+Fixed in: _Home Assistant Core 2023.3.2, Home Assistant Supervisor 2023.03.3_  
 
 **2017-10-11: Cross-site scripting in Markdown output**  
 Severity: _Medium (CVSS: 6.1)_  
 Detailed information: _[Pull request](https://github.com/home-assistant/frontend/pull/514)_  
 Assigned CVE: _[CVE-2017-16782](https://nvd.nist.gov/vuln/detail/CVE-2017-16782)_  
 Discovered by: _Marcin Teodorczyk from [intive.com](https://intive.com/)_  
-Fixed in: _Core 0.57_  
+Fixed in: _Home Assistant Core 0.57_  
 
 ---