CVE-2023-41897

8.8 HIGH

📋 TL;DR

This vulnerability in Home Assistant allows attackers to perform clickjacking attacks: the Home Assistant interface is loaded inside an invisible frame on an attacker-controlled page, so that clicks a user believes are on that page land on Home Assistant controls. This could lead to remote code execution by installing malicious add-ons. All Home Assistant users with versions before 2023.9.0 are affected.

💻 Affected Systems

Products:
  • Home Assistant Core
Versions: All versions before 2023.9.0
Operating Systems: All platforms running Home Assistant
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on the Home Assistant server, allowing full system compromise and potential lateral movement in the network.

🟠

Likely Case

Clickjacking attacks leading to unauthorized add-on installation or configuration changes.

🟢

If Mitigated

Minimal impact with proper HTTP security headers and user awareness.

🌐 Internet-Facing: HIGH - Home Assistant instances exposed to the internet are directly vulnerable to clickjacking attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this via phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Clickjacking attacks are well-understood and easy to implement. The advisory mentions specific attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.9.0 and later

Vendor Advisory: https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw

Restart Required: Yes

Instructions:

1. Back up your Home Assistant configuration.
2. Update Home Assistant to version 2023.9.0 or later via the Supervisor panel or command line.
3. Restart Home Assistant to apply the update.

🧯 If You Can't Patch

  • Implement a reverse proxy with proper HTTP security headers (X-Frame-Options, Content-Security-Policy).
  • Restrict Home Assistant access to trusted networks only and avoid exposing to the internet.

🔍 How to Verify

Check if Vulnerable:

Check Home Assistant version in the Configuration > Info panel or run 'ha core info' in the terminal.

Check Version:

ha core info | grep 'version'

or check the web interface at Configuration > Info.

Verify Fix Applied:

Verify that the version is 2023.9.0 or later and test that the X-Frame-Options header is present in HTTP responses from the Home Assistant frontend.
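The reverse-proxy mitigation above and this verification step both come down to one question: does the HTTP response from Home Assistant carry a header that stops browsers from framing it? The following script is an added example (not code from the Home Assistant project or the advisory) that answers that question for a set of response headers. It evaluates both X-Frame-Options and the Content-Security-Policy frame-ancestors directive, applying the browser rule that a frame-ancestors directive, when present, takes precedence over X-Frame-Options. The header sets at the bottom are constructed samples; the function name fetch_headers and the user-agent string are this example's own choices.

```python
"""Check whether an HTTP response carries clickjacking (framing) protection.

Added example, not code from the Home Assistant project or the advisory.
It inspects the two headers that control framing: X-Frame-Options and the
Content-Security-Policy frame-ancestors directive. The sample header sets
at the bottom are constructed for illustration, not captured from a real
instance.
"""
from __future__ import annotations

import urllib.request
from typing import Mapping


def _parse_frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_frame_protection(headers: Mapping[str, str]) -> dict:
    """Evaluate response headers and report whether the page may be framed.

    Returns {'protected': bool, 'findings': [str, ...]}.
    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers.
    xfo = lower.get("x-frame-options", "").strip().upper()
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    if xfo_ok:
        findings.append(f"X-Frame-Options: {xfo} blocks cross-site framing")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options: ALLOW-FROM is obsolete and ignored by modern browsers")
    elif xfo:
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")
    else:
        findings.append("X-Frame-Options header missing")

    # CSP frame-ancestors: an empty source list means 'none'; '*' or a bare
    # scheme source lets any site frame the page.
    ancestors = _parse_frame_ancestors(lower.get("content-security-policy", ""))
    csp_ok: bool | None
    if ancestors is None:
        csp_ok = None
        findings.append("CSP frame-ancestors directive missing")
    elif not ancestors or ancestors == ["'none'"]:
        csp_ok = True
        findings.append("CSP frame-ancestors 'none' blocks all framing")
    elif "*" in ancestors or any(t in ("http:", "https:") for t in ancestors):
        csp_ok = False
        findings.append(f"CSP frame-ancestors {' '.join(ancestors)} permits any origin to frame the page")
    else:
        csp_ok = True
        findings.append(f"CSP frame-ancestors restricts framing to: {' '.join(ancestors)}")

    # Browsers that support frame-ancestors ignore X-Frame-Options when both are set.
    protected = csp_ok if csp_ok is not None else xfo_ok
    return {"protected": protected, "findings": findings}


def fetch_headers(url: str, timeout: float = 5.0) -> dict[str, str]:
    """Fetch a URL and return its response headers (live network check)."""
    req = urllib.request.Request(url, headers={"User-Agent": "frame-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample header sets (not captured from a real Home Assistant instance).
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
PROTECTED = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}
CSP_OVERRIDES_XFO = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
}

if __name__ == "__main__":
    import sys

    # Pass the URL of your own instance's login page to test it live; with no
    # argument the constructed UNPROTECTED sample is evaluated instead.
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else UNPROTECTED
    result = assess_frame_protection(headers)
    print("protected" if result["protected"] else "FRAMABLE")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against the login page of your own instance through the reverse proxy, since that is the path a browser would take; a proxy that adds X-Frame-Options only on some locations will show up as FRAMABLE on the others. The third sample shows why the script checks CSP as well: a permissive frame-ancestors directive added by a proxy silently cancels a DENY set by the application.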

📡 Detection & Monitoring

Log Indicators:

  • Unusual add-on installation events
  • Unexpected configuration changes

Network Indicators:

  • HTTP responses from Home Assistant lacking the X-Frame-Options header

SIEM Query:

web.url:*/api/* AND NOT http.headers.x-frame-options:*

🔗 References
