ghsa-m3pm-rpgg-5wj6
Vulnerability from github
Published
2025-02-18 19:25
Modified
2025-02-18 22:51
Severity ?
7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
Home Assistant does not correctly validate SSL for outgoing requests in core and used libs
Details

Summary

Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.

Details

In the past, aiohttp-session/request had the parameter verify_ssl to control SSL certificate verification. This was a boolean value. In aiohttp 3.0, this parameter was deprecated in favor of the ssl parameter. Only when ssl is set to None or provided with a correct configured SSL context the standard SSL certificate verification will happen.

When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the verify_ssl parameter value was just moved to the new ssl parameter. This resulted in these integrations and 3rd party libraries using request.ssl = True, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.

Example: https://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84

When you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.

The general handling in Home Assistant looks good, as homeassistant.helpers.aoihttp_client._async_get_connector handles it correctly.

PoC

  1. Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.
  2. Add the integration adguard with the setting host=expired.badssl.com, port=443, use-ssl=true, verify-ssl=true.
  3. Check the logs - you get a HTTP 403 response.

Expected behavior: 1. The integration log shows an ssl.SSLCertVerificationError.

The following code shows the problem with ssl=True. No exception is raised when ssl=True (Python 3.11.6).

``` import asyncio from ssl import SSLCertVerificationError

import aiohttp

BAD_URL = "https://expired.badssl.com/"

async def run_request(verify_ssl, result_placeholder: str): async with aiohttp.ClientSession() as session: exception_fired: bool = False try: await session.request("OPTIONS", BAD_URL, ssl=verify_ssl) except SSLCertVerificationError: exception_fired = True except Exception as error: print(error) else: exception_fired = False print(result_placeholder.format(exception_result=exception_fired))

Case 1: ssl=False --> expected result: No exception

asyncio.run(run_request(False, "Test case 1: expected result: False - result: {exception_result}"))

Case 2: ssl=None --> expected result: Exception

asyncio.run(run_request(None, "Test case 2: expected result: True - result: {exception_result}"))

Case 3: ssl=True --> expected result: No Exception

asyncio.run(run_request(True, "Test case 3: expected result: False - result: {exception_result}"))

```

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "homeassistant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2024.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-18T19:25:24Z",
    "nvd_published_at": "2025-02-18T19:15:29Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nProblem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.\n\n## Details\n\nIn the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen.\n\nWhen migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.\n\nExample:\nhttps://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84\n\nWhen you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.\n\nThe general handling in Home Assistant looks good, as `homeassistant.helpers.aoihttp_client._async_get_connector` handles it correctly.\n\n## PoC\n\n1. Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.\n2. Add the integration adguard with the setting `host=expired.badssl.com`, `port=443`, `use-ssl=true`, `verify-ssl=true`.\n3. Check the logs - you get a HTTP 403 response.\n\nExpected behavior:\n1. The integration log shows an `ssl.SSLCertVerificationError`.\n\nThe following code shows the problem with `ssl=True`. No exception is raised when `ssl=True` (Python 3.11.6).\n\n```\nimport asyncio\nfrom ssl import SSLCertVerificationError\n\nimport aiohttp\n\nBAD_URL = \"https://expired.badssl.com/\"\n\n\nasync def run_request(verify_ssl, result_placeholder: str):\n    async with aiohttp.ClientSession() as session:\n        exception_fired: bool = False\n        try:\n            await session.request(\"OPTIONS\", BAD_URL, ssl=verify_ssl)\n        except SSLCertVerificationError:\n            exception_fired = True\n        except Exception as error:\n            print(error)\n        else:\n            exception_fired = False\n        print(result_placeholder.format(exception_result=exception_fired))\n\n\n# Case 1: ssl=False --\u003e expected result: No exception\nasyncio.run(run_request(False, \"Test case 1: expected result: False - result: {exception_result}\"))\n\n# Case 2: ssl=None --\u003e expected result: Exception\nasyncio.run(run_request(None, \"Test case 2: expected result: True - result: {exception_result}\"))\n\n# Case 3: ssl=True --\u003e expected result: No Exception\nasyncio.run(run_request(True, \"Test case 3: expected result: False - result: {exception_result}\"))\n\n```",
  "id": "GHSA-m3pm-rpgg-5wj6",
  "modified": "2025-02-18T22:51:42Z",
  "published": "2025-02-18T19:25:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant/core/commit/8c6547f1b64f4a3d9f10090b97383353c9367892"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/home-assistant/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Home Assistant does not correctly validate SSL for outgoing requests in core and used libs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.