#AccèsDirect (direct access) to paramedical professionals recommended by the #HAS despite the absence of an implementing decree and the complexity of putting it into practice...
Valletoux says the decrees on #IPA are coming out, the decree on #IVG performed by midwives is being rewritten, ... #MSP at the heart of the #prévention check-ups recently introduced by law. #Coordination from the very start of MSP projects, which requires funding that still arrives far too late! Valletoux is discovering... #AVEC2024
Today's #Security Blunder Shout-Out goes to #HomeAssistant. The latest version (and its first point release) reinvents the old notion of "trusted networks" to save attackers the effort of enumerating user accounts.
It comes with a fancy new login screen, for "local users only", that shows all of the user accounts. It cannot be disabled. It cannot be configured. Accounts cannot be excluded. It applies to every connection that HA thinks is local. There are no tunables, no logs, no options. Just a decision tree hidden inside a black box. ("Use x-forwarded-for and these two options" is great, if it works. 100% of my other endpoints are parsing the header successfully...)
There are no tools to inspect the incoming requests, so "just fix the proxy" is useless advice. There are no options to disable it, so even if you split local/remote successfully it will still apply to local.
Welcome back to 1998, when you could pretend your local network was somehow not connected to anything...
To confirm everything I duplicated the setup with a new ExternalName service and ingress, pointed at a httpbin docker container.
`curl -vvv https://ingress-here/headers?show_env=1` shows both X-Forwarded-For and X-Real-Ip. That puts the error on the HA side until proven otherwise. Except there are no diagnostic tools, so I guess I'll keep going...
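The "is this connection local?" decision the thread complains about is a small piece of logic, and the two ways it usually goes wrong are both visible once it is written down: a proxy on the LAN that forwards no client header makes every remote user look local, and a direct connection that supplies its own header can claim to be local. The following is an added illustration, not Home Assistant's code and not the poster's; `naive_local_decision`, `hardened_local_decision` and the private-range list are assumptions chosen to show the failure mode and the check that closes it, and the hardened version returns a reason string so an operator has something to log, which is exactly the diagnostic output the poster says is missing.

```python
import ipaddress

# Constructed sample ranges for the example; a real deployment would use
# whatever the operator considers "local".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(ip: str) -> bool:
    """True when ip parses and falls inside one of PRIVATE_NETS; garbage is never local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def naive_local_decision(remote_addr: str, headers: dict) -> tuple[bool, str]:
    """The fragile decision tree: believe X-Forwarded-For from any peer,
    otherwise classify by the socket peer address (which is the proxy)."""
    xff = headers.get("x-forwarded-for", "")
    client = xff.split(",")[0].strip() if xff else remote_addr
    source = "header" if xff else "socket"
    return is_private(client), f"client={client} (source={source})"


def hardened_local_decision(remote_addr: str, headers: dict,
                            trusted_proxies: list[str]) -> tuple[bool, str]:
    """Honor X-Forwarded-For only when the socket peer is a trusted proxy;
    when that proxy sends no header, refuse to call the request local.
    Assumes a single trusted proxy hop, so the rightmost entry is the one
    the proxy appended and names the proxy's own peer."""
    proxies = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in proxies:
        # Direct connection: any X-Forwarded-For was written by the client itself.
        return is_private(remote_addr), (
            f"client={remote_addr} (socket peer; X-Forwarded-For ignored, peer not a trusted proxy)")
    xff = headers.get("x-forwarded-for", "")
    if not xff:
        # Fail closed: a LAN proxy with no header would otherwise make every remote user look local.
        return False, f"peer={remote_addr} is a trusted proxy but sent no X-Forwarded-For; not local"
    client = xff.split(",")[-1].strip()
    return is_private(client), f"client={client} (X-Forwarded-For via trusted proxy {remote_addr})"


if __name__ == "__main__":
    # Constructed scenarios: a proxy at 192.168.1.10 in front of the service.
    proxy = ["192.168.1.10"]
    cases = [
        ("proxy forwards nothing", "192.168.1.10", {}),
        ("proxy forwards remote client", "192.168.1.10", {"x-forwarded-for": "203.0.113.7"}),
        ("proxy forwards LAN client", "192.168.1.10", {"x-forwarded-for": "192.168.1.50"}),
        ("direct connection, self-supplied header", "203.0.113.7", {"x-forwarded-for": "192.168.1.5"}),
    ]
    for label, addr, hdrs in cases:
        print(f"{label}: naive={naive_local_decision(addr, hdrs)} "
              f"hardened={hardened_local_decision(addr, hdrs, proxy)}")
```

Run against the constructed cases, the naive variant reports "local" whenever the proxy omits the header or a direct peer supplies one; the hardened variant reports local only for a LAN address relayed by the trusted proxy, and its reason string is the log line an operator would want when a request is misclassified.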
I'm increasingly suspecting @homeassistant is just incompetently naive about security. "We're going to expose a bunch of personal info but don't worry, I'm sure it will be fine. Our friend's kid is a security expert and he says the new login page is really pretty."
Remember CVE-2023-27482? An unauthenticated remote exploit described as "install updates and add-ons". Add-ons are just docker containers, and there is a convenient "Ignore Security" button to run them as root with full host access. So the real exploit description is "Remote users could install hostile add-ons and gain full system control". Telling users "it is probably fine" (www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/#has-this-vulnerability-been-abused) when they may have completely compromised systems is just unbelievable to me.