Attack Chain

1. An unauthenticated attacker sends a crafted HTTP request to the /hacsfiles/ endpoint with a path traversal sequence in the URL.
2. The vulnerable application fails to properly sanitize the input, allowing the attacker to traverse the file system.
3. The attacker targets the .storage/auth file, which contains sensitive user credentials and refresh tokens.
4. The application reads and returns the contents of the targeted file to the attacker.
5. The attacker extracts user credentials and refresh tokens from the obtained .storage/auth file.
6. The attacker uses the extracted information to craft valid JWT tokens.
7. The attacker authenticates to the Home Assistant instance using the crafted JWT tokens.
8. The attacker gains administrative access to the Home Assistant instance, allowing full control over connected devices and configurations.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to gain administrative control over Home Assistant instances. This can lead to unauthorized access to and manipulation of connected smart home devices, exposure of sensitive user data, and potential disruption of home automation systems. The impact ranges from privacy violations and service disruption to complete compromise of the affected smart home environment. Given the widespread use of Home Assistant, a successful attack could affect a significant number of users.

Recommendation

• Deploy the Sigma rule Detect HACS Path Traversal Attempt to detect requests with path traversal sequences targeting the /hacsfiles/ endpoint.
• Apply input validation and sanitization to the /hacsfiles/ endpoint to prevent directory traversal attacks, addressing CVE-2021-47942.
• Monitor web server logs for suspicious activity related to the /hacsfiles/ endpoint, as logged by the “webserver” category.
• Upgrade to a patched version of Home Assistant Community Store (HACS) that addresses the path traversal vulnerability.