openHAB 2.5.x Patch Releases

Quote from the Security Policy:

As the currently officially available version is 2.5.x, security patches will be considered for it, depending on their severity.

Lack of AAA authentication is very severe. Unauthenticated users are free to add, delete, & manage Items, Things, & Rules both through the WebUI and the REST API. If these are not vulnerabilities, then neither is CVE-2020-5242.

1 Like

Then submit an issue through the security email. But the lack of auth and auth isn’t something new. An issue has been open for it since before OH 2.0 was released. There were at least two aborted attempts to add it over the years IIRC, both of which ran into some sort of problem and failed. Adding this will almost certainly be a breaking change. Given the history I just don’t see how it will be feasible to add it to OH 2.5, no matter how much you want it.

But as with everything, code speaks louder than forum postings. You or anyone else is welcome to make a third attempt at adding it to OH 2.5 without breaking too much if you can.

Not every security vulnerability gets fixed and if they do get fixed, they don’t necessarily get fixed for all versions of the software.

I myself have a security issue that I submitted yesterday that in all likelihood won't be fixed in 2.5. There appears to be no way to fix it in 2.5, but already made/planned changes to OH 3 will address it.

Hi guys,

After the exec binding upgrade it does not work for me.

I am running openHAB on RPi and:

echo $OPENHAB_CONF
/etc/openhab2

I have created folder ‘misc’ in /etc/openhab2 and then ‘exec.whitelist’ in it.
In ‘exec.whitelist’ I put:

/home/openhabian/script.sh

In exec.things I have:

Thing exec:command:command1 [ command="/home/openhabian/script.sh" ]

When running it from the sitemap I got an error:

[ng.exec.internal.handler.ExecHandler] - Tried to execute '/home/openhabian/script.sh', but it is not contained in whitelist.

What am I doing wrong? How do I troubleshoot it? I have only tried rebooting openHAB, but it does not change anything. It was working before the upgrade.

I agree, so actually CVE-2020-5242 was probably an over-reaction here as clearly any access to the REST API exposes everything and must not be allowed to unauthorized people. We clearly state so in https://www.openhab.org/docs/installation/security.html#authentication-and-access-control.

Note: As @rlkoshak mentions, for openHAB 3 authentication & authorization is clearly on the roadmap. It won't be shipped without. There's just no way to retrofit it on 2.5.x.

2 Likes

Well, at least we have security ‘front and center’ for a broader audience again (as far as that was needed in the first place) and I suppose it was a good way to announce and test the Security Policy. :smile:

But seriously, I think it is a good thing that the Foundation is making these steps and IMHO the openHAB future is starting to look brighter and brighter! (Can’t wait to test OH 3 snapshots…)

Hi @kristofejro, have a look at Security limitations in 2.5.2 exec binding for some ideas.

What worked for me is that I had to “touch” the $OPENHAB_CONF/misc/exec.whitelist file after openhab had restarted. I have to do this on every restart.

Thanks @dopey.
It was probably CRLF issue.
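The "not contained in whitelist" error above and the CRLF diagnosis that resolved it can be checked from the shell before restarting openHAB. The script below is an added example written for this thread, not code from the openHAB project; it assumes the binding compares each whitelist line verbatim with the configured command string, so a line saved with Windows line endings carries an invisible trailing `\r` and never matches. The whitelist path and command are the ones from the post; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not openHAB code): diagnose why a command is rejected by
# $OPENHAB_CONF/misc/exec.whitelist. Assumption: the binding matches each
# whitelist line verbatim against the command, so a CRLF-terminated line
# ("/home/openhabian/script.sh\r") is not equal to "/home/openhabian/script.sh".

# Return 0 if FILE contains any carriage return (CRLF line endings), 1 otherwise.
has_crlf() {
    file=$1
    grep -q "$(printf '\r')" "$file"
}

# Return 0 if COMMAND appears as a complete line in FILE, exactly as written
# (no trimming), which is how the verbatim comparison is assumed to behave.
whitelist_allows() {
    file=$1
    cmd=$2
    grep -qxF -- "$cmd" "$file"
}

# Rewrite FILE with LF line endings, keeping a .bak copy of the original.
fix_crlf() {
    file=$1
    cp "$file" "$file.bak"
    tr -d '\r' < "$file.bak" > "$file"
}

# Constructed demonstration: a whitelist that was saved with CRLF endings.
demo() {
    wl=$(mktemp)
    printf '/home/openhabian/script.sh\r\n' > "$wl"
    if whitelist_allows "$wl" /home/openhabian/script.sh; then
        echo "allowed"
    else
        echo "not in whitelist"
        if has_crlf "$wl"; then
            echo "file has CRLF line endings; converting to LF"
            fix_crlf "$wl"
            whitelist_allows "$wl" /home/openhabian/script.sh && echo "allowed after fix"
        fi
    fi
    rm -f "$wl" "$wl.bak"
}

demo
```

Run it against the real file with `whitelist_allows "$OPENHAB_CONF/misc/exec.whitelist" /home/openhabian/script.sh; echo $?` (0 means a verbatim match exists); if that fails while `has_crlf` succeeds, the line endings are the problem rather than the path.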

Then why does the Security Policy strongly imply severe vulnerabilities will be fixed? You cannot secure a house with front and back doorways but no doors!

1 Like

It will be fixed, in OH 3.

Does that satisfy this part of the policy though?

As the currently officially available version is 2.5.x, security patches will be considered for it, depending on their severity

It was considered. “Considered” doesn’t mean “guaranteed”. It doesn’t mean “must be ported.” It doesn’t mean “has to happen.”

Will check that.

The point I think is that the impact of malicious users controlling your things because they have unrestricted access to them can be seen as less severe than having crypto miners or botnet software installed on your machine without your knowledge because the exec add-ons offered easy arbitrary remote command execution as a feature. Hence CVE-2020-5242, and an unusual patch release with an unfortunate breaking change - because the disclosure couldn't go out without a fix or contingency plan.

1 Like

No it isn’t.

1 Like

Isn’t it possible to secure access within Jetty?

http://whitehorseplanet.org/gate/topics/documentation/public/howto_jetty_basic_authentication.html

1 Like

Yes, it is severe when running OH as root, which some people do. However, it's great to have a security policy in place.

However, I recommend having an API gateway together with identity management in front of pretty much every API-built backend. But that's of course nothing for the ordinary home user. That's the reason why IT security IMHO ends at the front door for most of us.

This is akin to claiming it is a severe security issue when someone leaves a pile of cash on their front porch. It isn’t.

4 Likes

If you're leaving cash on the front door, please let me know your address :stuck_out_tongue:

4 Likes

If you say so, sir.

Maybe I'm thinking wrong, but openHAB is primarily a system for a smart house, isn't it? How many people do you have in your house who have the intent and ability to manipulate your server? I think you should invest more time in making the system more user-friendly than manipulation-proof. Bring a surface that everyone can work with, such as the "Next generation design" project by David. This had so much potential and was destroyed by stupid arguments. Or also important things like the Bluetooth binding, which was terribly neglected. Instead, the Tesla binding is celebrated. What are the priorities? If the collaboration and the focus on user-friendly operation do not change soon, then it is not surprising that more and more people choose ioBroker.

2 Likes