Platform
python
Component
esphome
Fixed in
2023.12.10
2024.2.1
CVE-2024-27081 describes a Remote Code Execution (RCE) vulnerability within the ESPHome dashboard component. This flaw stems from a path traversal issue in the edit configuration file API, allowing authenticated attackers to manipulate files within the ESPHome configuration directory. The vulnerability impacts versions of ESPHome up to and including 2024.2.0b3, and a fix is available in version 2024.2.1.
An attacker exploiting CVE-2024-27081 can gain remote code execution capabilities on the ESPHome device. This is achieved by leveraging the path traversal vulnerability in the dashboard's configuration file API. By crafting malicious requests, an attacker can read and write files within the ESPHome configuration directory, effectively compromising the device's functionality and potentially gaining control over connected smart home devices. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including data theft, device hijacking, and network intrusion. The impact is particularly concerning given the increasing reliance on ESPHome for managing and automating smart home environments.
CVE-2024-27081 was publicly disclosed on March 1, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's nature suggests that it is likely to be exploited once a POC is released. The vulnerability is not currently listed on the CISA KEV catalog.
Home users and small businesses utilizing ESPHome for home automation are particularly at risk. Individuals relying on ESPHome for critical functions, such as security systems or environmental controls, face a heightened level of exposure. Shared hosting environments where ESPHome is deployed could also be impacted, potentially affecting multiple users.
• linux / server:
journalctl -u esphome -f | grep -i "path traversal"
• generic web:
curl -I 'http://<esphome_ip>/api/edit_config?file=../../../../etc/passwd' # Attempt path traversal
• generic web:
curl -I 'http://<esphome_ip>/api/edit_config?file=/etc/passwd' # Attempt path traversal
disclosure
Exploit status
EPSS
4.46% (89th percentile)
CVSS vector
The primary mitigation for CVE-2024-27081 is to upgrade ESPHome to version 2024.2.1 or later. This version includes a fix that addresses the path traversal vulnerability. If an immediate upgrade is not feasible, consider restricting access to the ESPHome dashboard to trusted users only. Implement strong authentication mechanisms and regularly review user permissions. While a direct WAF rule is difficult to implement, monitoring for unusual file access patterns within the ESPHome configuration directory can provide an early warning sign of potential exploitation. After upgrading, confirm the fix by attempting to access configuration files via the dashboard API and verifying that access is restricted.
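As an added illustration of the bug class this advisory describes (not ESPHome's own code and not its actual fix), the following Python contrasts the unchecked path join behind a path-traversal flaw with a resolution that confines a request-supplied file name to the configuration directory; the config directory path and file names are constructed sample values.

```python
import os

# Constructed sample value for this illustration, not a path from ESPHome.
CONFIG_DIR = "/srv/esphome"


def naive_config_path(config_dir: str, name: str) -> str:
    """Vulnerable pattern: join the request-supplied name with no check.

    "../" segments walk out of config_dir, and an absolute name makes
    os.path.join discard config_dir entirely (both shapes appear in the
    curl checks earlier on this page).
    """
    return os.path.join(config_dir, name)


def safe_config_path(config_dir: str, name: str) -> str:
    """Resolve `name` inside config_dir; raise ValueError if it escapes."""
    base = os.path.realpath(config_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath (rather than startswith) also rejects the sibling-prefix
    # trick, e.g. /srv/esphome-evil being accepted for base /srv/esphome.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing file outside config dir: {name!r}")
    if candidate == base:
        raise ValueError("a config file name is required")
    return candidate


def check_config_name(config_dir: str, name: str):
    """Return the normalised name relative to config_dir, or None if rejected.

    This is the shape of check a dashboard edit/read endpoint should apply
    before touching the file system.
    """
    try:
        resolved = safe_config_path(config_dir, name)
        return os.path.relpath(resolved, os.path.realpath(config_dir))
    except ValueError:
        return None


if __name__ == "__main__":
    for requested in ("living_room.yaml", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{requested!r}: naive -> {naive_config_path(CONFIG_DIR, requested)}"
              f", checked -> {check_config_name(CONFIG_DIR, requested)}")
```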
Update ESPHome to version 2024.2.1 or later. This fixes the arbitrary file write vulnerability in the dashboard component. The update can be performed via the command-line interface or through a system update.
CVE-2024-27081 is a Remote Code Execution vulnerability in the ESPHome dashboard, allowing attackers to potentially execute code on the device.
You are affected if you are using ESPHome versions 2024.2.0b3 or earlier. Upgrade to 2024.2.1 or later to mitigate the risk.
Upgrade ESPHome to version 2024.2.1 or later. This resolves the path traversal vulnerability.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation raises concerns about potential abuse.
Refer to the official ESPHome security advisory for detailed information and updates: [https://esphome.io/security.html](https://esphome.io/security.html)