This Week In Security: Gitlab, VMware, And PixeFAIL

There’s a Gitlab vulnerability that you should probably pay attention to. Tracked as CVE-2023-7028, this issue allows an attacker to specify a secondary email during the password reset request. Only one email has to match the one on record, but the password reset link gets sent to both emails. Yikes!

What makes this worse is there is already a Proof of Concept (PoC) released, and it’s a trivial flaw. In an HTTP/S post containing the password reset request, just include two email addresses. Thankfully, a fix is already out. Versions 16.7.2, 16.6.4, and 16.5.6 contain this patch, as well as fixes for a flaw that allowed sneaking unauthorized changes into a previously approved merge request, and an issue with Slack and Mattermost where slash commands could be spoofed.
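As an added defender-side example (not code from GitLab or from this column), here is the acceptance logic the advisory describes beside a hardened version, plus a check that flags reset requests carrying more than one address in log lines; the account table, form-field names, request path and log format are all constructed assumptions.

```python
"""Defender-side checks for the CVE-2023-7028 pattern (added example)."""
import re
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"[^@\s&=]+@[^@\s&=]+\.[^@\s&=]+")

# Constructed sample of accounts on record, keyed by lower-cased address.
ACCOUNTS = {"alice@example.com": "alice"}

# Constructed log lines (format assumed): a normal reset and one carrying
# two addresses. 198.51.100.0/24 is documentation address space.
SAMPLE_LOG = [
    "2024-01-12T10:00:00Z 198.51.100.7 POST /users/password 200 "
    "body=email=alice%40example.com",
    "2024-01-12T10:00:05Z 198.51.100.7 POST /users/password 200 "
    "body=email%5B%5D=alice%40example.com&email%5B%5D=mallory%40evil.test",
]


def emails_in_body(body):
    """Every email-looking value in a form-encoded body, whatever field carried it."""
    found = []
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            found.extend(EMAIL_RE.findall(value))
    return found


def reset_recipients_vulnerable(body):
    """Flawed logic of the kind described above: the request is accepted if
    ANY supplied address is on record, and the link goes to ALL of them."""
    emails = emails_in_body(body)
    return emails if any(e.lower() in ACCOUNTS for e in emails) else []


def reset_recipients_fixed(body):
    """Hardened: exactly one address is accepted, and the link is sent only
    to that address, and only if it is the one on record."""
    emails = emails_in_body(body)
    if len(emails) != 1:
        return []
    email = emails[0].lower()
    return [email] if email in ACCOUNTS else []


def suspicious_reset_lines(log_lines):
    """Detection: password-reset POSTs whose body holds more than one distinct email."""
    flagged = []
    for line in log_lines:
        if "POST /users/password" not in line or " body=" not in line:
            continue
        body = line.rsplit(" body=", 1)[1]
        if len(set(e.lower() for e in emails_in_body(body))) > 1:
            flagged.append(line)
    return flagged
```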

VMware

We don’t want to over-dramatise this vulnerability, but VMware is calling it an emergency. This one affects VMware vRealize and Aria Automation. According to the CVSS calculator, it’s a low complexity network flaw, but does require at least some privileges. Hopefully more information will come out about this vulnerability, but for now that’s about all we know.


Haier Threatens Legal Action Against Home Assistant Plugin Developer

Appliance manufacturer Haier has been integrating IoT features into their newer products, and as is so common these days, users are expected to install their “hOn” mobile application to access them. Not satisfied with that limitation, [Andre Basche] reverse engineered the protocol used by the app, and released a Python library and associated Home Assistant plugin to interface with a wide array of Haier appliances, which includes brands like Hoover, Candy, GE Appliances and others.

Unfortunately, it looks like his efforts have gotten him into a bit of legal hot water. In an issue recently opened on the project’s GitHub page, [Andre] explains the circumstances and legal options that have led him to consider pulling the repositories completely — mostly due to the cost of mounting a legal defense to the cease & desist from Haier Europe.

What’s ironic here is that Haier has been part of the Connectivity Standard Alliance (CSA) since 2022, whose goal is to ‘promote universal open IoT standards’, including Matter.

It’s possible that a legal defense will be mounted against this C&D from Haier within the coming days. Yet regardless of the outcome here, it remains problematic that these IoT-enabled Haier appliances are connected to the Haier servers. Ideally they would be controlled locally, which is the goal of projects like [Miguel Ángel López Vicente]’s ESP Haier, which uses an ESP8266 to connect Haier AC units to the local WiFi and, for example, Home Assistant instances, all without requiring internet access.

This is sadly just one more example of why building your own offline smart home can be such an incredible struggle.

Thanks to [Ar3itrary] for the tip.

Cute Brass Lunar Lander Is A Neat Little Environment Monitor

Sometimes form can make a project more attractive than its simple function. [Mohit Bhoite]’s free-form builds are great examples of this. His latest effort is a gorgeous little device that displays environmental readings, and it’s shaped like a lunar lander. Just exquisite!

The device is based around a Seeedstudio XIAO nRF52840 dev board. It’s hooked up to a BME280 sensor which delivers temperature, humidity and air pressure readings from the immediate environment. These readings are displayed on a tiny 128×32 OLED display, along with the current time. Power is via a compact 14250 lithium cell.

So far, so simple, but the real magic is in the housing. It’s a wireframe lunar lander lookalike which [Mohit] put together using brass wire and some careful soldering. It adds so much to the build, which wouldn’t be nearly as attractive if just assembled on a PCB. It’s not his first rodeo, either. He previously built a cute device with an animated face in 2019 using similar techniques; it used a CCS811 gas sensor to detect air quality.

Often, we find ourselves falling most in love with devices that please the eye. [Mohit] certainly demonstrates a great skill in building things that fit this brief. Sometimes, it only takes a bit of thought and careful application of the mind to bring a beautiful aesthetic to your projects, and the results can be most rewarding. Try his Hackaday Supercon talk if you want to learn more.