RaresAil / homebridge-tp-link-tapo

A platform to implement the tp-link tapo device and Adaptive Lighting for light bulbs
https://www.npmjs.com/package/homebridge-tp-link-tapo
Apache License 2.0
61 stars 5 forks

Error sending command: deviceInfo TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809 #88

Open chrisdlb1 opened 4 months ago

chrisdlb1 commented 4 months ago

Describe The Bug

Unable to control my Tapo P100. Hardware version: 1.0.0 Firmware version: 1.3.0 Build 20210310 Rel. 63416

Expected behavior

Plug should turn off and on.

Logs

[18/02/2024, 8:04:11 pm] [TPLink Tapo Platform] Error sending command: deviceInfo TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
    at LegacyAPI.decodeHandshakeKey (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:183:30)
    at LegacyAPI.handshake (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:173:30)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at LegacyAPI.sendSecureRequest (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:83:7)
    at LegacyAPI.login (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/LegacyAPI.ts:20:22)
    at TPLink.sendCommandWithNoLock (/var/lib/homebridge/node_modules/homebridge-tp-link-tapo/src/api/TPLink.ts:208:9) {
  code: 'ERR_INVALID_ARG_VALUE'
[18/02/2024, 8:04:11 pm] [TPLink Tapo Platform] Failed to get info about: 192.168.0.104
[18/02/2024, 8:04:11 pm] [TPLink Tapo Platform] Retry to connect in 10s: 192.168.0.104

Plugin Config

{
  "name": "TPLink Tapo Platform",
  "email": "",
  "password": "",
  "addresses": [
    "192.168.0.103",
    "192.168.0.104",
    "192.168.0.107",
    "192.168.0.111",
    "192.168.0.108",
    "192.168.0.110",
    "192.168.0.105",
    "192.168.0.106"
  ],
  "_bridge": {
    "username": "0E:17:51:23:24:47",
    "port": 54338
  },
  "platform": "HomebridgeTPLinkTapo"
}

Plugin Version

4.1.0

Homebridge Version

1.7.0

Node.js Version

20.11.1

NPM Version

9.2.0

Operating System

Debian 12, Kernel 6.1.0-18-amd64

3liverse commented 4 months ago

Same issue. I don't know what's going on and can fix it...

giovanijfc commented 4 months ago

Hello, I had this problem when uploading a version of a web application that uses Docker, it seems that on 02/14/2024 a fix was released on the node that does not allow RSA encryption with pkcs1 padding to be used, the simplest way to solve it is to run in the terminal a node --security-revert=CVE-2023-46809 that will remove this security rule...

Remembering that this is an ideal palliative solution and no longer use RSA encryption with pkcs1 padding

https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
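
Added example, not part of any comment in this thread and not the plugin's code: a Node.js probe that reports whether the running runtime rejects `RSA_PKCS1_PADDING` in `crypto.privateDecrypt` (the call that fails in the log above) and confirms that an OAEP round trip still works. The function name `probeRsaPadding` and the sample secret are constructed for illustration.

```javascript
// Added example (assumption: run with plain `node`, no third-party modules).
const crypto = require('node:crypto');

function probeRsaPadding() {
  // Throwaway key pair, generated only for this probe.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
  });
  const secret = Buffer.from('constructed-handshake-key'); // constructed sample

  // Encrypting with PKCS#1 v1.5 padding is still accepted; the error in the
  // log is raised by private *decryption* with that padding.
  const legacyCiphertext = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    secret
  );

  let pkcs1;
  try {
    const out = crypto.privateDecrypt(
      { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING },
      legacyCiphertext
    );
    pkcs1 = out.equals(secret) ? 'allowed' : 'mismatch';
  } catch (err) {
    // Same error code as in the issue's log; anything else is unexpected.
    if (err.code !== 'ERR_INVALID_ARG_VALUE') throw err;
    pkcs1 = 'rejected';
  }

  // OAEP is the padding that remains supported for private decryption.
  const oaep = {
    padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
    oaepHash: 'sha256',
  };
  const oaepCiphertext = crypto.publicEncrypt({ key: publicKey, ...oaep }, secret);
  const oaepOk = crypto
    .privateDecrypt({ key: privateKey, ...oaep }, oaepCiphertext)
    .equals(secret);

  // True when node was started with a --security-revert flag on its command line.
  const revertFlag = process.execArgv.some((a) => a.startsWith('--security-revert'));

  return { node: process.version, pkcs1, oaepOk, revertFlag };
}

console.log(probeRsaPadding());
```

A result of `pkcs1: 'rejected'` means this runtime enforces the CVE-2023-46809 change; `revertFlag: true` shows the process was launched with the protection switched off.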

Torstentjh commented 4 months ago

> Hello, I had this problem when uploading a version of a web application that uses Docker, it seems that on 02/14/2024 a fix was released on the node that does not allow RSA encryption with pkcs1 padding to be used, the simplest way to solve it is to run in the terminal a node --security-revert=CVE-2023-46809 that will remove this security rule...
>
> Remembering that this is an ideal palliative solution and no longer use RSA encryption with pkcs1 padding
>
> https://nodejs.org/en/blog/vulnerability/february-2024-security-releases

@giovanijfc Hello, could you please tell me in detail how to solve it? I cloned someone else's backend code, using nestjs, and then deployed it to my server. Such a problem also occurred. I first built an image of the backend service, and then used docker-compose to start this image together with images such as mysql.

Tommattin commented 4 months ago

Likewise, I am not a coder by any means and accidentally broke my pi's SD card, resulting in starting back up and now it's 5am and I'm running in circles through this. I've put in --security-revert=CVE-2023-46809 and yet, command not found. Please, may a god help me in simple terms.

ramita-0 commented 4 months ago

> Likewise, I am not a coder by any means and accidentally broke my pi's SD card, resulting in starting back up and now it's 5am and I'm running in circles through this. I've put in --security-revert=CVE-2023-46809 and yet, command not found. Please, may a god help me in simple terms.

Are you trying to run an app with npm run start and it fails with this error? It was my case, and I fixed it by going to package.json and in the start: node index.js script, I changed it to start: node --security-revert=CVE-2023-46809 index.js

Basically, to whatever thing you are trying to run with node, just add the flag before the file that you will run

Mukundace commented 3 months ago

Same here. I'm not a coder and tried to add the above-mentioned "security-revert=CVE-2023-46809" in the Raspberry terminal, but it shows "security-revert=CVE-2023-46809 bash: security-revert=CVE-2023-46809: command not found". Can somebody explain to me how to resolve this step by step in layman's language?

giovanijfc commented 3 months ago

Hello, sorry for the delay in responding, github is not very good with notifications.

Image node without this rule: in your docker file change node:18-alpine to FROM node:18-alpine@sha256:aacbcec05180c1dd8c33dba8a9c42b75dbfdd659aa57617497f1ce2c5d83d889 AS base which references the image before this security addition

If your image is not alpine or node 18 you only need to use an image released before 02/14/2024

Remove security rule from the environment: must run on the ending node security-revert=CVE-2023-46809

Mukundace Tommattin Torstentjh

Mukundace commented 3 months ago

Dear Team,

I'm running Homebridge directly on a Raspberry Pi 4 without Docker, and to be honest I'm not familiar with coding. Would it be possible for you to explain to me step by step what to do?

Thanking in advance,
Regards
Mukund Khandelwal

On 10 Apr 2024, at 1:35 AM, giovanijfc @.> wrote:

> Hello, sorry for the delay in responding, github is not very good with notifications.
>
> Image node without this rule: in your docker file change node:18-alpine to FROM @.:aacbcec05180c1dd8c33dba8a9c42b75dbfdd659aa57617497f1ce2c5d83d889 AS base which references the image before this security addition
>
> Remove security rule from the environment: must run on the ending node security-revert=CVE-2023-46809 , your node needs to be updated to a version greater than


RaresAil commented 3 months ago

Just downgrade to latest node version that worked

sudo hb-service update-node 20.11.0

baggy01 commented 3 months ago

> Just downgrade to latest node version that worked
>
> sudo hb-service update-node 20.11.0

Thank you!

GonzaloAlonso commented 2 months ago

I've noticed that error is gone after updating the firmware of the device to 1.5.5 Build 20230927 Rel.40646

Release notes include:

I used the Tapo iOS app to upgrade the firmware