Hacking Linux servers remotely with this Pi-hole vulnerability

A network penetration testing researcher has revealed the presence of a medium-severity vulnerability in Pi-hole, a network-based content filtering solution quite popular among users concerned about their online privacy.

Pi-hole is a Linux-based application for blocking ads and website trackers, designed to run on embedded devices such as the Raspberry Pi. This technology provides Domain Name System (DNS) protection that keeps user devices away from unwanted content without the need to install any additional client-side software.

Pi-hole also offers an integrated Dynamic Host Configuration Protocol (DHCP) server, along with a web-based user interface that allows the configuration of this server, network penetration testing specialists mention.

Network penetration testing researcher Francois Renaud-Philippon discovered a remote code execution (RCE) vulnerability whereby an authenticated user in this product’s web portal could compromise the underlying server. The flaw affects Pi-hole version 4.3.2 and earlier and was assigned the identifier CVE-2020-8816.

The researcher submitted the report on this security issue last month, so the developers of the tool had time to release a security update.

The risk of exploitation is moderate/low, as it is not possible to abuse this vulnerability remotely. However, users who have not yet upgraded their Pi-hole deployment must install the latest version (v4.3.3).

While the possibility of exploiting this vulnerability is truly small, the cybersecurity community considers this to be an interesting finding, as a proof of concept was even published along with the report.

According to the International Institute of Cyber Security (IICS), Pi-hole is a technology widely popular with developers and Internet users concerned about the security of their browsing data; using this tool, it is possible to block thousands of ads and tracking domains on a home or small business network.

Arguably, Pi-hole works similarly to a firewall, which means that ads and tracking domains are blocked for all devices behind the tool; this may include smart TVs, smartphones and other computers without native ad blocking software.