Sinkhole far from sunk by nonetheless cool web exploit
A security researcher has uncovered a neat – though far from critically dangerous – security vulnerability in Pi-hole, the network-based content filtering technology that’s popular with privacy-conscious web users.
Pi-hole offers a Domain Name System (DNS) sinkhole that protects devices from unwanted content without the need to install any client-side software.
The technology also offers a built-in Dynamic Host Configuration Protocol (DCHP) server, along with a web-based user interface that allows configuration of this server.
Security researcher François Renaud-Philippon discovered a remote code execution (RCE) vulnerability that meant an authenticated web portal user could hack into the underlying server.
The flaw (CVE-2020-8816) affects Pi-hole version 4.3.2 and earlier.
Pi vulnerability squared off
Renaud-Philippon disclosed the bug to developers of the Pi-hole last month, and facilitated the development of a patch.
Users of the Pi-hole who haven’t already updated their systems would be well advised to apply version 4.3.3, even though the attack fails to lend itself to remote exploitation.
Despite the fact that the possibility of exploitation is quite low, the security flaw is still an interesting find, as illustrated by a comprehensive write-up of the vulnerability and accompanying proof-of-concept exploit.
Pi-hole is a Linux-based advertisement and internet tracker blocking application that’s designed to run on embedded devices, such as the Raspberry Pi, or a network gateway PC running Linux.
The technology, which is popular with developers and privacy-conscious consumers, blocks advertisements and tracking domains for all the devices behind it on a home or small office network.
Pi-hole functions similarly to a network firewall, meaning that advertisements and tracking domains are blocked for all devices behind it, potentially including smart TVs and smartphones that by themselves lack native ad blocking software.
YOU MIGHT ALSO LIKE Kr00k exploit tool allows pen testers to probe for WiFi security vulnerability