A network penetration testing researcher has revealed the presence of a medium-severity vulnerability in Pi-hole, a network-based content filtering solution quite popular among users concerned about their online privacy.
Pi-hole is an ad-blocking application and Linux-based website tracking tools that is designed to run on embedded devices, such as Raspberry Pi. This technology provides Domain Name System (DNS) protection that keeps user devices away from unwanted content without the need to install any additional client-side software.
Pi-hole also offers an integrated Dynamic
Host Configuration Protocol (DHCP) server, along with a web-based user
interface that allows the configuration of this server, network penetration
testing specialists mention.
Network penetration testing researcher Francois
Renaud-Philippon discovered a remote code execution (RCE) vulnerability
whereby an authenticated user in this product’s web portal could compromise the
underlying server. The flaw affects Pi-hol version 4.3.2 and earlier, and
received the CVE-2020-8816 key on the Common Vulnerability Scoring System (CVSS).
The researcher presented the report on this
security inconvenience last month, so the developers of the tool had the time
to release a security update.
The risk of exploitation is moderate/low, as it
is not possible to abuse this vulnerability remotely. However, users who have
not yet upgraded their Pi-hole deployment must install the latest version
While the possibility of exploiting this
vulnerability is truly small, the cybersecurity community considers this to be
an interesting finding, as a proof of concept was even launched along with the
According to the International Institute of Cyber
Security (IICS), Pi-hole is a technology widely popular with developers
and Internet users concerned about the security of their browsing data; using
this tool, it is possible to block thousands of ads and tracking domains on a
home or small business network.
Arguably, Pi-hole works similarly to a firewall,
which means that ads and tracking domains are blocked for all devices behind
the tool; this may include smart TVs, smartphones and other computers without
native ad blocking software.