CVE-2024-28247
Published: 27 March 2024
Summary
CVE-2024-28247 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Pi-hole (listed in the NVD entry as vendor Pi-Hole, product Pi-Hole). Its CVSS base score is 7.6 (High).
Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Pi-hole, the open-source DNS sinkhole used for network-wide ad blocking, contains an arbitrary file-read flaw in its adlist update handling. When an authenticated user supplies an adlist URL beginning with "file://", the update routine treats the target as a local file and echoes up to five non-domain lines from that file back to the administrative interface. Because the Pi-hole services run with elevated privileges, this exposure occurs with the permissions of the privileged process rather than the authenticated user's own rights.
An attacker who already possesses a valid Pi-hole administrative account can therefore add a crafted local-file adlist pointing to any readable path on the server (for example /etc/shadow, configuration files, or other sensitive data). The resulting output discloses the selected file contents, satisfying the confidentiality component of the reported CVSS 7.6 vector while also permitting limited integrity and availability impact through subsequent misuse of the obtained information.
The project addressed the issue in release 5.18; the fix is documented in GitHub security advisory GHSA-95g6-7q26-mp9x and the corresponding commit that prevents printing of non-domain lines during local-file updates. The associated EPSS score has remained flat at 0.0714 with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25351
Vulnerability details
Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pi-hole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs with elevated privileges, the file reads are performed as a privileged user. If a URL in the "Adlists" list begins with "file*", the update is treated as coming from a local file; if it does not, the handling depends on the state of the HTTP response. The problem lies in the update from local files: when a file containing non-domain lines is processed, five of those non-domain lines are printed on screen, so pointing the update at any file on the server that contains non-domain lines discloses them. This vulnerability is fixed in 5.18.
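An added example (not Pi-hole's or the advisory's code) covering both the mechanism above and the 5.18 fix: a defender-side audit that flags configured adlists with a non-http(s) scheme, plus a line parser that counts rejected non-domain lines but never returns their contents for a local-file source. The adlist addresses and list lines are constructed samples, and the name of the gravity database column they stand in for is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of adlist addresses as an operator might find them in
# Pi-hole's gravity database (the `adlist.address` column is assumed).
SAMPLE_ADLISTS = [
    "https://lists.example.org/hosts",
    "file:///etc/shadow",
    "FILE:///etc/pihole/custom.list",
]

# Constructed sample of lines a local-file "adlist" might contain.
SAMPLE_LINES = [
    "# constructed sample list",
    "0.0.0.0 ads.example.com",
    "tracker.example.net  # trailing comment",
    "root:x:0:0:root:/root:/bin/bash",
    "not a domain at all",
]

# Loose hostname check: dot-separated labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

def audit_adlist_addresses(addresses):
    """Return adlist addresses whose scheme is not http(s): local-file sources,
    which on Pi-hole before 5.18 are the input that triggers the disclosure."""
    return [a for a in addresses
            if urlsplit(a).scheme.lower() not in ("http", "https")]

def summarise_adlist(lines, local_file):
    """Parse adlist lines into domains and count rejected ones. A sample of
    rejected lines is returned only for remote lists; for local files it is
    always empty, mirroring the 5.18 fix (pre-5.18 echoed up to five)."""
    domains, invalid = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        # hosts-file style "0.0.0.0 example.com": keep only the hostname.
        if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            line = parts[1]
        if DOMAIN_RE.match(line):
            domains.append(line)
        else:
            invalid.append(raw)
    sample = [] if local_file else invalid[:5]
    return {"domains": domains, "invalid_count": len(invalid), "invalid_sample": sample}
```

Running the audit against the adlist table of an unpatched instance is the quickest way to confirm whether any local-file source has been configured by an administrative account.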
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Audit record review and analysis can detect unauthorized exposure or access to sensitive information.
Defines roles and responsibilities to ensure proper privilege management during configuration changes.
Hunting tracks data exfiltration or unauthorized disclosure of sensitive information as a key threat indicator.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Automated marking applies security attributes to system outputs, so that sensitive information is labelled rather than left unmarked and exposed to unauthorized actors.
Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.