Executive Summary

This vulnerability exists in Pi-hole FTL versions before 6.6.1, where the dns.interface configuration field accepts newline characters without proper validation.

An attacker who is network-adjacent can exploit this by injecting arbitrary directives into the dnsmasq configuration file generated by Pi-hole FTL.

If the Pi-hole installation has no admin password set (which is the default in many deployments), the attacker can access the configuration API without credentials.

This allows the attacker to inject payloads that enable the built-in DHCP server and execute arbitrary commands on the host when any device requests a DHCP lease.

The injected configuration is saved persistently in /etc/pihole/pihole.toml and survives system restarts.

The vulnerability was fixed in Pi-hole FTL version 6.6.1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker on the same network to execute arbitrary commands on the host running Pi-hole FTL.

Such command execution can lead to full compromise of the device, unauthorized access to network traffic, and potential disruption of network services.

Additionally, the attacker can enable the built-in DHCP server, potentially causing network misconfigurations or man-in-the-middle attacks.

Because the injected configuration persists across restarts, the impact can be long-lasting until the system is patched or cleaned.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Pi-hole FTL to version 6.6.1 or later, where the issue has been fixed.

Additionally, set an admin password to restrict access to the configuration API, preventing unauthorized configuration changes.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to achieve arbitrary command execution on the host by injecting directives into the dnsmasq configuration via the dns.interface field, especially on installations without an admin password.

This could lead to unauthorized access and control over the network device, potentially compromising the confidentiality, integrity, and availability of data processed or stored by the device.

Such unauthorized access and potential data compromise may negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves injection of newline characters into the dns.interface configuration field in Pi-hole FTL versions before 6.6.1, which can be detected by inspecting the /etc/pihole/pihole.toml configuration file for suspicious entries containing newline characters or unexpected directives such as dhcp-script.

To detect if your Pi-hole FTL installation is vulnerable, check the installed version and the contents of the configuration file.

• Check Pi-hole FTL version (should be 6.6.1 or later):
• pihole-FTL version
• Inspect the /etc/pihole/pihole.toml file for suspicious newline injections or unexpected directives:
• grep -P '\n' /etc/pihole/pihole.toml
• cat /etc/pihole/pihole.toml | grep -E 'dhcp-script|\n'

Additionally, monitor network DHCP requests and Pi-hole logs for unexpected DHCP server behavior or script executions.

Useful 0 Not Useful 0