The Harmless Pi-Hole Bug
A bug bounty hunter found a minor vulnerability in Pi-hole's api.php file, allowing unauthenticated changes to CPU temperature display. The issue was acknowledged but not deemed significant; a fix was accepted.
A bug bounty hunter recently explored a vulnerability in the Pi-hole software, an open-source ad blocker that functions as a DNS server. The investigation focused on the api.php file, which allows users to modify settings without proper authentication checks. The researcher discovered that while most files implemented security measures, api.php contained an endpoint that could execute a command to change the CPU temperature format displayed on the status page. Although this vulnerability was deemed inconsequential, the researcher reported it to the Pi-hole team, who acknowledged it but did not classify it as a significant security issue. The maintainers indicated that the flaw would be addressed in a future version. The researcher subsequently submitted a pull request to enhance security by adding an authentication check, which was accepted. The vulnerability has been assigned CVE-2024-44069, although it is currently marked as disputed due to differing opinions on its severity. This experience reinforced the researcher's appreciation for the Pi-hole project and sparked further interest in source code review.
- The researcher identified a minor vulnerability in the Pi-hole software's api.php file.
- The vulnerability allowed unauthenticated users to change the CPU temperature display format.
- The Pi-hole team acknowledged the issue but did not consider it a significant security risk.
- The researcher contributed a fix that was accepted into the project's development branch.
- The vulnerability has been assigned a CVE number but is marked as disputed.
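The class of bug summarised above, a settings endpoint reachable without an authentication check, is easy to show in a few lines of PHP. The following is an added illustration written for this page, not Pi-hole's actual api.php or the accepted pull request: the endpoint name, the `$_SESSION['authenticated']` flag, the settings file path and the allowed units are all assumptions. It shows the unprotected shape as a commented-out block and the hardened shape that requires an authenticated session and validates the value against an allow-list.

```php
<?php
// Added example (not Pi-hole's own code): a dashboard settings endpoint that
// changes the temperature unit, first in the unprotected shape described
// above, then gated behind an authentication check.
declare(strict_types=1);

const SETTINGS_FILE = '/tmp/example-settings.conf'; // placeholder path (assumption)
const ALLOWED_UNITS = ['C', 'F', 'K'];               // assumed set of valid units

session_start();

// Assumed login marker set by a separate login page; stands in for whatever
// session check the real project uses.
function isAuthenticated(): bool
{
    return isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
}

// Validate against an allow-list so only known values reach the settings
// file; the user-supplied string is never passed to a shell or interpolated
// into a command.
function setTemperatureUnit(string $unit): bool
{
    if (!in_array($unit, ALLOWED_UNITS, true)) {
        return false;
    }
    return file_put_contents(SETTINGS_FILE, "TEMPERATUREUNIT={$unit}\n", LOCK_EX) !== false;
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// --- Vulnerable shape: any client that can reach the endpoint changes the setting ---
// if (isset($_GET['temperatureunit'])) {
//     setTemperatureUnit((string) $_GET['temperatureunit']);
// }

// --- Hardened shape: a state-changing request requires an authenticated session ---
if (isset($_GET['temperatureunit'])) {
    if (!isAuthenticated()) {
        respond(401, ['error' => 'authentication required']);
    }
    $ok = setTemperatureUnit((string) $_GET['temperatureunit']);
    respond($ok ? 200 : 400, ['result' => $ok ? 'success' : 'invalid unit']);
}
```

Two points worth noting for a reviewer of code like this: the authentication check has to run before any state change, not after, and a state-changing action triggered by a GET parameter is still exposed to cross-site request forgery even once it is authenticated, so the usual follow-up is to accept it only via POST with a CSRF token.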
Related
The Dirty Pipe Vulnerability
The Dirty Pipe Vulnerability (CVE-2022-0847) in Linux kernel versions since 5.8 allowed unauthorized data overwriting in read-only files, fixed in versions 5.16.11, 5.15.25, and 5.10.102. Discovered through CRC errors in log files, it revealed systematic corruption linked to ZIP file headers due to a kernel bug in Linux 5.10. The bug's origin was pinpointed by replicating data transfer issues between processes using C programs, exposing the faulty commit. Changes in the pipe buffer code impacted data transfer efficiency, emphasizing the intricate nature of kernel development and software component interactions.
The weirdest QNX bug I've ever encountered
The author encountered a CPU usage bug in a QNX system's 'ps' utility due to a 15-year-old bug. Debugging revealed a race condition, leading to code modifications and a shift towards open-source solutions.
Dev rejects CVE severity, makes his GitHub repo read-only
The 'ip' project's developer, Fedor Indutny, made the GitHub repository read-only due to a disputed CVE report (CVE-2023-42282) about 'node-ip' misidentifying private IP addresses. This incident underscores challenges with inexperienced CVE filings.
OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011
CVE-2024-5535 is a historical OpenSSL vulnerability allowing buffer overreads, affecting Python and Node.js versions up to 3.9 and 9, respectively. Users should review usage of `SSL_select_next_proto`.
Our Audit of Homebrew
Trail of Bits audited Homebrew, identifying non-critical security issues like sandbox escapes and unauthorized modifications. Risks in CI/CD workflows could expose credentials, highlighting the need for improved security practices.
This is just generating CVE numbers for the sake of it.
The bug here is that unauthenticated users can change a setting that only an administrator should be able to. The maintainers acknowledged the bug and accepted a patch to fix it.
Is changing the temperature unit shown on a dashboard a serious problem? No. But it is a problem and one that could be classified as a security issue.
What's the point of the CVE assignment? Well, it creates a public record of this flaw and helps Pi-hole administrators make their own decisions (patch / ignore). It also puts the issue in the hands of other security researchers. For example, is there a possibility of using this vulnerability to conduct a DoS attack? I didn't test this and have moved on to other things, but others can.
Setting aside that the vulnerability doesn't actually allow that, isn't this potentially a Spectre / Meltdown vulnerability? This is an unprotected endpoint that conditionally executes code taken from user input. If the branch predictor can be trained to speculatively execute arbitrary code from the input, information could be extracted via endpoint timing using a similar methodology to Spectre or Meltdown, right?