CVE-2024-44069 is a vulnerability affecting Pi-hole versions prior to 6, where the web dashboard's temperature unit setting can be changed by any unauthenticated user via the admin/api.php?setTempUnit= API call. Pi-hole is a popular network-level ad and tracker blocking application that provides a web interface for monitoring and configuration. The vulnerability stems from a lack of authentication enforcement on this specific API endpoint, allowing remote attackers to alter the temperature unit displayed on the dashboard (switching between Celsius, Fahrenheit, or Kelvin) without any credentials. Although the supplier does not consider this a security issue, the ability to modify dashboard settings arbitrarily represents a violation of integrity (CWE-862: Missing Authorization). The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) indicates that the vulnerability is remotely exploitable over the network with low attack complexity, no privileges or user interaction required, and impacts integrity but not confidentiality or availability. No patches or mitigations have been published at the time of disclosure, and there are no known exploits in the wild. This vulnerability does not directly expose sensitive data or disrupt service but could be used as part of a broader attack chain or to undermine user trust in the dashboard's accuracy.

The primary impact of CVE-2024-44069 is on the integrity of the Pi-hole web dashboard's displayed information. By allowing unauthenticated users to change the temperature unit setting, attackers can cause confusion or mistrust in the dashboard's data presentation. While this does not compromise confidential information or availability of the service, it represents an unauthorized modification of system settings. In environments where Pi-hole is used for network-wide DNS filtering and monitoring, such unauthorized changes could be a vector for social engineering or misdirection attacks. Additionally, this vulnerability highlights a potential security design flaw that might indicate other endpoints could be similarly exposed, increasing the risk of further exploitation. Organizations relying on Pi-hole for network security and monitoring should consider the risk of unauthorized configuration changes and the potential for attackers to leverage this as part of multi-stage attacks.

Until an official patch is released, organizations should consider the following mitigations: 1) Restrict network access to the Pi-hole web interface by limiting it to trusted IP addresses or VPN access only, preventing unauthorized external access to the API endpoint. 2) Implement web application firewall (WAF) rules to detect and block requests to admin/api.php with the setTempUnit parameter from untrusted sources. 3) Monitor Pi-hole logs for unusual or repeated requests to the temperature unit setting endpoint to detect potential exploitation attempts. 4) Review and harden Pi-hole configuration and access controls, ensuring that the dashboard is not exposed to the public internet. 5) Stay informed on vendor updates and apply patches promptly once available. 6) Consider deploying network segmentation to isolate Pi-hole servers from general user networks to reduce attack surface. These steps go beyond generic advice by focusing on access control and monitoring specific to the vulnerable API endpoint.