CERT/CC Vulnerability Note VU#598349

Overview

Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device.

Description

The Web Proxy Automatic Discovery (WPAD) protocol is used to automatically provide proxy configuration information to devices on a network. Clients issue a special DHCP request to obtain the information for the proxy configuration, but will fall back on a DNS request to one of several standardized URLs making use of the subdomain name of “wpad” if a DHCP response is unavailable.

An attacker with local area network (LAN) access may be able to add a device with the name “wpad” to the network, which may produce a collision with a standardized WPAD DNS name. Many customer premise home/office routers (including, but not limited to, Google Wifi and Ubiquiti UniFi) automatically register device names as DNS A records on the LAN, which may allow an attacker to utilize a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that utilizes WPAD.

Other autodiscovery names such as ISATAP may also be exploitable.

Impact

An attacker, with access to the network, could add a malicious device to the network with the name "WPAD". This attacker may be able to utilize DNS auto-registration and auto-discovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of network activity.

Solution

Home/office LAN/WLAN routers should not auto-register to their local DNS magic names related to auto-configuration and auto-discovery features should not accept mDNS based names as authoritative sources.

Apply the vendor patch.

Vendor Information

598349

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

ADTRAN Affected

MikroTik Affected

Pi-Hole Affected

Synology Affected

TippingPoint Technologies Inc. Affected

Ubiquiti Networks Affected

Ceragon Networks Inc Not Affected

Check Point Software Technologies Not Affected

Juniper Networks Not Affected

NLnet Labs Not Affected

3com Inc Unknown

8e6 Technologies Unknown

A10 Networks Unknown

ACCESS Unknown

ANTlabs Unknown

ARRIS Unknown

ASP Linux Unknown

AT&T Unknown

AVM GmbH Unknown

Actelis Networks Unknown

Actiontec Unknown

Aerohive Unknown

AhnLab Inc Unknown

AirWatch Unknown

Akamai Technologies, Inc. Unknown

Alcatel-Lucent Enterprise Unknown

Alpha Networks Inc Unknown

Alpine Linux Unknown

Alvarion Unknown

Amazon Unknown

Android Open Source Project Unknown

Aperto Networks Unknown

Appgate Network Security Unknown

Apple Unknown

Arch Linux Unknown

Arista Networks, Inc. Unknown

Aruba Networks Unknown

AsusTek Computer Inc. Unknown

Atheros Communications, Inc. Unknown

Avaya, Inc. Unknown

Barnes and Noble Unknown

Barracuda Networks Unknown

Belkin, Inc. Unknown

Bell Canada Enterprises Unknown

Bit9 Unknown

BlackBerry Unknown

Bloxx Ltd Unknown

Blue Coat Systems Unknown

BlueCat Networks, Inc. Unknown

Blunk Microsystems Unknown

Broadcom Unknown

Brocade Communication Systems Unknown

BullGuard Unknown

CA Technologies Unknown

CMX Systems Unknown

Cambium Networks Unknown

CentOS Unknown

Cirpack Unknown

Cisco Unknown

Comcast Unknown

Command Software Systems Unknown

Contiki OS Unknown

CoreOS Unknown

Cradlepoint Unknown

Cricket Wireless Unknown

D-Link Systems, Inc. Unknown

Debian GNU/Linux Unknown

Dell Unknown

Dell EMC Unknown

Dell SecureWorks Unknown

DesktopBSD Unknown

Deutsche Telekom Unknown

Devicescape Unknown

Digi International Unknown

DragonFly BSD Project Unknown

ENEA Unknown

EfficientIP SAS Unknown

Ericsson Unknown

Espressif Systems Unknown

European Registry for Internet Domains Unknown

Express Logic Unknown

Extreme Networks Unknown

F-Secure Corporation Unknown

F5 Networks, Inc. Unknown

Fastly Unknown

Fedora Project Unknown

Force10 Networks Unknown

Fortinet, Inc. Unknown

Foundry Brocade Unknown

FreeBSD Project Unknown

GFI Software, Inc. Unknown

GNU adns Unknown

GNU glibc Unknown

Geexbox Unknown

Gentoo Linux Unknown

Google Unknown

HP Inc. Unknown

HTC Unknown

HardenedBSD Unknown

Hewlett Packard Enterprise Unknown

Hitachi Unknown

HomeSeer Unknown

Honeywell Unknown

Huawei Technologies Unknown

IBM Corporation (zseries) Unknown

IBM Global Services Unknown

IBM eServer Unknown

IBM, INC. Unknown

INTEROP Unknown

Illumos Unknown

InfoExpress, Inc. Unknown

Infoblox Unknown

Inmarsat Unknown

Intel Unknown

Internet Systems Consortium Unknown

Internet Systems Consortium - DHCP Unknown

Interniche Technologies, inc. Unknown

JH Software Unknown

Joyent Unknown

Kyocera Communications Unknown

LANCOM Systems GmbH Unknown

LG Electronics Unknown

Lancope Unknown

Lantronix Unknown

Lenovo Unknown

Linksys Unknown

Lynx Software Technologies Unknown

Marvell Semiconductors Unknown

McAfee Unknown

MediaTek Unknown

Medtronic Unknown

Men & Mice Unknown

MetaSwitch Unknown

Micro Focus Unknown

Microchip Technology Unknown

Microsoft Unknown

Microsoft Vulnerability Research Unknown

Miredo Unknown

Mitel Networks, Inc. Unknown

MontaVista Software, Inc. Unknown

Motorola, Inc. Unknown

Muonics, Inc. Unknown

NAS4Free Unknown

NEC Corporation Unknown

NETSCOUT Unknown

NIKSUN Unknown

NetBSD Unknown

NetBurner Unknown

Netgear, Inc. Unknown

Nexenta Unknown

Nixu Unknown

Nokia Unknown

Nominum Unknown

OmniTI Unknown

OpenBSD Unknown

OpenConnect Unknown

OpenDNS Unknown

OpenIndiana Unknown

Openwall GNU/*/Linux Unknown

Oracle Corporation Unknown

Oryx Embedded Unknown

PHPIDS Unknown

Paessler Unknown

Pantech North America Unknown

Peplink Unknown

Philips Electronics Unknown

PowerDNS Unknown

Proxim, Inc. Unknown

Pulse Secure Unknown

QLogic Unknown

QNX Software Systems Inc. Unknown

QUALCOMM Incorporated Unknown

Quadros Systems Unknown

Quagga Unknown

Quantenna Communications Unknown

Red Hat, Inc. Unknown

ReefEdge, Inc. Unknown

Riverbed Technologies Unknown

Rocket RTOS Unknown

Roku Unknown

Ruckus Wireless Unknown

SMC Networks, Inc. Unknown

SUSE Linux Unknown

SafeNet Unknown

Samsung Mobile Unknown

Samsung Semiconductor Inc. Unknown

Secure64 Software Corporation Unknown

Sierra Wireless Unknown

Slackware Linux Inc. Unknown

Snort Unknown

SonicWall Unknown

Sonos Unknown

Sony Corporation Unknown

Sophos, Inc. Unknown

Sourcefire Unknown

Sybase Unknown

Symantec Unknown

TCPWave Unknown

TP-LINK Unknown

Technicolor Unknown

The Open Group Unknown

The SCO Group (SCO Unix) Unknown

Tizen Unknown

Toshiba Commerce Solutions Unknown

TrueOS Unknown

Turbolinux Unknown

Ubuntu Unknown

Unisys Unknown

VMware Unknown

Vertical Networks, Inc. Unknown

Wind River Unknown

WizNET Technology Unknown

Xiaomi Unknown

Xilinx Unknown

Zebra Technologies Unknown

Zephyr Project Unknown

ZyXEL Unknown

aep NETWORKS Unknown

dnsmasq Unknown

eero Unknown

gdnsd Unknown

iPass Inc Unknown

m0n0wall Unknown

netsnmp Unknown

netsnmpj Unknown

pfSENSE Unknown

View all 226 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	0	AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal	0	E:ND/RL:ND/RC:ND
Environmental	0	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This attack was found, tested and reported by Ossi Salmi, Mika Seppänen, Marko Laakso and Kasper Kyllönen of Arctic Security. We asked help of Jussi Eronen and Iikka Sovanto of NCSC-FI in reaching out the vendor representatives.

This document was written by Laurie Tyzenhaus and Garret Wasserman.

Other Information

CVE IDs:	CVE-2017-11903, CVE-2017-11810, CVE-2017-11793, CVE-2017-11890, CVE-2017-11907, CVE-2017-11906, CVE-2017-11855
Date Public:	2018-09-05
Date First Published:	2018-09-05
Date Last Updated:	2018-10-23 17:34 UTC
Document Revision:	59

Software Engineering Institute

CERT Coordination Center

Automatic DNS registration and proxy autodiscovery allow spoofing of network services

Vulnerability Note VU#598349