Vulnerability Note VU#598349
Automatic DNS registration and proxy autodiscovery allow spoofing of network services
Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device.
The Web Proxy Automatic Discovery (WPAD) protocol is used to automatically provide proxy configuration information to devices on a network. Clients first issue a special DHCP request to obtain the proxy configuration; if no DHCP response is available, they fall back to DNS lookups of one of several standardized URLs that use the host name "wpad" within the local domain.
An attacker with local area network (LAN) access may be able to add a device named "wpad" to the network, which collides with a standardized WPAD DNS name. Many customer-premises home/office routers (including, but not limited to, Google Wifi and Ubiquiti UniFi) automatically register device names as DNS A records on the LAN, which may allow an attacker to use a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that uses WPAD.
An attacker, with access to the network, could add a malicious device to the network with the name "WPAD". This attacker may be able to utilize DNS auto-registration and auto-discovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of network activity.
Home/office LAN/WLAN routers should not auto-register, in their local DNS, "magic" names that belong to auto-configuration and auto-discovery features, and they should not accept mDNS-based names as authoritative sources.
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| ADTRAN | Affected | 18 Jul 2018 | 04 Sep 2018 |
| MikroTik | Affected | 18 Jul 2018 | 19 Sep 2018 |
| Synology | Affected | 18 Jul 2018 | 05 Sep 2018 |
| Ubiquiti Networks | Affected | 18 Jul 2018 | 06 Sep 2018 |
| Ceragon Networks Inc | Not Affected | 18 Jul 2018 | 22 Aug 2018 |
| Check Point Software Technologies | Not Affected | 18 Jul 2018 | 20 Jul 2018 |
| Juniper Networks | Not Affected | 18 Jul 2018 | 20 Jul 2018 |
| NLnet Labs | Not Affected | 18 Jul 2018 | 23 Jul 2018 |
| 3com Inc | Unknown | 18 Jul 2018 | 18 Jul 2018 |
| 8e6 Technologies | Unknown | 18 Jul 2018 | 18 Jul 2018 |
| A10 Networks | Unknown | 18 Jul 2018 | 18 Jul 2018 |
| ACCESS | Unknown | 18 Jul 2018 | 18 Jul 2018 |
| Actelis Networks | Unknown | 18 Jul 2018 | 18 Jul 2018 |
| Actiontec | Unknown | 18 Jul 2018 | 18 Jul 2018 |
| aep NETWORKS | Unknown | 18 Jul 2018 | 18 Jul 2018 |
This attack was found, tested and reported by Ossi Salmi, Mika Seppänen, Marko Laakso and Kasper Kyllönen of Arctic Security. We asked for the help of Jussi Eronen and Iikka Sovanto of NCSC-FI in reaching out to the vendor representatives.
This document was written by Laurie Tyzenhaus and Garret Wasserman.
- CVE IDs: Unknown
- Date Public: 05 Sep 2018
- Date First Published: 05 Sep 2018
- Date Last Updated: 19 Sep 2018
- Document Revision: 50