Vulnerability Note VU#598349

Automatic DNS registration and proxy autodiscovery allow spoofing of network services

Original Release date: 05 Sep 2018 | Last revised: 19 Sep 2018

Overview

Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device.

Description

The Web Proxy Automatic Discovery (WPAD) protocol is used to automatically provide proxy configuration information to devices on a network. Clients first issue a special DHCP request to obtain the proxy configuration; if no DHCP response is available, they fall back to a DNS request for one of several standardized URLs that use the subdomain name “wpad”.

An attacker with local area network (LAN) access may be able to add a device with the name “wpad” to the network, which may collide with a standardized WPAD DNS name. Many customer-premises home/office routers (including, but not limited to, Google Wifi and Ubiquiti UniFi) automatically register device names as DNS A records on the LAN, which may allow an attacker to use a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that uses WPAD.

Other autodiscovery names such as ISATAP may also be exploitable.

Impact

An attacker, with access to the network, could add a malicious device to the network with the name "WPAD". This attacker may be able to utilize DNS auto-registration and auto-discovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of network activity.

Solution

Home/office LAN/WLAN routers should not auto-register, into their local DNS, magic names related to auto-configuration and auto-discovery features, and should not accept mDNS-based names as authoritative sources.

Apply the vendor patch.
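To make the description and the solution above concrete, the following is an added example (not code from the CERT note or from any vendor). It derives the DNS names a WPAD client queries during DNS fallback, filters DHCP client hostnames before they would be published as local A records, and audits an existing zone for already-registered magic names; all sample data is constructed.

```python
"""Defender-side checks for the WPAD/ISATAP auto-registration issue."""

# Hostnames that clients resolve automatically; a router must never
# create these from an untrusted DHCP or mDNS hostname (constructed list
# based on the names the advisory mentions).
MAGIC_NAMES = frozenset({"wpad", "isatap"})


def wpad_candidates(client_fqdn, min_labels=2):
    """Names a WPAD client tries during DNS fallback, walking up the
    domain hierarchy from its own FQDN. min_labels stops the walk before
    the TLD, since a query for wpad.<tld> leaves the local network."""
    labels = client_fqdn.rstrip(".").lower().split(".")[1:]
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def filter_registrations(leases):
    """Split DHCP client hostnames (hostname -> IP) into those safe to
    publish in local DNS and those rejected because their leftmost label
    collides with an auto-discovery name. Returns (accepted, rejected)."""
    accepted, rejected = {}, {}
    for hostname, ip in leases.items():
        label = hostname.strip().rstrip(".").lower().split(".")[0]
        if label in MAGIC_NAMES:
            rejected[hostname] = ip
        else:
            accepted[hostname] = ip
    return accepted, rejected


def audit_zone(zone):
    """Return records of an existing local zone (name -> IP) whose
    leftmost label is a magic name, i.e. collisions already present."""
    return sorted((name, ip) for name, ip in zone.items()
                  if name.lower().split(".")[0] in MAGIC_NAMES)


if __name__ == "__main__":
    # Constructed sample leases, not taken from the advisory.
    leases = {"laptop-01": "192.168.1.10", "WPAD": "192.168.1.66",
              "isatap.lan": "192.168.1.67", "printer": "192.168.1.20"}
    ok, bad = filter_registrations(leases)
    print("would register:", ok)
    print("rejected (magic names):", bad)
    print("client pc.sales.example.com would query:",
          wpad_candidates("pc.sales.example.com"))
```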

Vendor Information

Vendor                               Status        Date Notified  Date Updated
ADTRAN                               Affected      18 Jul 2018    04 Sep 2018
MikroTik                             Affected      18 Jul 2018    19 Sep 2018
Synology                             Affected      18 Jul 2018    05 Sep 2018
Ubiquiti Networks                    Affected      18 Jul 2018    06 Sep 2018
Ceragon Networks Inc                 Not Affected  18 Jul 2018    22 Aug 2018
Check Point Software Technologies    Not Affected  18 Jul 2018    20 Jul 2018
Juniper Networks                     Not Affected  18 Jul 2018    20 Jul 2018
NLnet Labs                           Not Affected  18 Jul 2018    23 Jul 2018
3com Inc                             Unknown       18 Jul 2018    18 Jul 2018
8e6 Technologies                     Unknown       18 Jul 2018    18 Jul 2018
A10 Networks                         Unknown       18 Jul 2018    18 Jul 2018
ACCESS                               Unknown       18 Jul 2018    18 Jul 2018
Actelis Networks                     Unknown       18 Jul 2018    18 Jul 2018
Actiontec                            Unknown       18 Jul 2018    18 Jul 2018
aep NETWORKS                         Unknown       18 Jul 2018    18 Jul 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           0.0    AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal       0.0    E:ND/RL:ND/RC:ND
Environmental  0.0    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

This attack was found, tested and reported by Ossi Salmi, Mika Seppänen, Marko Laakso and Kasper Kyllönen of Arctic Security. We asked for help from Jussi Eronen and Iikka Sovanto of NCSC-FI in reaching out to the vendor representatives.

This document was written by Laurie Tyzenhaus and Garret Wasserman.

Other Information

  • CVE IDs: Unknown
  • Date Public: 05 Sep 2018
  • Date First Published: 05 Sep 2018
  • Date Last Updated: 19 Sep 2018
  • Document Revision: 50

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.