-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1292
                     WPAD Name Collision Vulnerability
                                24 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Web Proxy Auto-Discovery
Publisher:         US-CERT
Operating System:  Windows
                   OS X
                   Linux variants
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   https://www.us-cert.gov/ncas/alerts/TA16-144A

- --------------------------BEGIN INCLUDED TEXT--------------------

Alert (TA16-144A)

WPAD Name Collision Vulnerability

Original release date: May 23, 2016

Systems Affected

Windows, OS X, Linux systems, and web browsers with WPAD enabled

Overview

Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are 
intended for resolution on private or enterprise DNS servers have been 
observed reaching public DNS servers [1]. In combination with the New generic 
Top Level Domain (gTLD) program's incorporation of previously undelegated 
gTLDs for public registration, leaked WPAD queries could result in domain 
name collisions with internal network naming schemes [2] [3]. Collisions 
could be abused by opportunistic domain registrants to configure an external 
proxy for network traffic, allowing the potential for man-in-the-middle 
(MitM) attacks across the Internet.

Description

WPAD is a protocol used to ensure all systems in an organization utilize the 
same web proxy configuration. Instead of individually modifying configurations
on each device connected to a network, WPAD locates a proxy configuration file
and applies the configuration automatically.

The use of WPAD is enabled by default on all Microsoft Windows operating 
systems and Internet Explorer browsers. WPAD is supported but not enabled by 
default on Mac and Linux-based operating systems, as well as in the Safari, 
Chrome, and Firefox browsers.

With the New gTLD program, previously undelegated gTLD strings are now being 
delegated for public domain name registration [3]. These strings may be used 
by private or enterprise networks, and in certain circumstances, such as when
a work computer is connected from a home or external network, WPAD DNS queries
may be made in error to public DNS servers. Attackers may exploit such leaked
WPAD queries by registering the leaked domain and setting up MitM proxy 
configuration files on the Internet.

Impact

Leaked WPAD queries could result in domain name collisions with internal 
network naming schemes. If an attacker registers a domain to answer leaked 
WPAD queries and configures a valid proxy, there is potential to conduct 
man-in-the-middle (MitM) attacks across the Internet.

The WPAD vulnerability is significant to corporate assets such as laptops. In
some cases these assets are vulnerable even while at work, but observations 
indicate that most assets become vulnerable when used outside an internal 
network (e.g. home networks, public Wi-Fi networks).

Solution

US-CERT encourages users and network administrators to implement the following
recommendations to provide a more secure and efficient network infrastructure:

Consider disabling automatic proxy discovery/configuration in browsers and 
operating systems during device setup if it will not be used for internal 
networks.

Consider using a fully qualified domain name (FQDN) from global DNS as the 
root for enterprise and other internal namespace.

Configure internal DNS servers to respond authoritatively to internal TLD 
queries.

Configure firewalls and proxies to log and block outbound requests for 
wpad.dat files.

Identify expected WPAD network traffic and monitor the public namespace or 
consider registering domains defensively to avoid future name collisions.

File a report with ICANN if your system is suffering demonstrably severe harm
as a consequence of name collision by visiting 
https://forms.icann.org/en/help/name-collision/report-problems.
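As an added illustration of the logging and monitoring recommendations above
(example code, not part of the US-CERT alert): a small detector that flags WPAD
lookups which have left an assumed enterprise namespace, marks those already
answered from outside the enterprise's address ranges as collisions, and lists
outbound wpad.dat fetches. The log formats, the corp.example.com suffix and the
address ranges are assumptions; all sample log lines are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver log lines: "<timestamp> <client> <qname> <answer>"
DNS_LOG = """\
2016-05-23T08:01:02 10.1.4.7 wpad.corp.example.com. 10.1.0.5
2016-05-23T08:01:03 10.1.4.7 wpad.example.com NXDOMAIN
2016-05-23T08:02:10 192.168.1.20 wpad.corp 203.0.113.9
2016-05-23T08:03:00 10.1.4.9 mail.corp.example.com 10.1.0.6
"""
# Constructed proxy/firewall log lines: "<timestamp> <client> <method> <url>"
PROXY_LOG = """\
2016-05-23T08:02:12 192.168.1.20 GET http://wpad.corp/wpad.dat
2016-05-23T08:03:05 10.1.4.9 GET https://www.example.com/index.html
2016-05-23T08:03:30 10.1.4.9 GET http://wpad.example.com:8080/WPAD.DAT
"""
# Assumed enterprise namespace (owned in global DNS, served authoritatively)
# and address space; a WPAD answer outside both came from someone else.
INTERNAL_SUFFIXES = ("corp.example.com",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def leaked_wpad_queries(log, suffixes=INTERNAL_SUFFIXES, nets=INTERNAL_NETS):
    """(client, name, status) for WPAD lookups outside the enterprise namespace;
    status is "collision" if an outside address already answers, else "leak"."""
    findings = []
    for line in log.splitlines():
        _ts, client, qname, answer = line.split()
        name = qname.rstrip(".").lower()
        if not name.startswith("wpad.") or any(
                name.endswith("." + s) for s in suffixes):
            continue
        status = "leak"
        try:
            ip = ipaddress.ip_address(answer)
            if not any(ip in net for net in nets):
                status = "collision"
        except ValueError:  # NXDOMAIN or another non-address answer
            pass
        findings.append((client, name, status))
    return findings

def outbound_wpad_fetches(log):
    """(client, host) for every outbound request of a wpad.dat file."""
    hits = []
    for line in log.splitlines():
        _ts, client, _method, url = line.split()
        parsed = urlparse(url)
        if parsed.path.lower().endswith("/wpad.dat"):
            hits.append((client, parsed.hostname))
    return hits
```

A "leak" finding shows a name worth registering defensively or serving authoritatively before anyone else does; a "collision" finding means a host outside the enterprise is already answering that WPAD name.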

References

[1] Verisign MitM Attack by Name Collision: Cause Analysis and Vulnerability 
Assessment in the New gTLD Era

[2] ICANN Name Collision Resources & Information

[3] ICANN New gTLDs

[4] US-CERT Controlling Outbound DNS Access

Revisions

May 23, 2016: Initial Release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----