
             AUSCERT External Security Bulletin Redistribution

                     WPAD Name Collision Vulnerability
                                24 May 2016


        AusCERT Security Bulletin Summary

Product:           Web Proxy Auto-Discovery
Publisher:         US-CERT
Operating System:  Windows
                   OS X
                   Linux variants
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Alert (TA16-144A)

WPAD Name Collision Vulnerability

Original release date: May 23, 2016

Systems Affected

Windows, OS X, Linux systems, and web browsers with WPAD enabled


Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are
intended for resolution on private or enterprise DNS servers have been
observed reaching public DNS servers [1]. In combination with the New generic
Top Level Domain (gTLD) program's incorporation of previously undelegated
gTLDs for public registration, leaked WPAD queries could result in domain name
collisions with internal network naming schemes [2] [3]. Collisions could be
abused by opportunistic domain registrants to configure an external proxy for
network traffic, allowing the potential for man-in-the-middle (MitM) attacks
across the Internet.


WPAD is a protocol used to ensure all systems in an organization utilize the 
same web proxy configuration. Instead of individually modifying configurations
on each device connected to a network, WPAD locates a proxy configuration file
and applies the configuration automatically.

The use of WPAD is enabled by default on all Microsoft Windows operating
systems and Internet Explorer browsers. WPAD is supported but not enabled by
default on Mac and Linux-based operating systems, as well as on the Safari,
Chrome, and Firefox browsers.

With the New gTLD program, previously undelegated gTLD strings are now being 
delegated for public domain name registration [3]. These strings may be used 
by private or enterprise networks, and in certain circumstances, such as when
a work computer is connected from a home or external network, WPAD DNS queries
may be made in error to public DNS servers. Attackers may exploit such leaked
WPAD queries by registering the leaked domain and setting up MitM proxy 
configuration files on the Internet.


Leaked WPAD queries could result in domain name collisions with internal 
network naming schemes. If an attacker registers a domain to answer leaked 
WPAD queries and configures a valid proxy, there is potential to conduct 
man-in-the-middle (MitM) attacks across the Internet.

The WPAD vulnerability is significant to corporate assets such as laptops. In
some cases these assets are vulnerable even while at work, but observations
indicate that most assets become vulnerable when used outside an internal
network (e.g. home networks, public Wi-Fi networks).


US-CERT encourages users and network administrators to implement the following
recommendations to provide a more secure and efficient network infrastructure:

Consider disabling automatic proxy discovery/configuration in browsers and 
operating systems during device setup if it will not be used for internal 

Consider using a fully qualified domain name (FQDN) from global DNS as the 
root for enterprise and other internal namespace.

Configure internal DNS servers to respond authoritatively to internal TLD 

Configure firewalls and proxies to log and block outbound requests for 
wpad.dat files.

Identify expected WPAD network traffic and monitor the public namespace or 
consider registering domains defensively to avoid future name collisions.

File a report with ICANN if your system is suffering demonstrably severe harm
as a consequence of name collision by visiting 
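
To illustrate the "identify expected WPAD network traffic" recommendation
above, here is a small Python checker (an added example, not code from the
US-CERT alert) that flags WPAD lookups sent to resolvers the enterprise does
not operate, or for names outside the namespace it owns. The log format,
IP addresses, resolver set and DNS suffix are all constructed for the example.

```python
"""Flag WPAD DNS lookups that left the enterprise.  Added example; the log
format, addresses and names are constructed, not from the US-CERT alert.
Adapt parse_line() to your resolver's real query-log format."""

# Constructed query log: "<utc-time> <client-ip> <resolver-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2016-05-23T08:01:02Z 10.20.1.7    10.20.0.2 wpad.corp.example.test A
2016-05-23T08:01:03Z 10.20.1.7    10.20.0.2 intranet.corp.example.test A
2016-05-23T19:22:10Z 192.168.1.23 8.8.8.8   wpad.corp.example.test A
2016-05-23T19:22:11Z 192.168.1.23 8.8.8.8   wpad.example.test A
2016-05-23T19:22:12Z 10.20.1.9    10.20.0.2 wpad.example.test A
2016-05-23T19:23:00Z 192.168.1.23 8.8.8.8   www.example.com A
"""

# Resolvers the enterprise operates and the DNS suffix it owns (constructed).
INTERNAL_RESOLVERS = {"10.20.0.2", "10.20.0.3"}
INTERNAL_SUFFIXES = ("corp.example.test",)

def parse_line(line):
    """Split one log line into (time, client, resolver, qname, qtype)."""
    time, client, resolver, qname, qtype = line.split()
    return time, client, resolver, qname.rstrip(".").lower(), qtype

def classify(time, client, resolver, qname):
    """Return (time, client, qname, reason) for a WPAD lookup that should
    not have happened, or None for benign traffic."""
    if qname.split(".")[0] != "wpad":
        return None  # not a WPAD lookup at all
    if resolver not in INTERNAL_RESOLVERS:
        # The query went to a public resolver: a roaming device leaked it.
        return (time, client, qname, "sent to external resolver " + resolver)
    if qname not in {"wpad." + s for s in INTERNAL_SUFFIXES}:
        # Name is outside the namespace we own; if that suffix is (or becomes)
        # a public gTLD, an outside registrant could answer it.
        return (time, client, qname, "outside internal namespace")
    return None

def leaked_wpad_queries(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            time, client, resolver, qname, _ = parse_line(line)
            hit = classify(time, client, resolver, qname)
            if hit:
                findings.append(hit)
    return findings
```

The same two tests (wrong resolver, wrong namespace) apply equally to proxy
or firewall logs of outbound wpad.dat requests.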


[1] Verisign MitM Attack by Name Collision: Cause Analysis and Vulnerability
Assessment in the New gTLD Era

[2] ICANN Name Collision Resources & Information

[3] ICANN New gTLDs

[4] US-CERT Controlling Outbound DNS Access


May 23, 2016: Initial Release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.