===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1292
                     WPAD Name Collision Vulnerability
                                24 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Web Proxy Auto-Discovery
Publisher:         US-CERT
Operating System:  Windows
                   OS X
                   Linux variants
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   https://www.us-cert.gov/ncas/alerts/TA16-144A

--------------------------BEGIN INCLUDED TEXT--------------------

Alert (TA16-144A)
WPAD Name Collision Vulnerability

Original release date: May 23, 2016

Systems Affected

Windows, OS X, Linux systems, and web browsers with WPAD enabled

Overview

Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are
intended for resolution on private or enterprise DNS servers have been
observed reaching public DNS servers [1]. In combination with the New generic
Top Level Domain (gTLD) program's incorporation of previously undelegated
gTLDs for public registration, leaked WPAD queries could result in domain name
collisions with internal network naming schemes [2] [3]. Collisions could be
abused by opportunistic domain registrants to configure an external proxy for
network traffic, allowing the potential for man-in-the-middle (MitM) attacks
across the Internet.

Description

WPAD is a protocol used to ensure all systems in an organization utilize the
same web proxy configuration. Instead of individually modifying configurations
on each device connected to a network, WPAD locates a proxy configuration file
and applies the configuration automatically. The use of WPAD is enabled by
default on all Microsoft Windows operating systems and Internet Explorer
browsers.
WPAD is supported but not enabled by default on Mac and Linux-based operating
systems, as well as on the Safari, Chrome, and Firefox browsers.

With the New gTLD program, previously undelegated gTLD strings are now being
delegated for public domain name registration [3]. These strings may be used
by private or enterprise networks, and in certain circumstances, such as when
a work computer is connected from a home or external network, WPAD DNS queries
may be made in error to public DNS servers. Attackers may exploit such leaked
WPAD queries by registering the leaked domain and setting up MitM proxy
configuration files on the Internet.

Impact

Leaked WPAD queries could result in domain name collisions with internal
network naming schemes. If an attacker registers a domain to answer leaked
WPAD queries and configures a valid proxy, there is potential to conduct
man-in-the-middle (MitM) attacks across the Internet.

The WPAD vulnerability is significant to corporate assets such as laptops. In
some cases these assets are vulnerable even while at work, but observations
indicate that most assets become vulnerable when used outside an internal
network (e.g. home networks, public Wi-Fi networks).

Solution

US-CERT encourages users and network administrators to implement the following
recommendations to provide a more secure and efficient network infrastructure:

  * Consider disabling automatic proxy discovery/configuration in browsers and
    operating systems during device setup if it will not be used for internal
    networks.
  * Consider using a fully qualified domain name (FQDN) from global DNS as the
    root for enterprise and other internal namespace.
  * Configure internal DNS servers to respond authoritatively to internal TLD
    queries.
  * Configure firewalls and proxies to log and block outbound requests for
    wpad.dat files.
  * Identify expected WPAD network traffic and monitor the public namespace,
    or consider registering domains defensively to avoid future name
    collisions.
  * File a report with ICANN if your system is suffering demonstrably severe
    harm as a consequence of name collision by visiting
    https://forms.icann.org/en/help/name-collision/report-problems.

References

[1] Verisign MitM Attack by Name Collision: Cause Analysis and Vulnerability
    Assessment in the New gTLD Era
[2] ICANN Name Collision Resources & Information
[3] ICANN New gTLDs
[4] US-CERT Controlling Outbound DNS Access

Revisions

May 23, 2016: Initial Release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
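An added example, not part of the US-CERT alert or the AusCERT bulletin, in support of the "identify expected WPAD network traffic" and "log and block outbound requests for wpad.dat" recommendations above: it scans constructed resolver query-log lines and flags any wpad.* lookup whose suffix falls outside the enterprise's own namespace or that resolved to an address outside RFC 1918 space, the two signs that a WPAD query has left the internal network. The log format, the INTERNAL_SUFFIXES allow-list and the sample names and addresses are all assumptions made for this example.

```python
import ipaddress
import re

# Suffixes under which this enterprise legitimately serves WPAD (assumed allow-list).
INTERNAL_SUFFIXES = {"corp.example", "ad.example.com"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed query log: "<ts> query: <name> <type> from <client> answer: <ip|NXDOMAIN>"
SAMPLE_LOG = """\
2016-05-23T10:01:02Z query: wpad.corp.example A from 10.1.2.3 answer: 10.0.0.5
2016-05-23T10:01:05Z query: wpad.home-lab A from 10.1.2.9 answer: 203.0.113.7
2016-05-23T10:01:09Z query: wpad.ad.example.com A from 10.1.3.1 answer: NXDOMAIN
2016-05-23T10:02:00Z query: wpad.branch A from 192.168.5.2 answer: NXDOMAIN
2016-05-23T10:02:31Z query: intranet.corp.example A from 10.1.2.3 answer: 10.0.0.8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) query: (?P<name>\S+) (?P<qtype>\S+) "
                     r"from (?P<client>\S+) answer: (?P<answer>\S+)$")

def split_name(name):
    """Return (first_label, rest) of a lower-cased name with any trailing dot removed."""
    first, _, rest = name.lower().rstrip(".").partition(".")
    return first, rest

def outside_private_space(answer):
    """True for a resolvable answer that is not RFC 1918, loopback or link-local."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:          # NXDOMAIN or any other non-address answer
        return False
    return not (ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918))

def find_leaked_wpad(log_text):
    """Return (name, client, reason) for each WPAD lookup that looks like a leak."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label, suffix = split_name(m["name"])
        if label != "wpad":
            continue
        reasons = []
        if suffix not in INTERNAL_SUFFIXES:
            reasons.append(f"suffix {suffix!r} not in internal namespace")
        if outside_private_space(m["answer"]):
            reasons.append(f"answer {m['answer']} outside private address space")
        if reasons:
            findings.append((m["name"], m["client"], "; ".join(reasons)))
    return findings
```

Run against a real resolver or proxy log, the same check applied to hosts that later fetch http://wpad.<suffix>/wpad.dat gives the outbound wpad.dat requests the alert says to log and block.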