Lucene search

CERTVU:598349

HistorySep 05, 2018 - 12:00 a.m.

Automatic DNS registration and proxy autodiscovery allow spoofing of network services

2018-09-0500:00:00

www.kb.cert.org

713

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.947 High

EPSS

Percentile

99.2%

JSON

Overview

Automatic DNS registration and autodiscovery functionality provides an opportunity for the misconfiguration of networks, resulting in a loss of confidentiality and integrity of the network if an attacker on the network adds a specially configured proxy device.

Description

The Web Proxy Automatic Discovery (WPAD) protocol is used to automatically provide proxy configuration information to devices on a network. Clients issue a special DHCP request to obtain the information for the proxy configuration, but will fall back on a DNS request to one of several standardized URLs making use of the subdomain name of “wpad” if a DHCP response is unavailable.

An attacker with local area network (LAN) access may be able to add a device with the name “wpad” to the network, which may produce a collision with a standardized WPAD DNS name. Many customer premise home/office routers (including, but not limited to, Google Wifi and Ubiquiti UniFi) automatically register device names as DNS A records on the LAN, which may allow an attacker to utilize a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that utilizes WPAD.

Other autodiscovery names such as ISATAP may also be exploitable.

Impact

An attacker, with access to the network, could add a malicious device to the network with the name “WPAD”. This attacker may be able to utilize DNS auto-registration and auto-discovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and integrity of network activity.

Solution

Home/office LAN/WLAN routers should not auto-register to their local DNS magic names related to auto-configuration and auto-discovery features should not accept mDNS based names as authoritative sources.

Apply the vendor patch.

Vendor Information

598349

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

ADTRAN __ Affected

Notified: July 18, 2018 Updated: September 04, 2018

Statement Date: August 30, 2018

Status

Affected

Vendor Statement

ADTRAN has affected products and their advisory will be available at the vendor web site.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

<https://supportforums.adtran.com/docs/DOC-9269>

Synology has released updates to our majority products for fixing the vulnerability:
List of affected products:`` ``<https://www.synology.com/en-global/support/security/Synology_SA_18_53>
- DSM 6.2.1-23824 (<https://www.synology.com/en-us/releaseNote/FS3017>)
- SRM 1.1.7-6941-2 (<https://www.synology.com/en-us/releaseNote/RT2600ac>)

We will publish a security advisory after public disclosure. Thank you.

- Synology Security Team.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23598349 Feedback>).

TippingPoint Technologies Inc. __ Affected

Notified: July 18, 2018 Updated: October 23, 2018

Statement Date: October 08, 2018

Status

Affected

Vendor Statement

`The WPAD attack mechanism is not filterable by TippingPoint.However, the Jscript payload is filterable.

Here is the list of JS vulnerabilities from Project Zero

The WPAD attack mechanism is not filterable by TippingPoint. However, the Jscript payload is filterable.

Here is the list of JS vulnerabilities from Project Zero + our filters

| Google ID | CVE | SigKB |

| 1376 | CVE-2017-11903 | 30079 |
| 1340 | CVE-2017-11810 | 29707 |
| 1381 | CVE-2017-11793 | 29705 |
| 1369 | CVE-2017-11890 | 30068 |
| 1383 | CVE-2017-11907 | 30081 |
| 1378 | CVE-2017-11855 | 29918 |
| 1382 | CVE-2017-11906 | - |
---------------------------------------`

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubiquiti Networks __ Affected

Notified: July 18, 2018 Updated: September 06, 2018

Statement Date: September 05, 2018

Status

Affected

Vendor Statement

The recently launched UniFi Security Gateway firmware (4.4.28) that fix the vulnerability “VU#598349”:

<https://community.ubnt.com/t5/UniFi-Updates-Blog/USG-Firmware-v4-4-28-now-available/ba-p/2482349>.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

<https://community.ubnt.com/t5/UniFi-Updates-Blog/USG-Firmware-v4-4-28-now-available/ba-p/2482349>

View all 226 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	0	AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal	0	E:ND/RL:ND/RC:ND
Environmental	0	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This attack was found, tested and reported by Ossi Salmi, Mika Seppänen, Marko Laakso and Kasper Kyllönen of Arctic Security. We asked help of Jussi Eronen and Iikka Sovanto of NCSC-FI in reaching out the vendor representatives.

This document was written by Laurie Tyzenhaus and Garret Wasserman.