WPAD name collision bug opens door for MitM attackers

A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns.

“With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer is connected from a home or external network, WPAD DNS queries may be made in error to public DNS servers,” the organization explained.

“Attackers may exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.”

According to a group of University of Michigan and Verisign Labs researchers, 10 percent of domains routinely exposing a large number of potential victims have already been registered.

The query leakage problem is a result of settings on end user devices – WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers, and supported but not enabled by default on OS X and Linux-based operating systems, and Safari, Chrome, and Firefox browsers.

“The WPAD vulnerability is significant to corporate assets such as laptops. In some cases these assets are vulnerable even while at work but observations indicate that most assets become vulnerable when used outside an internal network (e.g. home networks, public Wi-Fi networks),” US-CERT pointed out, and offered a set of steps to take to mitigate the danger, including registering domains defensively to avoid future name collisions.

More advice for enterprise remediation can be had from this whitepaper.