Threat Update: WPAD Name Collision Vulnerability
May 24, 2016
Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers. In combination with the New generic Top Level Domain (gTLD) program’s incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in domain name collisions with internal network naming schemes. Opportunistic domain registrants could take advantage of these collisions and configure an external proxy for network traffic, allowing the potential for man-in-the-middle (MitM) attacks across the Internet.
This vulnerability impacts Windows, OS X, Linux systems, and web browsers with WPAD enabled. WPAD is a protocol used to ensure all systems in an organization utilize the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically.
The use of WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. WPAD is supported but not enabled by default on Mac and Linux-based operating systems, as well as in the Safari, Chrome, and Firefox browsers.
The WPAD vulnerability is significant to corporate assets such as laptops. In some cases these assets are vulnerable even while at work, but observations indicate that most assets become vulnerable when used outside an internal network (e.g. home networks, public Wi-Fi networks).
Users and network administrators should implement the following recommendations to provide a more secure and efficient network infrastructure:
- Consider disabling automatic proxy discovery/configuration in browsers and operating systems during device setup if it will not be used for internal networks.
- Consider using a fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespace.
- Configure internal DNS servers to respond authoritatively to internal TLD queries.
- Configure firewalls and proxies to log and block outbound requests for wpad.dat files.
- Identify expected WPAD network traffic and monitor the public namespace or consider registering domains defensively to avoid future name collisions.
- File a report with ICANN at https://forms.icann.org/en/help/name-collision/report-problems if your system is suffering demonstrably severe harm as a consequence of name collision.
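As an added illustration of the logging and monitoring recommendations above (not code from the advisory or from Herjavec Group), the following Python script scans constructed BIND-style DNS query log lines and Squid-style proxy access log lines, flagging WPAD lookups that fall outside the enterprise namespace and wpad.dat downloads from external hosts. The internal root "corp.example.com", the client addresses and the log lines are all assumed sample values.

```python
import re
from urllib.parse import urlsplit
# Constructed sample logs (not from the advisory): BIND-style DNS query log lines
# and Squid-style proxy access log lines from an imagined enterprise edge.
DNS_LOG = """\
24-May-2016 09:01:12.001 client 10.1.4.22#51233: query: wpad.corp.example.com IN A + (10.1.0.5)
24-May-2016 09:01:13.115 client 10.1.4.22#51234: query: wpad.corp IN A + (10.1.0.5)
24-May-2016 09:01:14.220 client 10.1.4.23#51235: query: www.example.org IN A + (10.1.0.5)
24-May-2016 09:01:15.330 client 10.1.4.24#51236: query: WPAD.global. IN A + (10.1.0.5)
"""
PROXY_LOG = """\
1464080472.001 12 10.1.4.22 TCP_MISS/200 1843 GET http://wpad.corp.example.com/wpad.dat - HIER_DIRECT/10.1.0.9 application/x-ns-proxy-autoconfig
1464080473.115 40 10.1.4.24 TCP_MISS/200 921 GET http://wpad.global/wpad.dat - HIER_DIRECT/203.0.113.7 application/x-ns-proxy-autoconfig
1464080474.220 8 10.1.4.23 TCP_HIT/200 5120 GET http://www.example.org/index.html - HIER_NONE/- text/html
"""
# Assumed internal namespace root (placeholder): the advisory recommends rooting
# internal names under a globally registered FQDN so that leaked lookups cannot collide.
INTERNAL_ROOT = "corp.example.com"
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")
PROXY_RE = re.compile(r"^\S+ \d+ (?P<client>[\d.]+) \S+ \d+ \S+ (?P<url>\S+)")

def is_internal(name, root=INTERNAL_ROOT):
    """True if a DNS name lies at or under the enterprise root (case and trailing-dot insensitive)."""
    name, root = name.lower().rstrip("."), root.lower().rstrip(".")
    return name == root or name.endswith("." + root)

def leaked_wpad_queries(dns_log, root=INTERNAL_ROOT):
    """WPAD lookups whose name is outside the internal root: if the resolver forwards
    them to public DNS they can land on a newly delegated gTLD (e.g. wpad.global)."""
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m:
            qname = m.group("qname").lower().rstrip(".")
            if qname.split(".")[0] == "wpad" and not is_internal(qname, root):
                hits.append((m.group("client"), qname))
    return hits

def external_wpad_fetches(proxy_log, root=INTERNAL_ROOT):
    """wpad.dat downloads from hosts outside the internal root; the advisory says to
    log and block these at the firewall or proxy."""
    hits = []
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if m:
            parts = urlsplit(m.group("url"))
            host = parts.hostname or ""
            if parts.path.lower().endswith("/wpad.dat") and not is_internal(host, root):
                hits.append((m.group("client"), host))
    return hits
```

Each flagged (client, name) pair points at a device whose proxy discovery is wandering outside the enterprise namespace and should be checked against the expected WPAD traffic baseline.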
Herjavec Group circulates US-CERT advisories as this notification warrants attention and may have significance to your Enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.