US-CERT: Domain name collision bug could result in MitM attacks
The DHS's U.S. Computer Emergency Readiness Team has issued an alert warning that a domain name collision involving WPAD could expose certain DNS queries to Man-in-the-Middle attacks.
The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert this week warning of a “domain name collision” bug that can cause certain DNS queries to be resolved by public DNS servers instead of private or enterprise ones, exposing organizations to Man-in-the-Middle (MitM) attacks.
The Department of Homeland Security (DHS) agency warned that DNS queries made by the Web Proxy Auto-Discovery protocol (WPAD), in combination with the newer, publicly registered generic top-level domains (gTLDs), can be erroneously resolved by a public DNS server: an internal DNS suffix that once had no counterpart on the Internet now collides with a delegated gTLD. This is especially likely when an employee connects a work computer to a home or other external network that does not serve the organization's WPAD configuration, because the WPAD lookups that would normally be answered by the enterprise's internal resolver are instead sent to public resolvers. According to US-CERT, “Attackers may exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.”
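The mechanism above, as an added illustration that is not part of the US-CERT alert or this article: a client looks up `wpad.<its DNS suffix>` and, with Windows search-list devolution, retries progressively shorter parent suffixes; the leak exists whenever one of those names ends in a TLD that is delegated in the public root, since an attacker can then register the second-level domain and answer the query. The script models the candidate names, reports which ones an attacker could register, and scans constructed resolver log lines for the same pattern. The devolution model (drop the leftmost label down to two labels), the gTLD subset, and the log line format are assumptions made for the example.

```python
"""Model of the WPAD name collision leak.

Constructed example; not code from US-CERT or the article's author.
Assumptions: search-list devolution strips the leftmost label until two
labels remain; DELEGATED_GTLDS is a small illustrative subset; the log
format parsed by flag_leaked_wpad_queries is invented for the sample.
"""
from __future__ import annotations

import re

# Assumption: an illustrative subset of delegated new gTLDs. A real check
# should be driven by the current IANA root zone rather than a fixed set.
DELEGATED_GTLDS = {"global", "network", "group", "office", "dev", "prod"}


def wpad_candidates(dns_suffix: str, min_labels: int = 2) -> list[str]:
    """Return the wpad.* names a client would try, longest suffix first.

    Models search-list devolution: the primary suffix is tried, then the
    leftmost label is dropped and the lookup retried, down to min_labels.
    """
    labels = dns_suffix.strip(".").lower().split(".")
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def tld_of(name: str) -> str:
    return name.rsplit(".", 1)[-1]


def registrable_domain(name: str) -> str:
    """Second-level domain under the TLD: what an attacker would register."""
    return ".".join(name.split(".")[-2:])


def leaking_candidates(dns_suffix: str, delegated=DELEGATED_GTLDS) -> dict[str, str]:
    """Map each candidate WPAD name that ends in a public gTLD to the domain
    an attacker would have to register to answer it. Empty dict means the
    suffix cannot collide with the public root (e.g. a non-delegated TLD)."""
    return {
        name: registrable_domain(name)
        for name in wpad_candidates(dns_suffix)
        if tld_of(name) in delegated
    }


# Assumed log format: "... client=<ip> query=<qname> type=<rrtype>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def flag_leaked_wpad_queries(log_lines, delegated=DELEGATED_GTLDS):
    """Scan resolver log lines for wpad.* queries whose TLD is a delegated
    public gTLD. Returns (client, qname, registrable_domain) tuples."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname.startswith("wpad.") and tld_of(qname) in delegated:
            hits.append((m.group("client"), qname, registrable_domain(qname)))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2016-05-23T10:01:02Z client=10.0.0.5 query=wpad.corp.example.global. type=A",
    "2016-05-23T10:01:02Z client=10.0.0.5 query=wpad.example.global. type=A",
    "2016-05-23T10:01:03Z client=10.0.0.7 query=wpad.corp.internal. type=A",
    "2016-05-23T10:01:04Z client=10.0.0.9 query=www.example.com. type=A",
    "2016-05-23T10:01:05Z client=10.0.0.5 query=wpad.branch.office. type=A",
]


if __name__ == "__main__":
    for name, domain in leaking_candidates("corp.example.global").items():
        print(f"{name} leaks to public DNS; attacker would register {domain}")
    for client, qname, domain in flag_leaked_wpad_queries(SAMPLE_LOG):
        print(f"{client} asked for {qname} (registrable: {domain})")
```

Run against an enterprise resolver's query log this flags devolved WPAD names that collide with a public gTLD; run against DNS telemetry from roaming endpoints it catches the leak itself. The same suffix with a non-delegated TLD (the `corp.internal` line above) is not flagged, because a public resolver returns NXDOMAIN from the root rather than forwarding the query to a registry anyone can register under.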
WPAD is enabled by default in Windows and on Internet Explorer, and is supported by the other major operating systems and browsers. The US-CERT alert includes recommendations to defend against this vulnerability.