Description
If an attacker with access to the network adds a malicious device to the network with the name 'wpad', the attacker may be able to utilize DNS auto-registration and proxy auto-discovery to act as a proxy for victims on the network, resulting in the loss of confidentiality and integrity for any network activity.
CERT/CC Vulnerability Note
Affected Products
| Product Family | Severity | Notes |
|---|
NetVanta 600 Series NetVanta 1000 Series NetVanta 3000 Series NetVanta 4000 Series NetVanta 5000 Series NetVanta 6000 Series Total Access 900/900e Series | High | Only affected if the device is functioning as a DHCP server and the DNS proxy is enabled. |
414RG ONT 424RG ONT 434RG ONT | High | |
| SDX 810-RG | High | |
Mitigating Factors & Recommended Actions
| Product Family | Mitigating Factors | Recommended Actions |
|---|
| All | None | No actions to mitigate are available. |
Resolution
| Product Family | Resolution |
|---|
NetVanta 600 Series NetVanta 1000 Series NetVanta 3000 Series NetVanta 4000 Series NetVanta 5000 Series NetVanta 6000 Series Total Access 900/900e Series | Upgrade to AOS R13.2.2 or later to prevent 'wpad' and 'isatap' from being registered to the DNS proxy. R13.3.0 and R13.3.1 were released prior to R13.2.2 and do not contain the change in behavior. |
414RG ONT 424RG ONT 434RG ONT | Upgrade to ONT Release 9.11.0.1 or later, which prevent 'wpad' and 'isatap' from being registered to the DNS proxy. |
| SDX 810-RG | Upgrade to Release 4.1.3 or later, which prevent 'wpad' and 'isatap' from being registered to the DNS proxy. |
Revision History
- Revision C (2018-11-06): ONT Release 9.11.0.1 and SDX 810-RG Release 4.1.3 have been released and are now available for download.
- Revision B (2018-10-19): Removed the "under investigation" note because all investigations are complete. Also updated the planned release dates for the ONT 9.11.0.1 and SDX 810-RG 4.1.3 releases.
- Revision A (2018-09-05): Initial Release
