ADTSA-201804: Problems with automatic DNS registration and autodiscovery

Version 22

    Description

    If an attacker with access to the network adds a malicious device to the network with the name 'wpad', the attacker may be able to utilize DNS auto-registration and proxy auto-discovery to act as a proxy for victims on the network, resulting in the loss of confidentiality and integrity for any network activity.

     

    CERT/CC Vulnerability Note

     

    Affected Products

    Product Family | Severity | Notes
    ---------------|----------|------
    NetVanta 600 Series, NetVanta 1000 Series, NetVanta 3000 Series, NetVanta 4000 Series, NetVanta 5000 Series, NetVanta 6000 Series, Total Access 900/900e Series | High | Only affected if the device is functioning as a DHCP server and the DNS proxy is enabled.
    414RG ONT, 424RG ONT, 434RG ONT | High |
    SDX 810-RG | High |

     

    Mitigating Factors & Recommended Actions

    Product Family | Mitigating Factors | Recommended Actions
    ---------------|--------------------|--------------------
    All | None | No actions to mitigate are available.

     

    Resolution

    Product Family | Resolution
    ---------------|-----------
    NetVanta 600 Series, NetVanta 1000 Series, NetVanta 3000 Series, NetVanta 4000 Series, NetVanta 5000 Series, NetVanta 6000 Series, Total Access 900/900e Series | Upgrade to AOS R13.2.2 or later to prevent 'wpad' and 'isatap' from being registered to the DNS proxy. R13.3.0 and R13.3.1 were released prior to R13.2.2 and do not contain the change in behavior.
    414RG ONT, 424RG ONT, 434RG ONT | Upgrade to ONT Release 9.11.0.1 or later, which prevents 'wpad' and 'isatap' from being registered to the DNS proxy.
    SDX 810-RG | Upgrade to Release 4.1.3 or later, which prevents 'wpad' and 'isatap' from being registered to the DNS proxy.
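
The following is an added example, not ADTRAN code and not part of the original advisory: a Python audit of a DHCP lease table for the two names the fixed releases refuse to register, 'wpad' and 'isatap'. The lease tuple layout and every sample value are constructed assumptions, and the check goes slightly beyond the advisory by also matching case variants and fully qualified forms.

```python
# Added example: sample data is constructed; the (mac, ip, hostname) layout is an assumption.
RESERVED_LABELS = {"wpad", "isatap"}  # the two names the advisory's fixes refuse to register


def first_label(hostname):
    """Return the lower-cased leftmost DNS label of a DHCP-supplied hostname."""
    name = (hostname or "").strip().rstrip(".").lower()
    return name.split(".", 1)[0]


def is_reserved(hostname):
    """True if auto-registering this hostname would create a wpad/isatap record."""
    return first_label(hostname) in RESERVED_LABELS


def audit_leases(leases):
    """Split leases into (registrable, flagged) by the hostname each client sent."""
    registrable, flagged = [], []
    for mac, ip, hostname in leases:
        (flagged if is_reserved(hostname) else registrable).append((mac, ip, hostname))
    return registrable, flagged


# Constructed sample lease table: (MAC, leased IP, client-supplied hostname).
SAMPLE_LEASES = [
    ("00:00:5e:00:53:01", "192.0.2.10", "laptop-17"),
    ("00:00:5e:00:53:02", "192.0.2.11", "WPAD"),                # case variant
    ("00:00:5e:00:53:03", "192.0.2.12", "wpad.corp.example."),  # fully qualified form
    ("00:00:5e:00:53:04", "192.0.2.13", "isatap"),
    ("00:00:5e:00:53:05", "192.0.2.14", "wpad-printer"),        # different label, not reserved
    ("00:00:5e:00:53:06", "192.0.2.15", None),                  # client sent no hostname
]

if __name__ == "__main__":
    ok, bad = audit_leases(SAMPLE_LEASES)
    for mac, ip, hostname in bad:
        print(f"ALERT reserved name {hostname!r} requested by {mac} at {ip}")
    print(f"{len(ok)} leases safe to register, {len(bad)} flagged")
```

A flagged lease on a device that has not yet been upgraded identifies the MAC address and IP of the client that asked for the reserved name.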

     

    Revision History

    • Revision C (2018-11-06):  ONT Release 9.11.0.1 and SDX 810-RG Release 4.1.3 have been released and are now available for download.
    • Revision B (2018-10-19):  Removed the "under investigation" note because all investigations are complete.  Also updated the planned release dates for the ONT 9.11.0.1 and SDX 810-RG 4.1.3 releases.
    • Revision A (2018-09-05):  Initial Release