Mitigate A New CERT Vulnerability (#598349) With An Entry In /etc/hosts

Mitigate A New CERT Vulnerability (#598349) With An Entry In /etc/hosts

2018-09-10 Random 27

There is a new CERT vulnerability that can leave you vulnerable to a Man-in-the-Middle attack. You can mitigate this vulnerability today by adding these two lines to your /etc/hosts file:

0.0.0.0 wpad wpad.example.com 
:: wpad wpad.example.com

example.com is a stand in for your local domain. So replace example.com with whatever your local domain is.

The essence of this vulnerability is that an attacker can add a device to the network named wpad and get a DHCP lease, thus inserting the name wpad.example.com in the local DNS pointing to the attacker’s machine. The presence of that A record allows control of the proxy settings of any browser in the network.

You can learn more about the technology behind this attack at Google’s Project Zero page–it’s an older article, but gives some insight into the inner workings of the attack.

The next release of dnsmasq includes an option (dhcp-ignore-names) that can be used to mitigate the attack at the source, but we haven’t heard how Simon will act on this new vulnerability.

Since FTLDNS is just our fork of dnsmasq, we can easily merge in any upstream changes from him, but we wanted to let you know of the /etc/hosts fix that you can immediately implement.

Notable Replies

  1. Avatar for jfb jfb says:

    What would be the correct settings for a domain with no name?

    domainname
    (none)

  2. My pihdole is not inside my lan.

    must I set this on my local pc on the pihole server?

  3. I don't have pihole serve my DHCP.... my router does it but I am unsure what my domain is...

    1. How can one tell what the local domain is?
    2. Should I add those lines to my router's /etc/hosts?
  4. Avatar for jfb jfb says:

    Run this command on the terminal on your Pi: domainname

    Put on the /etc/hosts file for the device which is providing DNS resolution - in this case your Pi-Hole.

  5. Thank you for the reply @jfb. I don't have domainname it seems. The distro is Arch ARM. I am not sure any package supplies that program :confused:

Continue the discussion discourse.pi-hole.net

22 more replies

Participants