Mitigate A New CERT Vulnerability (#598349) With An Entry In /etc/hosts

2018-09-10, posted in Random

There is a new CERT vulnerability note (VU#598349) describing a flaw that can leave you open to a Man-in-the-Middle attack. You can mitigate it today by adding these two lines to your /etc/hosts file:

    wpad
    :: wpad

wpad here is a stand-in for your local domain, so replace it with whatever your local domain is.
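To confirm the sinkhole is actually in place (the pin only helps against the rogue lease described in the next paragraph if both address families are covered), here is an added example in POSIX shell; it is not from the Pi-hole post. It renders the two lines for a local domain and audits a hosts file for both pins. The page shows only the IPv6 :: line, so the IPv4 address 0.0.0.0 is an assumption of the example; the sample hosts file is constructed, and an empty domain argument checks the bare name wpad.

```shell
#!/bin/sh
# Added example (not from the Pi-hole post): render the two /etc/hosts lines for a
# local domain and audit a hosts file for both of them, so you can confirm the
# sinkhole is in place for IPv4 and IPv6 before relying on it.
# Assumption: the IPv4 pin is 0.0.0.0 (the page only shows the IPv6 "::").
set -eu

# Name to pin: wpad.<domain>, or the bare name wpad when the domain is empty.
wpad_name() {
    printf 'wpad%s\n' "${1:+.$1}"
}

# Print the two hosts-file lines for the given local domain.
wpad_hosts_lines() {
    name=$(wpad_name "$1")
    printf '0.0.0.0 %s\n:: %s\n' "$name" "$name"
}

# Audit FILE for both pins. Prints "ok" and returns 0 when wpad.DOMAIN maps to
# 0.0.0.0 and to ::; otherwise lists the missing address(es) and returns 1.
# Trailing comments and extra aliases on a line are handled, and the hostname
# comparison is case-insensitive, as DNS names are.
wpad_hosts_check() {
    file=$1
    name=$(wpad_name "$2")
    missing=""
    for addr in 0.0.0.0 ::; do
        if ! awk -v want="$addr" -v name="$name" '
                { sub(/#.*/, "") }                    # strip trailing comment
                $1 == want {                          # address matches
                    for (i = 2; i <= NF; i++)         # any alias on the line
                        if (tolower($i) == tolower(name)) { found = 1; exit }
                }
                END { if (found) exit 0; exit 1 }' "$file"
        then
            missing="$missing $addr"
        fi
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing pin(s) for $name:$missing"
    return 1
}

# Demonstration on a constructed hosts file: the IPv4 pin is present (in mixed
# case, with a comment), the IPv6 pin is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 localhost
0.0.0.0   WPAD.lan      # IPv4 sinkhole already there
::1       localhost ip6-localhost
EOF
wpad_hosts_check "$sample" lan || true     # reports the missing :: pin
wpad_hosts_lines lan >> "$sample"          # add both lines
wpad_hosts_check "$sample" lan             # now prints ok
rm -f "$sample"
```

Run it against the real file after editing, for example `wpad_hosts_check /etc/hosts yourdomain`. Keep in mind that /etc/hosts on the Pi-hole only shapes what dnsmasq/FTL answers; a client that sends its DNS queries to some other resolver gets no benefit from the pin.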

The essence of this vulnerability is that an attacker can add a device to the network named wpad and get a DHCP lease, thus inserting the name in the local DNS pointing to the attacker’s machine.  The presence of that A record allows control of the proxy settings of any browser in the network.

You can learn more about the technology behind this attack at Google's Project Zero page. It's an older article, but it gives some insight into the inner workings of the attack.

The next release of dnsmasq includes an option (dhcp-ignore-names) that can be used to mitigate the attack at the source, in the DHCP server itself, but we haven't heard how Simon (the dnsmasq maintainer) will act on this new vulnerability.

Since FTLDNS is just our fork of dnsmasq, we can easily merge in any upstream changes from him, but we wanted to let you know about the /etc/hosts fix that you can implement immediately.

Notable Replies

  1. jfb says:

    What would be the correct settings for a domain with no name?


  2. @jacob.salmela
    A long time ago, I responded to a topic, regarding excessive wpad queries and provided a solution to have lighttpd respond.
    Does this imply that the solution is no longer a good solution?

    I'm aware the solution doesn't have an entry for IPv6, but this can be easily fixed, NOT sure if lighttpd will also provide the response...

    The solution was further discussed in this topic, section Q/A (Q: Why so many local requests?)

    checked to see if IPv6 requests are responded to by lighttpd -> YES

    IPv4 request (, entry in the lighttpd log

    1536659104||GET /wpad.dat HTTP/1.1|200|56

    IPv6 request (http://[2a02:1810:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]/wpad.dat), entry in the lighttpd log

    1536659116|[2a02:1810:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]|GET /wpad.dat HTTP/1.1|200|56


  3. Tho says:

    What about using the Pi-hole blacklist instead of editing the hosts file?

    Seems to work fine for me, by just adding


    as a Regex to the blacklist.

  4. Hi team,

    If you are tempted to create a "fix" for this wpad thingy...
    Please make sure it is configurable as I use wpad.
    If pihole starts blocking this as security feature, there will be issues with users like me.

    Many use the wpad dns entry to let clients know where to find wpad.dat or proxy.pac.
    DNS wpad entry is picked up by clients, as clients send wpad question to dhcp when getting ip stuff.
    wpad entry in DNS is based on IP or hostname. And the wpad must be served from a webserver on port 80.

    A solution could be adding a wpad thingy in the gui. For users without wpad, just enter
    For me: I would use or fqdn name.

    DNSmasq can also be used to NOT serve a DHCP IP to a hostname:
    Perhaps this works? Have not tested it:

    Thanks in advance,

  5. Pointless for now, you might want to bookmark this for later...

    dnsmasq 2.80 will have protection for the wpad vulnerability

    from the changelog:

    Include in the example config file a formulation which
    stops DHCP clients from claiming the DNS name "wpad".
    This is a fix for the CERT Vulnerability VU#598349.

    from the sample config file:

    # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.


    # If a DHCP client claims that its name is "wpad", ignore that.
    # This fixes a security hole. see CERT Vulnerability VU#598349

    Unfortunately, this will require pihole-FTL to adopt the changes from dnsmasq 2.80, which hasn't been released yet (test releases available).
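The dhcp-ignore-names mitigation the post mentions, and the sample config quoted in the reply above with its option lines missing, as an added example that is not from the post and not a copy of dnsmasq's shipped dnsmasq.conf.example: a drop-in file under /etc/dnsmasq.d/ (file name of your choosing) that lets a client keep its lease but refuses to publish the name it claims. It assumes dnsmasq 2.80 or later (dhcp-name-match is new there), and the tag name wpad-ignore is an arbitrary choice.

```conf
# Added example, not from the post and not dnsmasq's shipped sample file:
# drop-in for /etc/dnsmasq.d/ that stops DHCP clients from claiming "wpad".
# Assumes dnsmasq 2.80 or later (FTL must carry that code for this to apply).

# Weak default, for contrast: with none of the lines below, dnsmasq publishes
# whatever hostname a DHCP client sends, so a rogue lease that claims "wpad"
# becomes the A record every browser on the LAN consults for proxy discovery.

# Tag any DHCP request whose client-supplied hostname is exactly "wpad" ...
dhcp-name-match=set:wpad-ignore,wpad

# ... and drop the claimed name for tagged requests. The client still gets a
# lease; only its DNS name is refused. A wpad name you define yourself, via
# host-record= or /etc/hosts, is unaffected: only client-claimed names are
# dropped, so a site that serves its own wpad.dat keeps working.
dhcp-ignore-names=tag:wpad-ignore

# Send an empty WPAD option (252); dnsmasq's sample config notes this may be
# required to get Windows 7 to behave. Harmless if you run no proxy.
dhcp-option=252,"\n"
```

After dropping the file in place, `dnsmasq --test` (or `pihole-FTL --test` on a build that carries the 2.80 code) validates the syntax before you restart the service.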
