Mitigate A New CERT Vulnerability (#598349) With An Entry In /etc/hosts


#21

I guess this is the reason why I always disable any Proxy related settings in all my browsers and also check if any unneeded Services are running via services.msc

Thnx @ Pi-Hole team for this notification tho!


#22

Bit late to the party here, but is this still valid?
Is it advised to modify /etc/hosts or use regex?
domainname returns (none) for me.


#23

Both are possible and it doesn't really matter regarding security.

But I still prefer the blacklist method. Using this one can see which device is querying wpad in the statistics of Pi-hole. Having this information you can reach out to the vulnerable device and deactivate the "auto proxy" setting directly.
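The per-device lookup described in the post above, as an added example that is not part of the original thread: it reads dnsmasq query-log lines (the `query[TYPE] name from client` format written when query logging is enabled) and reports which clients asked for a name whose first label is `wpad`. The log lines and addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# dnsmasq query-log line: "<timestamp> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def is_wpad_name(name):
    """True when the leftmost DNS label is exactly 'wpad' (wpad, wpad.lan, ...)."""
    return name.rstrip(".").lower().split(".")[0] == "wpad"

def wpad_clients(log_lines):
    """Return {client: Counter({queried_name: count})} for WPAD lookups only."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_wpad_name(m.group("name")):
            # Normalise case and trailing dot so WPAD.lan and wpad.lan. count together.
            hits[m.group("client")][m.group("name").rstrip(".").lower()] += 1
    return dict(hits)

# Constructed sample log lines (not taken from a real network).
SAMPLE_LOG = """\
Sep  4 10:15:01 dnsmasq[812]: query[A] wpad.lan from 192.168.1.23
Sep  4 10:15:01 dnsmasq[812]: /etc/hosts wpad.lan is 0.0.0.0
Sep  4 10:15:02 dnsmasq[812]: query[AAAA] WPAD.lan from 192.168.1.23
Sep  4 10:15:07 dnsmasq[812]: query[A] wpad from 192.168.1.40
Sep  4 10:15:09 dnsmasq[812]: query[A] mywpad.example.com from 192.168.1.40
Sep  4 10:15:11 dnsmasq[812]: query[A] pi.hole from 192.168.1.23
""".splitlines()

if __name__ == "__main__":
    # Clients listed here still have automatic proxy discovery switched on.
    for client, names in sorted(wpad_clients(SAMPLE_LOG).items()):
        for name, count in sorted(names.items()):
            print(f"{client}\t{name}\t{count}")
```

Answer lines such as `/etc/hosts wpad.lan is 0.0.0.0` are skipped because they carry no client address; only the `query[...]` lines identify the device.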


#24

Hi team,

If you are tempted to create a "fix" for this wpad thingy…
Please make sure it is configurable as I use wpad.
If pihole starts blocking this as security feature, there will be issues with users like me.

Many use the wpad dns entry to let clients know where to find wpad.dat or proxy.pac.
DNS wpad entry is picked up by clients, as clients send wpad question to DHCP when getting ip stuff.
wpad entry in DNS is based on IP or hostname. And the wpad must be served from a webserver on port 80.

A solution could be adding a wpad thingy in the gui. For users without wpad, just enter 0.0.0.0
For me: I would use 192.168.1.4 or fqdn name.

DNSmasq can also be used to NOT serve a DHCP IP to a hostname:
Perhaps this works? Have not tested it:
dhcp-host=id:wpad,ignore

Thanks in advance,


#25

I don't believe there is any intent to do so. The post was for awareness of the issue.


#26

Pointless for now, you might want to bookmark this for later…

dnsmasq2.80 will have protection for the wpad vulnerability

from the changelog:

Include in the example config file a formulation which
stops DHCP clients from claiming the DNS name "wpad".
This is a fix for the CERT Vulnerability VU#598349.

from the sample config file:

# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"

and

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

Unfortunately, this will require pihole-FTL to adopt the changes from dnsmasq2.80, which hasn't been released yet (test releases available).


#27

That works with Dnsmasq version 2.80test3, thanks for the hint!
Just added that string to /etc/dnsmasq.conf (that was OpenWRT, not Pi-hole).