Front Page: NCSC-FI
Go to Search

Vulnerabilities in service autodiscovery


Some applications and protocols have autodiscovery functions relying on hardcoded DNS names. This can result to security issues when hostnames are automatically registered to DNS. Attackers can register autodiscovery domain names to perform man in the middle attacks.

Many network devices automatically register the names of the hosts to their DNS service after DHCP registration. Some systems query domain names via multicast DNS. In both cases, a malicious host within a network can mount man in the middle attacks by naming their device with a domain name used for service autodiscovery. Services that are currently known to be vulnerable are:

  • Proxy Auto-Configuration (WPAD): A full man in the middle for HTTP, HTTPS, and FTP protocols
  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP): Man in the middle for IPv6 traffic within an IPv4 network

An attacker in the man in the middle position can eavesdrop, modify or drop traffic, and try to circumvent encryption or other protections. Protocols and implementations employing end to end encryption are not affected.

Vulnerability coordination:

The vulnerability was found by Ossi Salmi, Mika Seppänen, Marko Laakso and Kasper Kyllönen of Arctic Security. NCSC-FI would like to thank the finder, CERT/CC and vendors for participating in the coordination.


  • Network devices

Attack vector

  • Remote


  • Denial-of-service attack
  • Security bypass
  • Editing of information
  • Obtaining of confidential information


  • Software update patch
  • Restriction of the problem
  • No update

Vulnerable software

A listing of affected products can be found in the CERT/CC advisory.

Possible solutions

Upgrade the vulnerable systems in accordance with instructions from the vendor.

The vulnerability can be mitigated by blacklisting service autodiscovery domain names such as wpad, isatap, autodiscovery, and autoconf from DNS autoregistration.

Contact Information

NCSC-FI Vulnerability Coordination can be contacted as follows:


Please quote the advisory reference [FICORA #1038576] in the subject line.

+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Vulnerability Coordination
P.O. Box 313
FI-00561 Helsinki

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:

Additional information

Originally published 06.09.2018 time 12:08