Vulnerabilities in service autodiscovery

Some applications and protocols have autodiscovery functions relying on hardcoded DNS names. This can result to security issues when hostnames are automatically registered to DNS. Attackers can register autodiscovery domain names to perform man in the middle attacks.

Many network devices automatically register the names of the hosts to their DNS service after DHCP registration. Some systems query domain names via multicast DNS. In both cases, a malicious host within a network can mount man in the middle attacks by naming their device with a domain name used for service autodiscovery. Services that are currently known to be vulnerable are:

  • Proxy Auto-Configuration (WPAD): A full man in the middle for HTTP, HTTPS, and FTP protocols
  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP): Man in the middle for IPv6 traffic within an IPv4 network
An attacker in the man in the middle position can eavesdrop, modify or drop traffic, and try to circumvent encryption or other protections. Protocols and implementations employing end to end encryption are not affected.

Vulnerability coordination:

The vulnerability was found by Ossi Salmi, Mika Seppänen, Marko Laakso and Kasper Kyllönen of Arctic Security. NCSC-FI would like to thank the finder, CERT/CC and vendors for participating in the coordination.

  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Mobile communications systems
  • Embedded systems
  • Others


  • Network devices
Further information +

Attack vector

  • Remote
Further information on the access vector +


  • Editing of information
  • Obtaining of confidential information
  • Denial-of-service attack
  • Security bypass
Further information on the impact +


  • Software update patch
  • Restriction of the problem
  • No update
Further information on the remediation +

Vulnerable software:

A listing of affected products can be found in the CERT/CC advisory.

Possible solutions and restrictive measures:

Upgrade the vulnerable systems in accordance with instructions from the vendor.

The vulnerability can be mitigated by blacklisting service autodiscovery domain names such as wpad, isatap, autodiscovery, and autoconf from DNS autoregistration.

Contact Information

NCSC-FI Vulnerability Coordination can be contacted as follows:


Please quote the advisory reference [FICORA #1038576] in the subject line.

+358 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+3)

Vulnerability Coordination
P.O. Box 313
FI-00561 Helsinki

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The PGP key as well as the vulnerability coordination principles of NCSC-FI are available at:

Further information:

Update history

Key words: Information security , Vulnerability coordination

LinkedIn Print


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313


Media contacts by telephone +358 295 390 248