CVE-2016-3213
Published 2016-06-16. CVE-2016-3213: The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1…
Priority: P2 · 72 · Severity: high · CVSS 3.0 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 70.29% (99.3 percentile)
The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold and 1511, and Internet Explorer 9 through 11 has an improper fallback mechanism, which allows remote attackers to gain privileges via NetBIOS name responses, aka "WPAD Elevation of Privilege Vulnerability."
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for NetBIOS Name Service (NBT-NS, UDP/137) responses that answer queries for the name 'WPAD'. A high volume of such responses on the network is a strong indicator of BadTunnel/CVE-2016-3213 exploitation.
- Detect exploitation attempts delivered as UNC links (in HTML or Office attachments); the link is what triggers the victim's initial NetBIOS request toward the attacker-controlled host.
- Alert on sustained high-rate UDP NetBIOS traffic (port 137) from an external or unexpected source toward internal hosts, especially responses for the WPAD name; this matches the brute-force NAT-tunnelling attack pattern.
- Check the hosts file for the workaround entry '255.255.255.255 wpad'. Its absence means the additional hardening Microsoft recommends alongside the patch has not been applied; a wpad entry pointing at any other address indicates tampering or an attacker-supplied proxy and should be investigated.
- Verify that both MS16-063 and MS16-077 are installed; a system missing either update remains exploitable even if the other one is installed.
- The Metasploit auxiliary module 'server/netbios_spoof_nat' implements the BadTunnel brute-force NAT-tunnel spoof for WPAD and is publicly available, lowering the bar for exploitation.
- The attack works through NAT gateways because the stream of NetBIOS responses keeps the NAT mapping alive, so perimeter-only defences are insufficient.
- The Microsoft patches (MS16-063/MS16-077) change how the WPAD proxy host is identified but do not eliminate the predictability of NetBIOS requests entirely.
- Applying the hosts-file workaround (255.255.255.255 wpad) breaks autoproxy discovery; applications such as Internet Explorer may then fail to load websites.
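The following is an added example, not code from the original page or from any of the cited sources. It implements the three host- and network-side checks listed above in one place: a minimal parser for NBT-NS (UDP/137) packets per RFC 1002 that flags any positive name response for 'WPAD', a per-source rate check that catches the high-volume response stream BadTunnel uses to brute-force the 16-bit NBT-NS transaction ID through a NAT mapping, and a hosts-file inspection for the '255.255.255.255 wpad' workaround. The packets and hosts-file contents are constructed inline; the 'rate_threshold' of 50 responses per second per source is an assumed tuning value, not a figure from the advisory.

```python
"""Added example (not from the page's sources): NBT-NS response parsing and
the WPAD-spoof checks described in the detection notes. All sample packets
and hosts-file text below are constructed for the example."""
import struct
from collections import defaultdict

NB_TYPE = 0x0020        # RFC 1002 NB resource record type (name -> address)
WPAD_NAME = "WPAD"


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix
    byte, then emit each nibble as a letter 'A'..'P' (RFC 1001 s.14.1)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(enc)]) + bytes(enc) + b"\x00"   # length, label, terminator


def decode_nb_name(buf: bytes, off: int):
    """Decode one encoded label at offset; return (name, suffix, next_offset)."""
    length = buf[off]
    enc = buf[off + 1:off + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + length + 1


def build_query(txid: int, name: str) -> bytes:
    """Constructed NBT-NS name query (flags 0x0110: opcode QUERY, RD, broadcast)."""
    hdr = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return hdr + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, 1)


def build_positive_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed positive name query response, as a spoofer would send it
    (flags 0x8500: response, AA, RD; one NB answer carrying NB_FLAGS + address)."""
    hdr = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_nb_name(name) + struct.pack(">HHIH", NB_TYPE, 1, ttl, len(rdata)) + rdata
    return hdr + rr


def parse_nbns(pkt: bytes) -> dict:
    """Parse the NBT-NS header, skip question entries, decode answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off, answers = 12, []
    for _ in range(qd):
        _, _, off = decode_nb_name(pkt, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        name, suffix, off = decode_nb_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        # each NB entry is 2 bytes NB_FLAGS followed by a 4-byte IPv4 address
        addrs = [".".join(str(b) for b in rdata[i + 2:i + 6])
                 for i in range(0, rdlen, 6)] if rtype == NB_TYPE else []
        answers.append({"name": name, "suffix": suffix, "addrs": addrs})
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": answers}


def detect_wpad_spoof(events, rate_threshold: int = 50) -> list:
    """events: iterable of (timestamp_seconds, src_ip, udp_payload_bytes).
    Emits one 'wpad_response' alert per positive answer for WPAD and one
    'nbns_flood' alert per (source, 1-second bucket) whose response count
    exceeds rate_threshold (assumed tuning value)."""
    alerts, per_bucket = [], defaultdict(int)
    for ts, src, payload in events:
        try:
            p = parse_nbns(payload)
        except (struct.error, IndexError, UnicodeDecodeError):
            continue                              # not a parseable NBT-NS packet
        if not p["is_response"]:
            continue
        per_bucket[(src, int(ts))] += 1
        for a in p["answers"]:
            if a["name"] == WPAD_NAME and p["rcode"] == 0:
                alerts.append({"type": "wpad_response", "src": src,
                               "txid": p["txid"], "addrs": a["addrs"]})
    for (src, second), n in per_bucket.items():
        if n > rate_threshold:
            alerts.append({"type": "nbns_flood", "src": src, "second": second, "count": n})
    return alerts


def check_hosts_wpad(hosts_text: str) -> str:
    """Classify the wpad entry in hosts-file text: 'workaround' for the
    255.255.255.255 mapping, 'suspicious' for any other address, else 'absent'."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and any(h.lower() == "wpad" for h in fields[1:]):
            return "workaround" if fields[0] == "255.255.255.255" else "suspicious"
    return "absent"
```

To use this against live traffic, feed the UDP payloads of port-137 datagrams (for example from a pcap) into detect_wpad_spoof as (timestamp, source IP, payload) tuples; the parser is tolerant of queries and of unrelated packets, so it can consume the whole NBT-NS stream. Note that a single positive WPAD response from a host that is not the legitimate proxy is already worth an alert; the rate check exists to catch the brute-force stream even when the answers are for a name other than WPAD.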
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor (MSRC) | — | 8.8 | LOW | — |
Microsoft (vendor_msrc), 2016-06-14, CVSS 8.8
CVE-2016-3213 [HIGH] WPAD Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Windows when the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process. An attacker who successfully exploited this vulnerability could bypass security and gain elevated privileges on a targeted system.
To exploit the vulnerability, an attacker could respond to NetBIOS name requests for WPAD.
The update addresses the vulnerability by correcting how Windows handles proxy discovery.
FAQ: Are there any further steps I need to carry out to be protected from CVE-2016-3213 described in this bulletin?
Yes. It is important to note that the security update described in this bulletin for CVE-2016-3213 does not fully protect your system. You must i
GHSA (ghsa_unreviewed), 2022-05-14
CVE-2016-3213 [HIGH] GHSA-cj7m-368h-qqqf
The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold and 1511, and Internet Explorer 9 through 11 has an improper fallback mechanism, which allows remote attackers to gain privileges via NetBIOS name responses, aka "WPAD Elevation of Privilege Vulnerability."
No detection rules found.
Talos (blogs_talos), 2016-06-14
## Microsoft Patch Tuesday - June 2016
This post was authored by Warren Mercer.
Patch Tuesday for June 2016 has arrived, when Microsoft releases its monthly set of security bulletins addressing security vulnerabilities in its products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, the Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, the Windows Search component, and WPAD.
## Bulletins Rated Critical
Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this relea
Huntress (blogs_huntress)
What Is DLL Hijacking? How to Detect & Prevent It
## What is DLL hijacking?
DLL hijacking is when a Windows application loads a malicious DLL (Dynamic Link Library) instead of the legitimate one, because the attacker has placed their DLL where the system looks for the original. The trick works because many applications do not specify the full, trusted path to the DLLs they need; they rely instead on the Windows default search order, which is not always secure. The result: the attacker's code runs with the same privileges as the application.
## Purpose behind DLL hijacking
- Gain unauthorized access or control
- Escalate user privileges
- Maintain stealthy persistence
- Deploy malware while evading detection
## How DLL hijacking works step by step
Want to know how attackers pull off DLL hijacking? Here’s how i
References
- http://www.securitytracker.com/id/1036096
- http://www.securitytracker.com/id/1036104
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-063
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-077
Published: 2016-06-16