CVE-2016-3236
Published: 2016-06-16
Priority: P275 · Severity: critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 77.66% (99.5th percentile)
The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mishandles proxy discovery, which allows remote attackers to redirect network traffic via unspecified vectors, aka "Windows WPAD Proxy Discovery Elevation of Privilege Vulnerability."
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for NetBIOS name response flooding (brute-force spoofing) targeting the 'WPAD' hostname, particularly high-rate UDP NetBIOS traffic (~30,000 PPS), which is characteristic of the BadTunnel exploitation technique.
- Detect exploitation attempts by monitoring for unsolicited or repeated NetBIOS responses to a target host for the WPAD hostname, especially when they originate from an external/NAT-traversing source, a hallmark of the BadTunnel NAT-piercing attack.
- Investigate UNC link delivery vectors (HTML pages, Office attachments) pointing to attacker-controlled IPs as the initial trigger mechanism used to elicit a NetBIOS WPAD request from the victim.
- Alert on anomalous WPAD proxy auto-detection traffic or unexpected changes to NetBIOS name cache entries for 'WPAD', which may indicate successful cache poisoning via BadTunnel.
- The Microsoft patches MS16-063/MS16-077 change how the WPAD proxy host is identified and affect the predictability of NetBIOS requests, but do not fully eliminate the underlying NetBIOS spoofing primitive.
- The workaround of adding '255.255.255.255 wpad' to the hosts file will break autoproxy discovery and may prevent applications such as Internet Explorer from loading websites properly.
- The attack is effective even when the target is behind a NAT gateway, as the continuous stream of NetBIOS responses keeps the NAT mapping alive after the initial setup.
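As an added illustration of the detection items above (not part of the original record or of any of its sources), the following Python sketch applies the first two indicators to constructed NetBIOS name-service events: it flags WPAD name responses that were not preceded by a query from the receiving host, responses arriving from outside the configured local networks, and responses from one source that exceed a per-second rate threshold. The event format, the `LOCAL_NETS` list, the 1,000 responses/second threshold and the sample addresses are assumptions for the example; the ~30,000 PPS figure above is the page's own characterisation of BadTunnel traffic.

```python
"""Toy detector for the BadTunnel-style indicators listed above.

All events are constructed for this example; the field layout is an
assumption about what a NetBIOS name-service sensor might log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges treated as "internal" (assumption; tune per site).
LOCAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class NbEvent:
    """One NetBIOS name-service datagram as a sensor might record it."""
    ts: float    # seconds
    src: str     # sender IP
    dst: str     # receiver IP
    kind: str    # "query" or "response"
    name: str    # NetBIOS name being resolved


def is_external(ip: str) -> bool:
    """True if the address falls outside every configured local network."""
    addr = ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def analyze(events, rate_threshold=1000, window=1.0):
    """Return sorted (victim, source, reason) findings for WPAD responses.

    rate_threshold is responses per second from one source to one victim;
    window is the sliding interval (seconds) over which the rate is measured.
    """
    findings = set()
    pending = defaultdict(int)    # host -> WPAD queries not yet answered
    recent = defaultdict(deque)   # (victim, source) -> recent response times
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name.upper() != "WPAD":
            continue
        if ev.kind == "query":
            pending[ev.src] += 1
            continue
        if ev.kind != "response":
            continue
        victim, source = ev.dst, ev.src
        # Indicator: response with no outstanding query from the victim.
        if pending[victim] > 0:
            pending[victim] -= 1
        else:
            findings.add((victim, source, "unsolicited WPAD name response"))
        # Indicator: response from outside the local networks (NAT-traversing).
        if is_external(source):
            findings.add((victim, source,
                          "WPAD name response from outside local networks"))
        # Indicator: flood of responses from one source (brute-force spoof).
        q = recent[(victim, source)]
        q.append(ev.ts)
        while q and q[0] < ev.ts - window:
            q.popleft()
        if len(q) > rate_threshold * window:
            findings.add((victim, source, "WPAD name response flood"))
    return sorted(findings)


# Constructed sample 1: a host asks for WPAD and the local proxy answers once.
BENIGN_EVENTS = [
    NbEvent(1.00, "192.168.1.20", "192.168.1.255", "query", "WPAD"),
    NbEvent(1.01, "192.168.1.5", "192.168.1.20", "response", "WPAD"),
]

# Constructed sample 2: 1,500 unsolicited WPAD responses in under half a
# second from an outside address (203.0.113.10 is a documentation range).
ATTACK_EVENTS = [
    NbEvent(10.0 + i * 0.0003, "203.0.113.10", "192.168.1.20", "response", "WPAD")
    for i in range(1500)
]

if __name__ == "__main__":
    print("benign:", analyze(BENIGN_EVENTS))
    for finding in analyze(ATTACK_EVENTS):
        print("attack:", finding)
```

The rate and origin checks catch the noisy NAT-piercing variant the sources describe; a single, well-timed spoofed reply from an address inside the LAN after a genuine query produces no finding here, which matches the note above that the patches reduce predictability but do not remove the NetBIOS spoofing primitive. Correlating with the last indicator (a change in the host's cached 'WPAD' entry) is the complementary host-side check.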
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 9.8 | HIGH | — |
GHSA
GHSA-xxfh-4hh8-prf8 (ghsa_unreviewed · 2022-05-14 · CRITICAL): carries the same description as the NVD entry quoted above.
Microsoft
Windows WPAD Proxy Discovery Elevation of Privilege Vulnerability (vendor_msrc · 2016-06-14 · CVSS 9.8 · CRITICAL)
Description: An elevation of privilege vulnerability exists when Microsoft Windows improperly handles certain proxy discovery scenarios using the Web Proxy Auto Discovery (WPAD) protocol method.
An attacker who successfully exploited the vulnerability could potentially access and control network traffic for which the attacker does not have sufficient privileges.
The update addresses the vulnerability by correcting WPAD automatic proxy detection in Windows.
FAQ: Are there any behavior changes that I should be aware of after installing this update?
Yes. This update changes the behavior of Auto Proxy Detection and NetBIOS, which may affect various scenarios, such as SMB, WPAD-based proxy detection, and so on. For more informa
No detection rules found.
Talos
Microsoft Patch Tuesday - June 2016 (blogs_talos · 2016-06-14)
## Microsoft Patch Tuesday - June 2016
This post was authored by Warren Mercer.
Patch Tuesday for June 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Windows Search Component, and WPAD.
## Bulletins Rated Critical
Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this relea