Is the Turris Omnia vulnerable to this?

Is the Omnia vulnerable to this new CERT vulnerability? This Pi-Hole blog post explains the essence of the problem and how to mitigate the vulnerability. Thank you.

IMHO: judging from a quick wiki scan, the WPAD protocol has never got standardized (!) which explains why I can’t see the name in the special registry, so I’m convinced that the (silly) error is on the side of any applications trusting such an ad-hoc name, especially as DNS+http path to the end machine is typically not secured in any way.

Perhaps routers might better block adding a machine with wpad hostname, but there are “legitimately” registered domains like and, and just blocking those would seem rather excessive to me, so I can’t see any reasonable fix other than fixing the clients that blindly trust contents on such names (e.g. Windows). Yes, e.g. currently shows a site informing about the WPAD vulnerability, but it’s a regular domain owned by someone, so they technically can decide to exploit it any time (selectively).

EDIT: Google blogpost seems to explain the situation the best, and it also shows how to disable WPAD on Windows to feel safer (no particular exploitability is known at this moment apparently).

Good thing I don’t have a single Windows machine then… Thank you very much for your explanation.