Feature #14786

closed

Add GUI option for host_verify_strict

Added by Jonathan Lee about 1 year ago. Updated about 1 year ago.

Status: Duplicate
Priority: Low
Assignee: -
Category: Squid
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Ref for research of UPP get requests:
https://forum.netgate.com/topic/182866/universal-procedure-pointers-upp-mzstatic-com-s-mode-of-access-redirector-question

A tunnel within a tunnel, or the coined term could be "Universal Procedure Pointer GET requests", is starting to occur more frequently on proxies. Can code please be added to detect when the IP stays the same and a UPP GET request connection occurs?

Example of use: An SSL intercept based proxy is in use with certificates installed on all devices; the firewall has the iTunes and Apple Music domains configured to be whitelisted such that they bypass the SSL proxy for use with proxy transparent mode (advanced, manually configured).

What occurs: After a request goes to a whitelisted domain such as Apple Music, the same IP directly after is being used as a tunneled redirect right to the image server "mzstatic". Keep in mind mzstatic has not been approved yet for use with the SSL bypass; however, it occurs unknowingly and uses that open tunnel.

The concern is the mode of use. This ability to redirect and/or piggyback off any whitelisted domain in a firewall, such that the GET request starts to use the same IP address for new URLs, is essentially a non-approved tunnel within an established SSL tunnel.

How can this be set up to block if it was abused by something else outside of Apple? How can this new mode of redirect be proxied when not approved? Simply put, yes, a firewall can be configured to block the other address. Again, that is after the damage is done and then it's too late. It takes a firewall admin to spot it only after it has already been used several times, and only after it's spotted to establish block rules when needed. For an invasive actor it only takes one usage of such a tool to achieve an objective.

Has anyone else seen this outside of apple?

This request is for a new feature inside of the Squid package. New UPP GET requests are being used to bypass firewall rules.


Files

Screenshot 2023-09-15 at 12.34.24 PM.png (615 KB) - Proxy Killer UPP in use - Jonathan Lee, 09/15/2023 07:46 PM

Related issues

Is duplicate of Bug #14390: Squid: SECURITY ALERT: Host header forgery detected (New)

Actions #1

Updated by Jonathan Lee about 1 year ago

Keep in mind my concern is not Apple's use of UPP, but rather when UPP GET requests are used invasively. How can a proxy spot UPP GET requests and stop them before the damage occurs to file systems and/or data? The concern is what cyber defence steps can be taken to have information assurance for such a tool when abused.

We know it occurs in steps:

1. An approved SSL splice connection is established
2. UPP takes over and points a GET request inside of the pre-established connection
3. UPP now communicates and uses the same IP for other URL requests and passes data when required

Actions #2

Updated by Jonathan Lee about 1 year ago

Ref:
http://www.squid-cache.org/Doc/config/host_verify_strict/

This option could be built into the GUI to bring more visibility to host verification options.

This could be the solution to the package GUI interaction.

Actions #3

Updated by Jonathan Lee about 1 year ago

host_verify_strict on
host_verify_strict off
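As an added example, not code from this ticket or from the Squid package: a Python model of the intercepted-request host verification that host_verify_strict switches between logging and rejecting, applied to the three-step sequence described in note #1 (a request for one authority riding a connection intercepted for another). The resolver table, addresses and cache.log lines are constructed; the log pattern follows the "SECURITY ALERT: Host header forgery detected" message named in Bug #14390.

```python
import ipaddress
import re
# Constructed resolver view (RFC 5737 documentation addresses, not real Apple IPs):
# what the proxy's own DNS lookup returns for each Host: name.
RESOLVED = {
    "music.apple.com": {"198.51.100.10", "198.51.100.11"},
    "is1-ssl.mzstatic.com": {"203.0.113.20"},
}

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True

def verify_host(original_dst, host_header, strict, resolver=RESOLVED):
    """Model of the check host_verify_strict controls for intercepted requests.
    original_dst: intercept/NAT destination IP the client actually connected to.
    host_header:  authority the client claims in Host: (optionally host:port).
    Returns (forged, action, connect_to)."""
    name = host_header.lower()
    if name.count(":") == 1:                 # strip ":port" (IPv4 or hostname)
        name = name.split(":", 1)[0]
    candidates = {name} if _is_ip(name) else resolver.get(name, set())
    if original_dst in candidates:
        return (False, "forward", original_dst)
    # Mismatch: a request for one authority riding a connection intercepted for
    # another host, i.e. the "tunnel within a tunnel" the report describes.
    if strict:
        return (True, "reject", None)
    # Non-strict: the alert is logged and the request still goes only to the
    # original destination, never to whatever Host: resolves to.
    return (True, "forward_to_original_dst", original_dst)

# Detection side: pull (client, intercepted destination) out of cache.log alert
# lines so the forging client can be identified and its traffic reviewed.
ALERT_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<dst>[\d.]+):\d+ remote=(?P<client>[\d.]+):\d+")

def forged_pairs(log_lines):
    return [(m["client"], m["dst"]) for m in map(ALERT_RE.search, log_lines) if m]

SAMPLE_LOG = [  # constructed lines in the shape of Squid's cache.log alert
    "2023/09/15 12:34:24 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=198.51.100.10:443 remote=192.0.2.55:51234 FD 20 flags=33 "
    "(local IP does not match any domain IP)",
    "2023/09/15 12:34:24 kid1| SECURITY ALERT: on URL: is1-ssl.mzstatic.com:443",
]
```

Only `host_verify_strict on` turns the mismatch into a rejected request; with the default `off` the proxy still refuses to chase the forged Host: and only logs, which is why the cache.log alert is the signal to monitor.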

Actions #4

Updated by Marcos M about 1 year ago

  • Subject changed from New Feature Request (Universal Procedure Pointers) UPP detections inside of Squid needed to Add GUI option for host_verify_strict
  • Priority changed from Normal-package to Low

This seems related:
https://redmine.pfsense.org/issues/14390

Keep in mind that a report on the forum mentions that host_verify_strict did not resolve the issue there.

Actions #5

Updated by Jonathan Lee about 1 year ago

I wish it did resolve this. Thanks for the information. I will keep researching.

Actions #6

Updated by Mike Moore about 1 year ago

Marcos, the problem is that the Squid package is not respecting the host strict setting. The package is broken in that regard. Updated notes in the case you mentioned.

Actions #7

Updated by Marcos M about 1 year ago

  • Status changed from New to Duplicate

Actions #8

Updated by Marcos M about 1 year ago

  • Is duplicate of Bug #14390: Squid: SECURITY ALERT: Host header forgery detected added