Feature #14786: Add GUI option for host_verify_strict
Status: closed
Description
Ref for research of UPP get requests:
https://forum.netgate.com/topic/182866/universal-procedure-pointers-upp-mzstatic-com-s-mode-of-access-redirector-question
A tunnel within a tunnel, or the coined term could be "Universal Procedure Pointer GET requests," is starting to occur more frequently on proxies. Can code please be added to detect when the IP stays the same and a UPP GET request connection occurs?
Example of use: an SSL-intercept-based proxy is in use with certificates installed on all devices; the firewall has the iTunes and Apple Music domains configured to be whitelisted such that they bypass the SSL proxy for use with proxy transparent mode (advanced, manually configured).
What occurs: after a request goes to a whitelisted domain such as Apple Music, the same IP directly after is being used as a tunneled redirect right to the image server "mzstatic". Keep in mind mzstatic has not been approved yet for use with the SSL bypass; however, it occurs unknowingly and uses that open tunnel.
The concern is the mode of use. This ability to redirect and/or piggyback off any whitelisted domain in a firewall, such that the GET request starts to use the same IP address for new URLs, is essentially a non-approved tunnel within an established SSL tunnel.
How can this be set up to block if it was abused by something else outside of Apple? How can this new mode of redirect be proxied when not approved? Simply put, yes, a firewall can be configured to block the other address. Again, that is after the damage is done, and then it's too late. It takes a firewall admin to spot it only after it has already been used several times, and only after it's spotted can block rules be established when needed. For an invasive actor, it only takes one usage of such a tool to achieve an objective.
Has anyone else seen this outside of apple?
This request is for a new feature inside of the Squid package. New UPP GET requests are being used to bypass firewall rules.
Updated by Jonathan Lee about 1 year ago
Keep in mind my concern is not Apple's use of UPP but rather when UPP GET requests are used invasively. How can a proxy spot UPP GET requests and stop them before damage occurs to file systems and/or data? The concern is what cyber defence steps can be taken to have information assurance for such a tool when abused.
We know it occurs in steps:
1. An approved SSL splice connection is established.
2. UPP takes over and points a GET request inside of the pre-established connection.
3. UPP now communicates and uses the same IP for other URL requests and passes data when required.
Updated by Jonathan Lee about 1 year ago
Ref:
http://www.squid-cache.org/Doc/config/host_verify_strict/
This option could be built into the GUI to bring more visibility to host verification options.
This could be the solution to the package GUI interaction.
Updated by Jonathan Lee about 1 year ago
host_verify_strict on
host_verify_strict off
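The steps listed in the earlier comment (an intercepted connection to one whitelisted host, then requests for a different host carried over the same destination IP) are exactly what Squid's host verification is designed to catch, and the two `host_verify_strict` settings above only decide what happens once a mismatch is found. The following is an added example, not Squid's or the pfSense package's code, that models that check: the Host header of an intercepted request must resolve (forward DNS) to the IP the client actually connected to. The resolver is injected, and `FAKE_DNS`, the hostnames and the RFC 5737 addresses are constructed sample data, so it runs offline; `InterceptedRequest`, `verify_host` and `unverified_hosts_by_destination` are names chosen for this example.

```python
"""Host-header consistency check in the spirit of Squid's host verification.

Added example (not Squid's or pfSense's code). For an intercepted request the
Host header must resolve to the destination IP the client connected to;
otherwise the request is flagged. `host_verify_strict` selects reject versus
forward-to-original-destination, mirroring the two settings in this ticket.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], Iterable[str]]

# Constructed forward-DNS table (RFC 5737 documentation addresses, not the
# real addresses of any service).
FAKE_DNS: Dict[str, List[str]] = {
    "music.apple.com": ["192.0.2.10", "192.0.2.11"],
    "is1-ssl.mzstatic.com": ["198.51.100.20"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for a forward DNS lookup."""
    return FAKE_DNS.get(name.lower(), [])


@dataclass
class InterceptedRequest:
    dst_ip: str        # address the client's TCP connection actually went to
    host_header: str   # Host header (or SNI) presented inside that connection
    url: str


@dataclass
class Verdict:
    verified: bool
    action: str        # "forward", "forward_to_original_dst" or "reject"
    detail: str


def split_host(host_header: str) -> str:
    """Strip an optional :port; keep bracketed IPv6 literals intact."""
    h = host_header.strip()
    if h.startswith("["):
        return h[1:h.index("]")]
    if h.count(":") == 1:          # name:port or v4:port
        return h.split(":", 1)[0]
    return h                       # bare name, or bare IPv6 with no port


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def verify_host(req: InterceptedRequest, resolver: Resolver = fake_resolver,
                host_verify_strict: bool = False) -> Verdict:
    """Does the presented Host resolve to the IP the client connected to?"""
    name = split_host(req.host_header)
    # An IP-literal Host must simply equal the destination; a name must resolve to it.
    addrs = {name} if _is_ip_literal(name) else set(resolver(name))
    if req.dst_ip in addrs:
        return Verdict(True, "forward", f"{name} resolves to {req.dst_ip}")
    detail = (f"Host header forgery detected: {name} does not resolve to "
              f"{req.dst_ip} (resolved: {sorted(addrs) or 'nothing'}) for {req.url}")
    if host_verify_strict:
        return Verdict(False, "reject", detail)
    # Non-strict: relay only to the original destination, never to the
    # forged name's own address, and do not cache the response.
    return Verdict(False, "forward_to_original_dst", detail)


def unverified_hosts_by_destination(reqs: Iterable[InterceptedRequest],
                                    resolver: Resolver = fake_resolver) -> Dict[str, List[str]]:
    """Group mismatching Host names by destination IP: the 'same IP, new host'
    pattern the reporter asks a proxy to surface."""
    out: Dict[str, List[str]] = {}
    for r in reqs:
        if not verify_host(r, resolver).verified:
            name = split_host(r.host_header)
            bucket = out.setdefault(r.dst_ip, [])
            if name not in bucket:
                bucket.append(name)
    return out


if __name__ == "__main__":
    sample = [  # constructed sample traffic
        InterceptedRequest("192.0.2.10", "music.apple.com", "https://music.apple.com/"),
        InterceptedRequest("192.0.2.10", "is1-ssl.mzstatic.com:443",
                           "https://is1-ssl.mzstatic.com/image/x.jpg"),
    ]
    for r in sample:
        print(verify_host(r, host_verify_strict=True))
    print(unverified_hosts_by_destination(sample))
```

Run as-is to see the second request (a different Host over the first request's destination IP) rejected under strict mode and reported by the grouping function; in a real deployment the resolver would be the proxy's DNS client, and the grouped output is what an admin would review to decide on block rules before, rather than after, repeated use.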
Updated by Marcos M about 1 year ago
- Subject changed from New Feature Request (Universal Procedure Pointers) UPP detections inside of Squid needed to Add GUI option for host_verify_strict
- Priority changed from Normal-package to Low
This seems related:
https://redmine.pfsense.org/issues/14390
Keep in mind that a report on the forum mentions that host_verify_strict did not resolve the issue there.
Updated by Jonathan Lee about 1 year ago
I wish it did resolve this. Thanks for the information. I will keep researching.
Updated by Mike Moore about 1 year ago
Marcos, the problem is that the Squid package is not respecting the host strict setting. The package is broken in that regard. Updated notes in the case you mentioned.
Updated by Marcos M about 1 year ago
- Is duplicate of Bug #14390: Squid: SECURITY ALERT: Host header forgery detected added