
Multiple Vulnerabilities in Cisco Secure Desktop

Glad we didn’t buy into this product at my day job. But, then again it’s always a dice game when playing with the new and shiny.

Details

The Cisco Secure Desktop (CSD) seeks to minimize data from being left behind after an SSL VPN session terminates. In particular, CSD works to reduce, via encryption, the risk that cookies, browser history, temporary files, and downloaded content remain on a system after a remote user logs out or an SSL VPN session times out.

CSD is affected by the following vulnerabilities:

Information Leakage via Spawned Browser

This vulnerability occurs when the Internet browser that is automatically spawned to display a home page after an SSL VPN session is established uses a directory outside of the vault maintained by CSD to store its session information, i.e. browser cache (also known as “temporary Internet files”), history, cookies, etc. This also allows users to save files downloaded during this Internet browsing session to outside of the CSD vault, which would result in unencrypted files remaining in the system after the SSL VPN connection terminates.

Please note that this vulnerability only occurs when the Cisco SSL VPN Client is configured to spawn a home page after a successful connection. Spawning a home page after a successful connection is not enabled by default.

This vulnerability is documented by Cisco Bug ID CSCsg05935 (registered customers only) — SVC’s spawned browser saves to nonsecure desktop.

System Policy Evasion

This vulnerability allows users to switch between the Secure Desktop and the Local (nonsecure) Desktop when using certain applications that attempt to switch to the default desktop. This can occur even when the system administrator has configured CSD to prevent switching between the Secure Desktop and the Local Desktop.

This vulnerability is documented by Cisco Bug ID CSCsg11636 (registered customers only) — Applications that switch to the default desktop cause CSD to minimize.

Local Privilege Escalation

The default permissions of the directory where CSD is installed, and its parent directory, allow any user to modify the contents of a CSD installation, including renaming, deleting and overwriting files. Unprivileged users can make use of this to elevate their privilege and obtain LocalSystem-equivalent privileges by replacing certain CSD executables that are run as system services and with LocalSystem privileges.

CSD is installed by default into the directory %SystemDrive%\Program Files\Cisco Systems\Secure Desktop\.

Note: %SystemDrive% is a Microsoft Windows environment variable that holds the drive that Windows was installed to. Normally, Windows is installed in the first hard disk and therefore %SystemDrive% is usually C:.

Please note that there are other Cisco products that install their files in a directory under %SystemDrive%\Program Files\Cisco Systems\. When these products are installed they normally inherit the permissions from the parent directory (%SystemDrive%\Program Files\Cisco Systems\). Therefore, as a side effect of this vulnerability in CSD, other products may be affected if they are installed after a vulnerable version of CSD is installed.
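
One way to check a host for the condition described under Local Privilege Escalation, as an added example that is not part of the advisory or of Cisco's tooling: it lists write-capable ACEs held by broad groups on the default install directory, its parent, and any service executables beneath it. The function name Get-WeakAce and the set of SIDs treated as "any user" are assumptions made for this example.

```powershell
# Added example, not Cisco's code. Paths are the defaults named in the advisory.
$parent = Join-Path $env:SystemDrive 'Program Files\Cisco Systems'
$csdDir = Join-Path $parent 'Secure Desktop'

# Assumption: these well-known SIDs stand in for "any user".
$broadSids = @(
    'S-1-1-0'       # Everyone
    'S-1-5-11'      # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Rights that allow renaming, deleting or overwriting, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# inherit-only ACEs can carry.
$names = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask  = [int][System.Security.AccessControl.FileSystemRights]$names -bor 0x50000000

function Get-WeakAce {
    param([string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        if (-not $p -or -not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Executables of services registered under the CSD directory: candidates for
# the service binaries the advisory describes.
$svcExe = @(Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*\Cisco Systems\Secure Desktop\*' } |
    ForEach-Object { if ($_.PathName -match '^"?(.+?\.exe)') { $Matches[1] } })

Get-WeakAce -Path (@($parent, $csdDir) + $svcExe) | Format-Table -AutoSize
```

No output means none of the listed principals holds a write-capable ACE on those paths. Rows marked as inherited on the parent directory are the case the advisory warns will carry over to other products installed beneath it.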
