From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 10 Oct 2006 09:56:06 +0200
Subject: [NT] Limitations in Cisco Secure Desktop
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20061010091312.74C9A576F@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Limitations in Cisco Secure Desktop
------------------------------------------------------------------------
SUMMARY
Cisco has been made aware of limitations in the Cisco Secure Desktop (CSD)
product which may cause information accessed or produced during an SSL VPN
session to be left outside of the Secure Desktop environment.
There are no identified fixes, but there are some workarounds that can
help mitigate some of these limitations.
DETAILS
Affected Products:
The limitations described in this advisory exist in all versions of the
Cisco Secure Desktop product.
Details:
The Cisco Secure Desktop (CSD) seeks to minimize data from being left
behind after an SSL VPN session terminates. In particular, CSD works to
reduce, via encryption, the risk that cookies, browser history, temporary
files, and downloaded content remain on a system after a remote user logs
out or an SSL VPN session times out.
Cisco has been made aware of the following limitations in CSD that may
cause data accessed or produced during an SSL VPN session to be left
outside of the Secure Desktop environment:
Information Leakage via Windows Paging File:
This limitation is the inability to prevent data from leaking to the
Windows virtual memory file, which is commonly referred to as the paging
file and is called pagefile.sys. This file is normally located in the root
directory of the hard drive where Windows is installed, but it can also be
a group of files stored in various locations, across hard disks and
partitions.
The paging file is used to store the contents of physical memory that have
been swapped out by the Windows kernel when there is pressure to provide
additional physical memory for some application, and no physical memory is
available. In this case, the Windows kernel swaps out memory used by idle
processes to the paging file and gives the de-allocated memory to the
application that is asking for more memory.
As a consequence of how the Windows virtual memory subsystem operates, the
physical memory contents used by any application, including those running
in a Secure Desktop, may end up in the paging file. The Windows paging
file stores "paged out" physical memory contents without encryption, and
therefore information "paged out" by the operating system may be recovered
using data forensic tools. Because of this process, CSD may not be able to
remove from the system all data produced and accessed during the SSL VPN
session after the VPN session terminates.
This item is not a CSD product defect. It is, rather, a CSD product
limitation resulting from how the Microsoft Windows operating system
interacts with applications.
Some possible workarounds may be an option when users have administrative
rights to their systems, as discussed in the Workarounds section.
Document Recovery via Windows Printer Spool Files:
This limitation consists of an inability of CSD to prevent the recovery of
files used during an SSL VPN session. If the files have been printed, then
they can be recovered via the printer spool files, which are usually
stored in the directory C:\WINDOWS\system32\spool\PRINTERS\ and have .SPL
extensions. These files are short-lived because they are deleted after
they have been successfully sent to the printer. However, if there are
printing problems, or if data forensic methods are applied to the hard
drive, they can be recovered.
For additional security, CSD provides an administrator-configurable option
that works to prevent printing from within a CSD session. This option is
disabled by default.
Inability to Detect Hardware Keystroke Loggers:
This limitation consists of an inability to detect hardware keyloggers
which may be installed on the system on which CSD is running. This
limitation stems from the inability of an operating system to detect the
presence of devices that do not identify themselves, or that deliberately
misrepresent their device class.
Impact:
The impact of the CSD limitations described in this advisory is that
information may be left behind on a computer after an SSL VPN session
terminates and after CSD has attempted to clean up all traces of the data
accessed or produced during the SSL VPN session.
Workarounds:
Information Leakage via Windows Paging File
The "Information Leakage via Windows Paging File" limitation can be
mitigated by configuring Windows to clear the paging file at shutdown.
Instructions on how to configure this are available at:
<http://support.microsoft.com/kb/314834/EN-US/>;
http://support.microsoft.com/kb/314834/EN-US/ (Windows XP)
<http://support.microsoft.com/kb/182086/EN-US/>;
http://support.microsoft.com/kb/182086/EN-US/ (Windows 2000)
Please note that this is an option only when administrative access to the
Windows system is available.
Document Recovery via Windows Printer Spool Files
For the "Document Recovery via Windows Printer Spool Files" limitation,
configuring CSD to prevent users from printing from within the Secure
Desktop will help mitigate the limitation. For information on how to do
this please refer to the Cisco Secure Desktop Configuration Guide,
available at:
<http://www.cisco.com/en/US/products/ps6742/products_configuration_guide_chapter09186a00805f9f42.html#wp1041681> http://www.cisco.com/en/US/products/ps6742/products_configuration_guide_chapter09186a00805f9f42.html#wp1041681
Inability to Detect Hardware Keystroke Loggers
There are no workarounds for the inability to detect hardware keyloggers.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20061009-csd.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20061009-csd.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
