Cisco Security Advisory: Limitations in Cisco Secure Desktop

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: Limitations in Cisco Secure Desktop
============================================================

Advisory ID: cisco-sa-20061009-csd

http://www.cisco.com/warp/public/707/cisco-sa-20
061009-csd.shtml

Revision 1.0

For Public Release 2006 October 09 1600 UTC (GMT)

+-----------------------------------------------------------
-------------------

Summary
=======

Cisco has been made aware of limitations in the Cisco Secure
Desktop (CSD)
product which may cause information accessed or produced
during an SSL VPN
session to be left outside of the Secure Desktop
environment.

There are no identified fixes, but there are some
workarounds that can help
mitigate some of these limitations.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-2
0061009-csd.shtml.

Affected Products
=================

The limitations described in this advisory exist in all
versions of the Cisco
Secure Desktop product.

Details
=======

The Cisco Secure Desktop (CSD) seeks to minimize data from
being left behind
after an SSL VPN session terminates. In particular, CSD
works to reduce, via
encryption, the risk that cookies, browser history,
temporary files, and
downloaded content remain on a system after a remote user
logs out or an SSL
VPN session times out.

Cisco has been made aware of the following limitations in
CSD that may cause
data accessed or produced during an SSL VPN session to be
left outside of the
Secure Desktop environment:

Information Leakage via Windows Paging File
+------------------------------------------

This limitation is the inability to prevent data from
leaking to the Windows
virtual memory file, which is commonly referred to as the
paging file and is
called pagefile.sys. This file is normally located in the
root directory of the
hard drive where Windows is installed, but it can also be a
group of files
stored in various locations, across hard disks and
partitions.

The paging file is used to store the contents of physical
memory that have been
swapped out by the Windows kernel when there is pressure to
provide additional
physical memory for some application, and no physical memory
is available. In
this case, the Windows kernel swaps out memory used by idle
processes to the
paging file and gives the de-allocated memory to the
application that is asking
for more memory.

As a consequence of how the Windows virtual memory subsystem
operates, the
physical memory contents used by any application, including
those running in a
Secure Desktop, may end up in the paging file. The Windows
paging file stores
"paged out" physical memory contents without
encryption, and therefore
information "paged out" by the operating system
may be recovered using data
forensic tools. Because of this process, CSD may not be able
to remove from the
system all data produced and accessed during the SSL VPN
session after the VPN
session terminates.

This item is not a CSD product defect. It is, rather, a CSD
product limitation
resulting from how the Microsoft Windows operating system
interacts with
applications.

Some possible workarounds may be an option when users have
administrative
rights to their systems, as discussed in the Workarounds
section.

Document Recovery via Windows Printer Spool Files
+------------------------------------------------

This limitation consists of an inability of CSD to prevent
the recovery of
files used during an SSL VPN session. If the files have been
printed, then they
can be recovered via the printer spool files, which are
usually stored in the
directory C:WINDOWSsystem32spoolPRINTERS and have .SPL
extensions. These
files are short-lived because they are deleted after they
have been
successfully sent to the printer. However, if there are
printing problems, or
if data forensic methods are applied to the hard drive, they
can be recovered.

For additional security, CSD provides an
administrator-configurable option that
works to prevent printing from within a CSD session. This
option is disabled by
default.

Inability to Detect Hardware Keystroke Loggers
+---------------------------------------------

This limitation consists of an inability to detect hardware
keyloggers which
may be installed on the system on which CSD is running. This
limitation stems
from the inability of an operating system to detect the
presence of devices
that do not identify themselves, or that deliberately
misrepresent their device
class.

Impact
======

The impact of the CSD limitations described in this advisory
is that
information may be left behind on a computer after an SSL
VPN session
terminates and after CSD has attempted to clean up all
traces of the data
accessed or produced during the SSL VPN session.

Software Version and Fixes
==========================

There are no fixes for the limitations described in this
advisory.

Workarounds
===========

Information Leakage via Windows Paging File
+------------------------------------------

The "Information Leakage via Windows Paging File"
limitation can be mitigated
by configuring Windows to clear the paging file at shutdown.
Instructions on
how to configure this are available at:

http://
support.microsoft.com/kb/314834/EN-US/ (Windows XP)

http://
support.microsoft.com/kb/182086/EN-US/ (Windows 2000)

Please note that this is an option only when administrative
access to the
Windows system is available.

Document Recovery via Windows Printer Spool Files
+------------------------------------------------

For the "Document Recovery via Windows Printer Spool
Files" limitation,
configuring CSD to prevent users from printing from within
the Secure Desktop
will help mitigate the limitation. For information on how to
do this please
refer to the Cisco Secure Desktop Configuration Guide,
available at:

ht
tp://www.cisco.com/en/US/products/ps6742/products_configurat
ion_guide_chapter09186a00805f9f42.html#wp1041681

Inability to Detect Hardware Keystroke Loggers
+---------------------------------------------

There are no workarounds for the inability to detect
hardware keyloggers.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or
malicious use of
the limitations described in this advisory.

The issues described in this advisory were discovered by a
Cisco partner,
ManTech International Corporation, as part of a product
security evaluation
commissioned by Cisco.

The "Information Leakage via Paging file"
limitation was also independently
reported to Cisco by Rick Patterson, Information Security
Group at Sidley
Austin LLP.

Cisco would like to thank them for reporting these issues to
us.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND
DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE
DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this
document that omits the
distribution URL in the following section is an uncontrolled
copy, and may lack
important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20
061009-csd.shtml

In addition to worldwide web posting, a text version of this
notice is
clear-signed with the Cisco PSIRT PGP key and is posted to
the following e-mail
and Usenet news recipients.

  * cust-security-announcecisco.com
  * first-teamsfirst.org
  * bugtraqsecurityfocus.com
  * vulnwatchvulnwatch.org
  * ciscospot.colorado.edu
  * cisco-nsppuck.nether.net
  * full-disclosurelists.grok.org.uk
  * comp.dcom.sys.cisconewsgate.cisco.com

Future updates of this advisory, if any, will be placed on
Cisco's worldwide
website, but may or may not be actively announced on mailing
lists or
newsgroups. Users concerned about this problem are
encouraged to check the
above URL for any updates.

Revision History
================

+---------------------------------------------+
| Revision | 2006-October-09 | Initial public |
| 1.0      |                 | release.       |
+---------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products,
obtaining assistance with security incidents, and
registering to receive
security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/produ
cts/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security
notices. All Cisco security advisories are available at 
http://www.cisco.com/g
o/psirt.

+-----------------------------------------------------------
-------------------
All contents are Copyright 1992-2006 Cisco Systems, Inc. All
rights reserved.
+-----------------------------------------------------------
-------------------

Updated: Oct 09, 2006                                       
Document ID: 71723

+-----------------------------------------------------------
-------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFKnGm8NUAbBmDaxQRAjbqAJ4sHJEZblRrJu6WwVHhWvJGItASHgCg
m2c8
vMdOVYnKPfmU2bqkXdwT84A=
=zPli
-----END PGP SIGNATURE-----