Products & Services

Document ID: 71723

Advisory ID: cisco-sa-20061009-csd

http://www.cisco.com/warp/public/707/cisco-sa-20061009-csd.shtml

Revision 1.0

For Public Release 2006 October 09 1600 UTC (GMT)

Contents

Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary

Cisco has been made aware of limitations in the Cisco Secure Desktop (CSD) product which may cause information accessed or produced during an SSL VPN session to be left outside of the Secure Desktop environment.

There are no identified fixes, but there are some workarounds that can help mitigate some of these limitations.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20061009-csd.shtml.

Affected Products

This section provides details on affected products.

Vulnerable Products

The limitations described in this advisory exist in all versions of the Cisco Secure Desktop product.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The Cisco Secure Desktop (CSD) seeks to minimize data from being left behind after an SSL VPN session terminates. In particular, CSD works to reduce, via encryption, the risk that cookies, browser history, temporary files, and downloaded content remain on a system after a remote user logs out or an SSL VPN session times out.

Cisco has been made aware of the following limitations in CSD that may cause data accessed or produced during an SSL VPN session to be left outside of the Secure Desktop environment:

Information Leakage via Windows Paging File

This limitation is the inability to prevent data from leaking to the Windows virtual memory file, which is commonly referred to as the paging file and is called pagefile.sys. This file is normally located in the root directory of the hard drive where Windows is installed, but it can also be a group of files stored in various locations, across hard disks and partitions.

The paging file is used to store the contents of physical memory that have been swapped out by the Windows kernel when there is pressure to provide additional physical memory for some application, and no physical memory is available. In this case, the Windows kernel swaps out memory used by idle processes to the paging file and gives the de-allocated memory to the application that is asking for more memory.

As a consequence of how the Windows virtual memory subsystem operates, the physical memory contents used by any application, including those running in a Secure Desktop, may end up in the paging file. The Windows paging file stores "paged out" physical memory contents without encryption, and therefore information "paged out" by the operating system may be recovered using data forensic tools. Because of this process, CSD may not be able to remove from the system all data produced and accessed during the SSL VPN session after the VPN session terminates.

This item is not a CSD product defect. It is, rather, a CSD product limitation resulting from how the Microsoft Windows operating system interacts with applications.

Some possible workarounds may be an option when users have administrative rights to their systems, as discussed in the Workarounds section.

Document Recovery via Windows Printer Spool Files

This limitation consists of an inability of CSD to prevent the recovery of files used during an SSL VPN session. If the files have been printed, then they can be recovered via the printer spool files, which are usually stored in the directory C:\WINDOWS\system32\spool\PRINTERS\ and have .SPL extensions. These files are short-lived because they are deleted after they have been successfully sent to the printer. However, if there are printing problems, or if data forensic methods are applied to the hard drive, they can be recovered.

For additional security, CSD provides an administrator-configurable option that works to prevent printing from within a CSD session. This option is disabled by default.

Inability to Detect Hardware Keystroke Loggers

This limitation consists of an inability to detect hardware keyloggers which may be installed on the system on which CSD is running. This limitation stems from the inability of an operating system to detect the presence of devices that do not identify themselves, or that deliberately misrepresent their device class.

Impact

The impact of the CSD limitations described in this advisory is that information may be left behind on a computer after an SSL VPN session terminates and after CSD has attempted to clean up all traces of the data accessed or produced during the SSL VPN session.

Software Version and Fixes

There are no fixes for the limitations described in this advisory.

Workarounds

Information Leakage via Windows Paging File

The "Information Leakage via Windows Paging File" limitation can be mitigated by configuring Windows to clear the paging file at shutdown. Instructions on how to configure this are available at:

http://support.microsoft.com/kb/314834/EN-US/ (Windows XP)

http://support.microsoft.com/kb/182086/EN-US/ (Windows 2000)

Please note that this is an option only when administrative access to the Windows system is available.

Document Recovery via Windows Printer Spool Files

For the "Document Recovery via Windows Printer Spool Files" limitation, configuring CSD to prevent users from printing from within the Secure Desktop will help mitigate the limitation. For information on how to do this please refer to the Cisco Secure Desktop Configuration Guide, available at:

http://www.cisco.com/en/US/products/ps6742/products_configuration_guide_chapter09186a00805f9f42.html#wp1041681

Inability to Detect Hardware Keystroke Loggers

There are no workarounds for the inability to detect hardware keyloggers.

Obtaining Fixed Software

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third-party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

• +1 800 553 2447 (toll free from within North America)
  
• +1 408 526 7209 (toll call from anywhere in the world)
  
• e-mail: tac@cisco.com
  

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the limitations described in this advisory.

The issues described in this advisory were discovered by a Cisco partner, ManTech International Corporation, as part of a product security evaluation commissioned by Cisco.

The "Information Leakage via Paging file" limitation was also independently reported to Cisco by Rick Patterson, Information Security Group at Sidley Austin LLP.

Cisco would like to thank them for reporting these issues to us.

Status of this Notice: FINAL

Distribution

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20061009-csd.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

• cust-security-announce@cisco.com
  
• first-teams@first.org
  
• bugtraq@securityfocus.com
  
• vulnwatch@vulnwatch.org
  
• cisco@spot.colorado.edu
  
• cisco-nsp@puck.nether.net
  
• full-disclosure@lists.grok.org.uk
  
• comp.dcom.sys.cisco@newsgate.cisco.com
  

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.