OpenConnect Cisco VPN



The CSD ('Cisco Secure Desktop') mechanism is a security scanner for the Cisco AnyConnect VPNs, in the same vein as Juniper's Host Checker (tncc.jar) and GlobalProtect's HIP.

Background

The 'Cisco Secure Desktop' is a bit of a misnomer — it works by downloading a trojan binary from the server and running it on your client machine to perform some kind of 'verification' and post its approval back to the server. This seems anything but secure to me, especially given their history of trivially-exploitable bugs.

It's also fairly easy to subvert, by running your own modified binary instead of the one you download from the server, or by running their binary but poking at it with gdb.

We support this idiocy, but because of the security concerns the trojan will be executed only if a userid is specified on the command line using the --csd-user= option, or the --csd-wrapper= option is used to handle the script in a 'safe' manner.

This support currently only works when the server has a Linux binary installed, and only when that Linux binary runs on the client machine.

OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been extended to support the Juniper SSL VPN, now known as Pulse Connect Secure; support for Palo Alto's GlobalProtect is planned, as is, naturally, support for OpenConnect's own server. Cisco AnyConnect itself provides always-on VPN connectivity for devices on the company network, collects user and endpoint behaviour data, and restricts network access to permitted devices; the CSD/HostScan check described on this page is the endpoint-posture part of that. An OpenConnect VPN server (ocserv), which implements an improved version of the Cisco AnyConnect protocol, has also been written. OpenConnect is released under the GNU Lesser General Public License, version 2.1.

Hi, does Cisco ASA support VPN connection from the OpenConnect client? I have a very simple configuration and everything seems OK: 'Device completed SSL handshake with client outside:X.X.X.X/9553 to X.X.X.X/443 for TLSv1.2 session', but the next message is 'SSL session with client outside:X.X.X.X/9553 to.

We are running Linux RHEL 7.4 with OpenConnect to connect to our ASA over SSL VPN. Since hostscan 4.3.05038 and onwards with fix CSCub32322: 'cstub should validate server certificates for a ssl connection' we no longer are able to run cstub. If we run with Cisco's AnyConnect everything works fine, bu.

CSD support in OpenConnect

OpenConnect supports running the CSD binary, or spoofing its behaviour, by passing the --csd-wrapper=SCRIPT argument with a shell script.

The OpenConnect distribution includes two alternative scripts to support the execution or spoofing of the CSD behaviour, in the trojans/ subdirectory:

  • csd-wrapper.sh: This script accepts the same options as some versions of the CSD trojan binary (-ticket, -stub, -group, -certhash, -url, -langselen), downloads the files required by the binary, and then wraps the execution of the cstub binary. Because of the security dangers of executing a server-provided trojan binary, this script should ideally be executed with the permissions of a low-privilege user (e.g. --csd-user=nobody --csd-wrapper=trojans/csd-wrapper.sh).
  • csd-post.sh: This script does not actually run the CSD trojan binary. Instead, it emulates the behaviour of the CSD trojan, creating a plaintext report similar to the one the CSD trojans build, and uploading it to the server at the URL the VPN gateway supplies. The report may need to be customized in order to be accepted by some servers; the hostscan-bypass tool may help with this. Because this script does not execute a trojan binary, and because everything it sends is visible in the script, the security concerns are greatly alleviated.