Cisco Secure Desktop

The CSD ('Cisco Secure Desktop') mechanism is a security scanner for the Cisco AnyConnect VPNs, in the same vein as Juniper's Host Checker (tncc.jar) and GlobalProtect's HIP.

Background

The 'Cisco Secure Desktop' is a bit of a misnomer — it works by downloading a trojan binary from the server and running it on your client machine to perform some kind of 'verification' and post its approval back to the server. This seems anything but secure to me, especially given their history of trivially-exploitable bugs.

It's also fairly easy to subvert, by running your own modified binary instead of the one you download from the server. Or by running their binary but poking at it with gdb.

We support this idiocy, but because of the security concerns the trojan will be executed only if a userid is specified on the command line using the --csd-user= option, or the --csd-wrapper= option is used to handle the script in a 'safe' manner.

This support currently only works when the server has a Linux binary installed, and only when that Linux binary runs on the client machine.

CSD support in OpenConnect

OpenConnect supports running the CSD binary, or spoofing its behaviour, by passing the --csd-wrapper=SCRIPT argument with a shell script.

The OpenConnect distribution includes two alternative scripts to support the execution or spoofing of the CSD behaviour, in the trojans/ subdirectory: