[Anyconnect] Circumventing Host Scan seems to be quite easy

jer0nim0x
Level 1

Hey,

It seems you can just use some other SSL VPN client and/or post any result you like to the ASA.
Also, endpoint attributes you might be using in your DAP are stored for everyone to see at this URL: https://$VPNGW/CACHE/sdesktop/data.xml
Just read this: https://gilks.github.io/post/cisco-hostscan-bypass/
This doesn't actually inspire confidence.

What do you think?

5 Replies

Cristian Matei
VIP Alumni

Hi,


I agree with you, and at the same time, by working with other vendors that implemented Host Scan many years ago, Juniper for example, there were many drawbacks, and ways to bypass it. Host Scan, as a standalone function, has been obsolete for a long time now; it was designed for clientless SSL VPN sessions and it provided some level of security like 10 years ago. We have to understand that this feature, as standalone, is deprecated today. There has always been a difficult balance to achieve between having security at a certain level, without having an agent deployed on the end device.

And we must not forget that in the end, your security policy is as strong as your weakest point in the chain. The moment the user has full privilege on his PC, your overall security is drastically reduced, as even though he may not do something by intention, something else (a disguised attack) may use his privilege on the device to perform certain actions.
Regards,

Cristian Matei.
I see. From what I found out, Host Scan is the only thing that remains for now from a solution called Secure Desktop which is no longer available.
But when you talk about an agent, can't Anyconnect in itself be considered the agent? It should at least be able to transmit its scanning results to the appliance in a secure way.
Probably you'd have to put more dollars on the table for such "features" (I'd actually consider them basic requirements): I see Anyconnect has many modules, like Posture and the like, and you'd probably need to use those, which probably require a lot more equipment and software on the gateway's end.

Hi,
Yes, if you would use AnyConnect (which is an agent), things will be different: all data is being sent through the VPN tunnel, as posture is done after successful VPN connection, as opposed to standalone Host Scan, which is performed before the VPN tunnel is built, thus not being secure. And, as said, any clientless implementation suffers from the inherent flaws of being clientless; for this reason it's no longer used.

More bucks on the table means an increased level of security. Look towards AnyConnect and its entire attached ecosystem; it can do a lot.
Regards,

Cristian Matei.

I forgot to mention that this is in fact solely about Anyconnect. That's because I forgot that Cisco uses the terms "SSL VPN" or "WebVPN" for both Anyconnect as well as clientless. Oh well.... :)

In any case Host Scan seems to be totally insecure no matter if you use Anyconnect or clientless (the Java apps/ActiveX), since they both seem to implement the same insecure mechanism that can be easily spoofed.

(Note: We have given up Clientless SSL VPN a long time ago since other manufacturers like Pulse Secure provide way more interesting solutions.)

Hi,
When using AnyConnect, you have the option to use the ISE Posture Module instead of the Host Scan functionality; that information is sent securely, after the session gets established, but you need ISE for that.
Regards,

Cristian Matei.