CSA_5_2_0_272_readme.txt

ReadMe file for CSA v5.2.0.272
Cisco Systems, Inc.
Cisco Security Agent v5.2.0.272 for Cisco Security Agent
October 20, 2008

Copyright (C) 2007, 2008 Cisco Systems, Inc. All rights reserved. Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the properties of their registered owners.

================================================================================
Table of Contents
================================================================================

1. 5.2.0 Update Details
   1.1  Installation Notes
   1.2  Resolved Issues in 5.2.0.210 (First official hotfix release - Jun 14, 2007)
   1.3  Resolved Issues in 5.2.0.225 (Second official hotfix release - Aug 01, 2007)
   1.4  Resolved Issues in 5.2.0.238 (Third official hotfix release - Nov 07, 2007)
   1.5  Resolved Issues in 5.2.0.245 (Fourth official hotfix release - Dec 21, 2007)
   1.6  Resolved Issues in 5.2.0.262 (Fifth official hotfix release - Jun 04, 2008)
   1.7  Resolved Issues in 5.2.0.263 (Sixth official hotfix release - Jun 06, 2008)
   1.8  Resolved Issues in 5.2.0.272 (Seventh official hotfix release - Oct 20, 2008)
   1.9  Known Issue of Importance in 5.2.0.272
   1.10 Additional Instructions for New Enhancements
        1.10.1 Additional LDAP configurations available for CSAMC login authentication
        1.10.2 Additional local variable resolution to support OEM standalone agents
2. Cisco Security Agent Management Center (CSA MC) Update Instructions - Upgrading
3. Port Usage Information

===============================================================================
1. 5.2.0 Update Details
===============================================================================

1.1 Installation Notes:

5.2.0.203: - First customer release - April 02, 2007

*#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#*
Please note that every hotfix package is a full media release. Initial installation of the current hotfix on a clean CSAMC system does NOT require an instance of the 5.2.0.203 FCS version to be upgraded. Only an install of the latest package is required to establish a fully functional CSAMC. If an existing version of CSAMC is present on the system, the hotfix package will update that version. Please consult the CSA Installation Guide for further detail on upgrades.
*#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#* *#*#*#*#*

===============================================================================
1.2 Resolved Issues in 5.2.0.210 (First official hotfix release - June 14, 2007)
------------------------------------------
5.2.0.210: - First OFFICIAL Hotfix release
------------------------------------------
Hotfix 5.2.0.210 addressed the following issues:

Defect      Description
------      -----------
CSCsh81611  laptop crash after changing headset
CSCsi20437  server reboot when NIC failover occurs
CSCsi31462  False Pos: Global Event Correlation triggers on non Virus AV event
CSCsi45909  The libuser.dll has lost its version number
CSCsi47438  machine BSOD with CSA and Windows 2003 SP2
CSCsi47486  memory leak found by internal Cisco group
CSCsi47494  Application Investigation unknown application mapping fails
CSCsi49030  CSAMC 5.2 - product assoc reporting broken
CSCsi49644  incompatibility between CSA and netmotion
CSCsi55684  Windows Buffer Overflow wizard is partially broken
CSCsi56817  System API Control rule save fails when target app is selected
CSCsi57040  Migration fails if alert points to event set with broken references
CSCsi57199  SAS Raid drives marked as removable SCSI devices.
CSCsi58539  Okclient fails to launch on a remote session
CSCsi66098  Getting this error load_rules: failed to compile agent rule file
CSCsi67295  Host managing task fails when rule generation takes more than 5 minutes
CSCsi76123  realpath() in Linux libc does not work with CSA buffer overflow library
CSCsi86031  call manager 7845 crashes due to stack overflow in net shim
CSCsi88709  remote db install will fail first time for post SP1 SQL 2005 databases
CSCsi90002  warning for pre-hotfix 2153 db should not happen for remote db
CSCsi90010  drop database failure during uninstallation of CSAMC not logged
CSCsi98106  after csa install upon reboot flag not appearing on NT4
CSCsj00328  Event Wizard cannot handle 'Wifi'

===============================================================================
1.3 Resolved Issues in 5.2.0.225 (Second official hotfix release - August 1, 2007)
-------------------------------------------
5.2.0.225: - Second OFFICIAL Hotfix release
-------------------------------------------
Hotfix 5.2.0.225 addressed the following issues:

Defect      Description
------      -----------
CSCsg88244  rule request has been submitted to the Rule Engine the maximum number
CSCsh30816  turning off MC agent security denied after correct challenge response
CSCsi50901  CSA 5.2 Docs should indicate prepare_xx_migration tool must run from cli
CSCsi68438  The InstallShield engine (ikernel.exe) could not be launched
CSCsi91257  Improperly Identified Untrusted Rootkits
CSCsj00098  Internal server error when launching MC with 'remember last page'
CSCsj13373  Getting Error - when using wizard to generate rules.
CSCsj16490  setup.iss file shows csa version 4.5
CSCsj18283  Internal SQL Server error from the MC log
CSCsj25919  Application Deployment Product Association Reports - broken link
CSCsj40730  CSA preventing 'ifmember' cmd from quickly accessing AD
CSCsj41858  Error: LDAP Configuration cannot have embedded spaces
CSCsj42101  CSA causing the W2k3 server to BSOD
CSCsj49666  CSA Wizard process is not working
CSCsj51109  Host details listed erroneous information.
CSCsj51541  CSA agent cannot upgrade to CSA 5.2 running Win2003 R2 SP2
CSCsj62670  Some online help links broken
CSCsj62954  CSAMC: Find Similar Events link logs user out of MC
CSCsj63031  Errors in report viewer
CSCsj64269  Memory could not be read error when launching application via softgrid
CSCsj65845  Error viewing html report
CSCsj66753  Unable to log in with Appclass page as last visited
CSCsj67029  WMI/SMS tools fail to function
CSCsj67038  Firefox as MC causes log out when changing event filter
CSCsj68382  CSAMC LDAP configuration does not support LDAPS API
CSCsj68776  rule explanation hangs when there are too many literals in group
CSCsj70876  Invalid session error opening diagnostic upload link
CSCsj71117  CSAMC: User logged out using search-Variables-Replace
CSCsj76375  CSA v5.2 install issue with Solaris 9 on Fujitsu PM 450 server

===============================================================================
1.4 Resolved Issues in 5.2.0.238 (Third official hotfix release - November 7, 2007)
-------------------------------------------
5.2.0.238: - Third OFFICIAL Hotfix release
-------------------------------------------
Hotfix 5.2.0.238 addressed the following issues:

Defect      Description
------      -----------
CSCeh39315  csa_vpn.dll should cover when security level is turned off w/AYT
CSCsj06399  CSA install command line switch to set SystemPages registry value
CSCsj09770  CSA caused Citrix servers to BSOD
CSCsj29041  CSA 5.2.0.203 crashes when installed on rhel4 server
CSCsj72360  CSA: Cannot install CSAMC when install pathname contains spaces
CSCsj82283  'Terminate' popup query has formatting error in button
CSCsj90011  CSAMC 5.2 reports do not support Named Instance for remote DB
CSCsj97376  LDAP configuration gets wiped out after upgrade
CSCsk01272  CCM experiencing degraded softirq and cpu utilization.
CSCsk07395  CSA Agent UI Control Rules Do Not Observe System States
CSCsk10317  Wireless\adhoc does not work after agent restart
CSCsk17812  BSOD when access to Microsoft RMS (Rights Management Server) is lost
CSCsk17915  CSA needs a registry switch to turn trace snapshot feature off
CSCsk38861  when CSA tries to stop a stopped process, causes Kernel Panic
CSCsk41394  Dead link referring SET function locator for rootkit detect state event
CSCsk46598  Admins are allowed to disable CSA from the hardware profile setting.
CSCsk47486  CSA drops IPSEC/ESP packets
CSCsk51133  Rule generation performance degrades after migration
CSCsk55961  CSA: Okclient error with untrusted apps page
CSCsk76380  5.1 crystal report not working after upgrade to 5.2 on same machine
CSCsk76435  Event Wizard created a generic rule from a specific event
CSCsk76471  An API allow rule based on a specific function does not allow function
CSCsk84929  incorrect tagging of non linear skbs resulting in runt packet msgs
CSCsk91057  Restore from backup fails

===============================================================================
1.5 Resolved Issues in 5.2.0.245 (Fourth official hotfix release - December 21, 2007)
-------------------------------------------
5.2.0.245: - Fourth OFFICIAL Hotfix release
-------------------------------------------
Hotfix 5.2.0.245 addressed the following issues:

Defect      Description
------      -----------
CSCsi00295  OS crashes or hangs due to bad csa driver code
CSCsj18283  Internal SQL Server error from the MC log
CSCsk50326  BufferOverFlow detection - excessive trigger due to custom dotnet apps
CSCsk81349  Enhancement - add variable resolution on target host.
CSCsl12456  ciscosecui triggers an Installation in Progress event when activated
CSCsl34196  More than 3900 characters in local variable feature caused sql error
CSCsl35138  stack overflow leads to dropped SYN-ACKs
CSCsl37626  Leventmgr goes down upon receipt of invalid boot log data
CSCsl41817  Double colon strings prevent CSA MC object save
CSCsl46606  CSA 5.2 - csadiags - corrupted .evt files included in zip
CSCsl48034  CSA does not detect crafted port scan on Redhat 3
CSCsl54896  unexpected outgoing packet in recv path leads to covert channel event
CSCsl59623  CSA hang with csauser.dll and Ricoh PA5 software installed
CSCsl34925  CSA - csauser.dll conflict with EMC IRM add-ons

===============================================================================
1.6 Resolved Issues in 5.2.0.262 (Fifth official hotfix release - June 04, 2008)
-----------------------------------------------------------
5.2.0.262: - Fifth OFFICIAL Hotfix release - June 4, 2008
-----------------------------------------------------------
Hotfix 5.2.0.262 addressed the following issues:

Defect      Description
------      -----------
CSCso35645  Version number migration on upgrades may fail
CSCso02403  Agent machine BSOD with reference csacentr - driver locking issue
CSCsl73308  ClientGui triggers multiple security disable/enable events
CSCsm60185  Fix repetitive function calls when using OkStatusIsDeny() macro
CSCsm24098  SQL Server deadlock prevents status summary display
CSCsq19576  Incorrect resolution of network share files.
CSCsk55890  CSA MC Status Summary page fails after unchecking the Reminder Window
CSCsm36631  Agent ui - recreate of icon failed error in csalog
CSCsm79443  ciscosecd loses tag for self-protection after boot
CSCsm88817  DACL test results in a kernel panic due to stack overflow
CSCsm85602  debug message filling csalog file
CSCsm73976  Linux RPM needs to be executable from fully qualified path name for RADIA
CSCso02721  Linux: CSAagent installs but ciscosec will not start
CSCso05044  CUP SIP Proxy intermittently proxy leaves invincible orphan
CSCsl72921  DACLs load but do not work on red hat 4
CSCsk54337  Inefficient fileshim cache impacts CCM performance.
CSCsl13885  5.2 CSA MC Event Details fails to download symbols without proxy server
CSCso17658  Application Control rule deny inoperative on Red Hat agents
CSCso23051  Files not tagged for FACL when opened with notepad from command line
CSCso45497  Solaris: Deadlock condition triggers NIC down failure
CSCso53234  Linux: AgentUI in taskbar failed to change SecLevel
CSCso59298  kernel panic at __kill_pg_info on RHEL4
CSCso20542  CSA detected driver in kernel rule
CSCso74540  CSAMC runs on Apache that's vulnerable to XSS via malformed HTTP method
CSCsq23259  Database deadlocks during event purge
CSCsm08129  massive events/event suppression cause event page to fail to display
CSCsq30277  solution needed for exporting policies with dynamic application classes
CSCsl32945  unknown processes in events on rhel
CSCsq34399  Unknown process denied accept conn. as a server on UDP port 67
CSCsm28713  False positive for VirtualAllocEx
CSCsm68421  TCP conns stuck in FIN_WAIT_2 state if drives mapped before CSA inst.
CSCso04638  Buffer overflow wizard creates incorrect pattern exception
CSCso05057  CSA blocks outbound Multicast MAC traffic transporting TCP traffic
CSCef69413  ASC query is displayed in the wrong session
CSCsm13788  solaris kernel panic - unusual system call seen in syslog
CSCso50665  Rule generation fails repeatedly due to sql query parallelism issue
CSCsj53932  CSAMC 5.2 is vulnerable to SQL injection
CSCso98606  Network Access Control wizard fails with large number of similar events
CSCso98605  compiler warnings emitted during driver builds
CSCsq14672  RHEL4 panics at hook_write() before csashims is loaded
CSCsq07997  SYN Flood protection is enabled in Test mode
CSCso23870  CSA may have killed the socks connector
CSCsq00851  With CSA installed, SecurStar Server 2.2.7 cannot start
CSCsm91886  CSA 5.2 hotfix causes windows error 0x80070057
CSCsq08129  Kernel panic on standby Sub during Load testing
CSCsq27348  Database shrinkage operation times out after backup completion
CSCso34058  DHCPv6 packets are blocked when CSA is enabled
CSCsq41343  MC reachable state did not reset after disconnecting VPN
CSCsl04657  With NACL rules selected for a specific interface, Eventvwr shows errors
CSCsl32956  netshield deny for traceroute inoperative on rhel3
CSCsl90533  CSAgent registry key was replaced with LEGACY_CSAgent key
CSCsl97374  CSA 5.2 Event Wizard fails to include COM components for exceptions
CSCsl06947  CSAMC co-location: Uninstalling one MC uninstalls JRE
CSCsm58067  CSA MC event wizard fails to combine resources from similar events
CSCsg04163  Performance degradation in 5.0.1/5.2 for Linux - Fileshim improvements
CSCsl77352  Application Behavior Analysis does not appear to collect data
CSCsm23466  MC upgrade did not update the sslhost cert
CSCsm64761  File Access Control rule triggers incorrectly
CSCsm64758  kernel panic in 5.2 on rhel4
CSCsm60306  Fail to communicate to the Domain controller server
CSCsm50841  Solaris - csatdi appears to be locking up the CPUs
CSCsm74271  Rules and Vars out-of-sync following rule compile failure

===============================================================================
1.7 Resolved Issues in 5.2.0.263 (Sixth official hotfix release - June 06, 2008)
-----------------------------------------------------------
5.2.0.263: - Sixth OFFICIAL Hotfix release - June 6, 2008
-----------------------------------------------------------
Hotfix 5.2.0.263 addressed the following issues:

Defect      Description
------      -----------
CSCsi31462  False Pos: Global Event Correlation triggers on non Virus AV event
CSCsq64150  Solaris - crash/segmentation fault in ciscosecd at 0x1000c1188

===============================================================================
1.8 Resolved Issues in 5.2.0.272 (Seventh official hotfix release - October 20, 2008)

=====================================================
| NOTE: All fixes from previous CSA 5.2 builds are  |
| also included in this hotfix release              |
=====================================================

-----------------------------------------------------------------
5.2.0.272: - Seventh OFFICIAL Hotfix release - October 20, 2008
-----------------------------------------------------------------
Hotfix 5.2.0.272 addressed the following issues:

Defect      Description
------      -----------
CSCsq73987  Wizard fails for events with incorrect network interface specification
CSCeh25293  uninstall CSA turns on XP firewall automatically
CSCsr07349  Incompatible with slapd using UTF8 character set
CSCsu09290  CSA 5.2 agent causes Unity's RSKdataservice crash
CSCsu75016  CSA BSOD when Microbus mobile PC environment installed

===============================================================================
1.9 Known Issue of Importance in 5.2.0.272:

- Customers installing Data Filters on Solaris will encounter defect CSCsf13720. Please contact the Cisco TAC.

===============================================================================
1.10 Additional Instructions for New Enhancements

1.10.1 Additional LDAP configurations available for CSAMC login authentication

The "Login Configuration" screen has undergone a number of significant changes in the current hotfix release.
Previously, configuration was limited in customer deployments. The intent of the new configuration is to enable the CSAMC to be deployed in more LDAP configurations.

1.10.1.1 LDAP configuration supports secure communication to the server.

To enable secure communication from the CSAMC to the authenticating server, check the "Use SSL" checkbox.

1.10.1.2 LDAP Authentication now supports multiple LDAP directories under the same LDAP server.

This mode is the same as the existing mode except that it allows multiple Organizational Units (OUs), and is active when the "LDAP User Search Mode" checkbox in the UI is NOT checked. Previously CSAMC could authenticate only against users under a single Organizational Unit (OU) in the LDAP directory. The implementation now authenticates against each OU in the order specified by the user, until success or failure. Authentication proceeds to the next OU *only* if the user does not exist in the given OU. If the authentication fails (i.e., the user exists but the password is wrong), then the authentication is declared to have failed.

1.10.1.3 LDAP Authentication shall support searching for a given user under an LDAP directory, and then authenticating against the user.

This mode is enabled when the "LDAP User Search Mode" checkbox in the UI is checked. Without search mode, CSAMC authenticates only against users who are the "immediate" children of the given OU; no users under sub-OUs are considered. In this mode, all the users under the subtree of the given Base DN are considered for authentication. As in 1.10.1.2, the user can give a number of Base DNs to consider. To search for the user in the LDAP directory, CSAMC needs to authenticate itself to the LDAP server. This authentication information should be given by the user under the LDAP Authentication column in the UI.

1.10.1.4 LDAP Authentication shall restrict authentication only to users who belong to a specified Active Directory Group.

This mode is a sub-mode of "LDAP User Search Mode".
This mode is enabled when the "AD Group Restriction" checkbox in the UI is checked. This mode shall ensure that CSAMC authenticates only against users who belong to the given AD Group (as specified by the Group DN input).

1.10.2 Additional local variable resolution to support OEM standalone agents

CSA Version 5.2.0.245+ provides a way to customize policies based on registry settings on the Windows agent machines. This support is via the @(reg HKLM\keyname\valuename) syntax, which can be used in various places to provide this capability. In particular, it can be used as a port number, an IP address or a registry key name. However, this is intended for static configuration items: the values in the various registry entries are looked up once, and those values are then used.

If the keyname\valuename is not found on the end system, then the value 0 or the null string is substituted. Alternatively, the default= keyword can be used. For example, in a network service:

    tcp/@(reg HKLM\software\mykey\myhttpport default=80)

For ranges (either port ranges or address ranges), each end of the range must be specified literally or using the @reg syntax. For example:

    tcp/@(reg HKLM\software\mykey\portlow default=5000)-@(reg HKLM\software\mykey\porthigh default=5199)

It is not possible to specify a port range or an address range with a single @reg keyword. If a registry change is made that changes a referenced value, it is recommended to reboot the system for the new values to be used. There is no semantic checking performed of the values found in the registry.

When used in a file set, the value from the registry is taken to specify the file path. Wildcard characters such as * can be used in the registry value only when the @reg syntax is used with a file set.

When the value is missing and no default is given, the substituted value is either 0 or the null string. This may not do what you want. For this reason, it is always safest to use the default= keyword to specify a default value.
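The following added example (not CSA code) resolves the @(reg ...) syntax described above against a constructed stand-in for the Windows registry, applies the default= and missing-value rules, and adds the semantic check on resolved ports that the product itself does not perform. The registry contents and the check function are assumptions for illustration.

```python
# Added example (not CSA code): resolves the @(reg HKLM\key\value default=...)
# tokens described in 1.10.2 against a constructed stand-in for the Windows
# registry, and adds the semantic check the product itself does not perform.
import re

# Constructed sample registry: key path -> {value name: data}. Keys and value
# names are stored lowercase because the Windows registry is case-insensitive.
REGISTRY = {
    r"hklm\software\mykey": {"myhttpport": 8080, "portlow": 6000},
    r"hklm\software\app": {"datadir": r"C:\app\data\*"},
}

# One token: "@(reg <HKLM\key\valuename>" plus optional " default=<text>" and ")".
REG_TOKEN = re.compile(r"@\(reg\s+([^\s)]+)(?:\s+default=([^)]*))?\)")


def lookup(path):
    """Return the registry data for HKLM\\key\\valuename, or None when absent."""
    key, _, value_name = path.rpartition("\\")
    return REGISTRY.get(key.lower(), {}).get(value_name.lower())


def resolve(text, numeric=False):
    """Substitute every @(reg ...) token in text.

    A missing entry takes its default= value; without one it becomes 0 in a
    numeric context (port, address) or the empty string otherwise, which is
    the silent fallback the readme warns about. Ranges need one token per end.
    """
    def substitute(match):
        path, default = match.group(1), match.group(2)
        data = lookup(path)
        if data is not None:
            return str(data)
        if default is not None:
            return default
        return "0" if numeric else ""
    return REG_TOKEN.sub(substitute, text)


def check_network_service(resolved):
    """Flag problems in a resolved 'proto/port[-port]' spec (assumed check).

    The readme states no semantic checking is done on registry values; this is
    the minimal check an administrator would want before deploying the policy.
    """
    problems = []
    _proto, _, ports = resolved.partition("/")
    low, _, high = ports.partition("-")
    try:
        lo = int(low)
        hi = int(high) if high else lo
    except ValueError:
        return [f"non-numeric port in {resolved!r}"]
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
        problems.append("port outside 1-65535 (missing value resolved to 0?)")
    if lo > hi:
        problems.append("inverted range: low end is greater than high end")
    return problems


if __name__ == "__main__":
    spec = (r"tcp/@(reg HKLM\software\mykey\portlow default=5000)"
            r"-@(reg HKLM\software\mykey\porthigh default=5199)")
    out = resolve(spec, numeric=True)   # porthigh is absent, so default=5199 is used
    print(out, check_network_service(out))
```

With the constructed registry the range example resolves to tcp/6000-5199, an inverted range that CSA would accept silently and that the check flags.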
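Returning to the LDAP login modes of section 1.10.1 above, this added example (not CSAMC code) models the ordered-OU mode of 1.10.1.2, the user-search mode of 1.10.1.3 and the AD group restriction of 1.10.1.4 against a constructed in-memory directory, so the fail-closed rule (a wrong password for an existing user never falls through to the next OU) can be exercised offline. The directory entries, the service account and the order in which the group check and the user bind happen are assumptions.

```python
# Added example (not CSAMC code): the ordered-OU, user-search and AD-group
# authentication modes described in 1.10.1.2 to 1.10.1.4, run against a
# constructed in-memory directory instead of a live LDAP server.

# Constructed directory: DN -> (password, group DNs the entry is a member of).
ADMINS = "cn=csa-admins,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "cn=alice,ou=ops,dc=example,dc=com": ("alice-pw", [ADMINS]),
    "cn=bob,ou=eng,dc=example,dc=com": ("bob-pw", []),
    "cn=carol,ou=staff,ou=eng,dc=example,dc=com": ("carol-pw", [ADMINS]),
    "cn=csamc-svc,ou=service,dc=example,dc=com": ("svc-pw", []),
}


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind: 'ok', 'no_such_user' or 'bad_password'."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return "no_such_user"
    return "ok" if entry[0] == password else "bad_password"


def authenticate_ordered_ous(username, password, ous):
    """1.10.1.2 (search mode off): bind as cn=<user>,<OU> for each OU in order.

    Only immediate children of each OU are tried, and the next OU is consulted
    only when the user does not exist there. A wrong password for an existing
    user ends the attempt as a failure instead of falling through.
    """
    for ou in ous:
        result = simple_bind(f"cn={username},{ou}", password)
        if result == "ok":
            return True
        if result == "bad_password":
            return False
    return False


def authenticate_search_mode(username, password, base_dns, svc_dn, svc_pw,
                             group_dn=None):
    """1.10.1.3/1.10.1.4 (search mode on): bind with the CSAMC's own credentials,
    search the whole subtree under each Base DN for the user, optionally require
    membership of group_dn, then bind as the user that was found."""
    if simple_bind(svc_dn, svc_pw) != "ok":
        return False          # CSAMC cannot search without its own credentials
    for base in base_dns:
        # Subtree search: any entry whose RDN is the user and whose DN ends in base.
        for dn in DIRECTORY:
            if not (dn.startswith(f"cn={username},") and dn.endswith("," + base)):
                continue
            if group_dn is not None and group_dn not in DIRECTORY[dn][1]:
                return False  # user found but outside the required AD group
            return simple_bind(dn, password) == "ok"
    return False
```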
The @reg resolution feature is only available for Windows agents. It is intended for OEM vendors of standalone CSA agents. Customers who manage their CSA agents centrally will find that deployment of registry values to endpoints is not scalable; the same facilities to configure variables centrally are found in the CSAMC.

================================================================================
2. Cisco Security Agent Management Center (CSA MC) Update Instructions
================================================================================

Upgrading: Applying v5.2.0.272 to an existing supported 5.2 installation:

To apply the hotfix to an existing 5.2 CSA MC installation, net stop the csagent and csamc51 services via a CMD shell (or stop the Cisco Security Agent and Management Console for Cisco Security Agents v5.1 via the services applet). Then run the setup.exe file on the CSA MC system. When you run the setup file, follow the instructions that appear on screen.

NOTE: The CSA MC upgrade process creates a backup of your previous database files. The upgrade calculates the size of your existing database and then checks to see if there is enough disk space to create the backup. If there is not enough space, you are prompted to abort the upgrade or to continue without creating a backup.

After upgrading the CSA MC with the hotfix, a software update should be created and deployed to upgrade hosts running the previous version of software.

================================================================================
3. Port Usage Information
================================================================================

This section explains which ports are used for communication by the product.

- Web Browser to CSA MC communication uses port 443 (https).
- Cisco Security Agent to Management Center communication occurs over port 5401. Port 443 is used by default if port 5401 is not available.
- Port 80 is also required for agent kit caching.
- Analysis Jobs to CSA MC communication occurs over port 5401.