Trend Micro Incorporated                             December 26, 2016
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) InterScan(TM) Web Security Virtual Appliance 6.5
Service Pack 2 Critical Patch - Build 1737
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: Trend Micro developed this critical patch as a workaround or
solution to a problem reported by customers. As such, this critical
patch has received limited testing and has not been certified as an
official product update. Consequently, THIS CRITICAL PATCH IS PROVIDED
"AS IS". TREND MICRO MAKES NO WARRANTY OR PROMISE ABOUT THE OPERATION
OR PERFORMANCE OF THIS CRITICAL PATCH NOR DOES TREND MICRO WARRANT
THIS CRITICAL PATCH AS ERROR FREE. TO THE FULLEST EXTENT PERMITTED BY
LAW, TREND MICRO DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES,
INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.

Contents
==========================================================
   1. Critical Patch Release Information
      1.1 Resolved Known Issues
      1.2 Enhancements
      1.3 Files Included in This Release
   2. Documentation Set
   3. System Requirements
   4. Installation
      4.1 Installing
      4.2 Uninstalling
   5. Post-installation Configuration
   6. Known Issues
   7. Release History
      7.1 Prior Hotfixes
   8. Contact Information
   9. About Trend Micro
   10. License Agreement
==========================================================

1. Critical Patch Release Information
======================================================================
   This critical patch resolves several issues in InterScan Web
   Security Virtual Appliance (IWSVA) 6.5 Service Pack 2. Refer to
   "Resolved Known Issues" for more information.

   1.1 Resolved Known Issues
   ===================================================================
   This critical patch resolves the following issue:

   Issue 1:     [Critical Patch 1737] (TT-333456)
                A vulnerability in the InterScan Web Security Virtual
                Appliance (IWSVA) 6.5 Service Pack 2 program may allow
                certain irregularly formatted viruses in HTTP
                responses to bypass it.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1:  This hotfix removes the vulnerability to enable IWSVA
                to catch these viruses in HTTP responses.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 1: To enable the solution:

                a. Install this hotfix (see "Installation").
                b. Open the "intscan.ini" file in the "/etc/iscan/"
                   folder.
                c. Locate or add the "scan_trunk_deep" key and set its
                   value to "yes".

                   NOTE: The default value is "no", which disables the
                         solution.

                d. Save the changes and close the file.
                e. Restart the HTTP daemon with the command:

                   /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start

   1.2 Enhancements
   ===================================================================
   There are no enhancements in this critical patch.

   1.3 Files Included in this Release
   ===================================================================
   A. Files for Current Issue
   -------------------------------------------------------------------
   Filename                               Build No.
   -------------------------------------------------------------------
   libdaemon.so                           1737
   svcmonitor                             1737
   isdelvd                                1737

   Files for Issue
   -------------------------------------------------------------------
   Filename                               Build No.
   -------------------------------------------------------------------
   libdaemon.so                           1737

   B. Files for Previous Solutions
   -------------------------------------------------------------------
   Filename                               Build No.
   -------------------------------------------------------------------
   libdaemon.so                           1732
   ftp_config_action.jsp                  1709
   ftp_config_dlp.jsp                     1709
   ftp_config_exception.jsp               1709
   ftp_config_spyware.jsp                 1709
   libProductLibrary.so                   1709
   IWSSPIDpi.so                           1709
   appd                                   1709
   AutoSetupAlchemySettings               1709
   northamerica                           1709
   config_backup_popup.jsp                1709
   client.py                              1709
   urlblocking.jsp                        1712
   server.xml                             1712
   IWSSPIUrlFilter.so                     1715
   dtasagent                              1721
   IWSSGui.jar                            1731
   urlf_policy_list.jsp                   1721
   custom_defense.jsp                     1721
   support.jsp                            1721
   support_capture_packet.jsp             1721
   support_diagnostic_tool.jsp            1721
   support_verbose_log.jsp                1721
   upload_sample_sizing.jsp               1721
   risk_level.jsp                         1721
   IWSSPIScanVsapi.so                     1721
   query_blacklist.py                     1721
   query_ddi_blacklist.py                 1721
   S99ISdtasd                             1721
   test_connection.py                     1721
   get_sandbox_feedback_blacklists.xml    1721
   libicap.so                             1726
   LDAPTest                               1730
   IWSSPIScanVsapi.so                     1735
   libdaemon.so                           1735
   libProductLibrary.so                   1735
   libhttpproxy.so                        1736
   libHTTPSDecryption.so                  1736

2. Documentation Set
======================================================================
   To download or view electronic versions of the documentation set
   for this product, go to http://docs.trendmicro.com

3. System Requirements
======================================================================
   Trend Micro recommends installing IWSVA 6.5 Service Pack 2 Patch 1
   Build 1707 before installing this critical patch.

4. Installation
======================================================================
   This section explains key steps for installing the critical patch.

   4.1 Installing
   ===================================================================
   To install:

   1. Download the "iwsva_65_sp2_ar64_en_cpb1737.tgz" critical patch
      file to your local hard disk.
   2. Log on to the IWSVA admin console GUI.
   3. Go to the "Administration > System Updates" page.
   4. Click "Browse".
   5. Browse your local hard disk for the
      "iwsva_65_sp2_ar64_en_cpb1737.tgz" critical patch file and click
      "Open".
   6. Click "Upload".
      Your browser uploads the critical patch file to IWSVA, which
      validates if the file is a legitimate critical patch.
   7. Click "Install" to apply the critical patch and update IWSVA to
      build 1737. The HTTP and FTP services in IWSVA restart
      automatically.

      NOTE: Applying this critical patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.

   8. Clear the browser cache.

   4.2 Uninstalling
   ===================================================================
   To roll back to the previous build:

   1. Log on to the IWSVA admin console GUI.
   2. Go to the "Administration > System Updates" page.
   3. Click "Uninstall" next to "cpb1737" and verify the critical
      patch ID and description in the confirmation page that appears.
   4. Click "Uninstall" to remove Critical Patch 1737 and roll back
      IWSVA to the previous build. The HTTP and FTP services in IWSVA
      restart automatically.

      NOTE: Removing this critical patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.

5. Post-installation Configuration
======================================================================
   No post-installation steps are required.

   NOTE: Trend Micro recommends that you update your scan engine and
         virus pattern files immediately after installing the product.

6. Known Issues
======================================================================
   There are no known issues for this hotfix release.

7. Release History
======================================================================
   For more information about updates to this product, go to:

   http://www.trendmicro.com/download

   7.1 Prior Hotfixes
   ===================================================================
   NOTE: Only this hotfix was tested for this release. Prior hotfixes
         were tested at the time of their release.

   Hotfix 1710

   Issue:     [Hotfix 1710] (TT-349268)
              When HTTPS decryption is enabled, IWSVA cannot load an
              HTTPS webpage if the HTTP header does not contain a
              "Content-length" or "Transfer-Encoding" heading.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix ensures that users can access HTTPS websites
              successfully while HTTPS decryption is enabled.

   Hotfix 1712

   Issue:     [Hotfix 1712] (TT-348926)
              Microsoft(TM) Internet Explorer(TM) stops responding
              when users import the list of blocked URLs to IWSVA and
              the list has more than 7000 entries.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix updates the parsing algorithm to improve the
              parsing speed to enable Internet Explorer to handle
              large blocked URL lists.

   Hotfix 1714

   Issue:     [Hotfix 1714] (TT-351297)
              When a client uploads files to a server through an
              application server and IWSVA scans the files through
              ICAP, IWSVA does not allow the acknowledgment traffic
              (0-byte file) to pass and sends an error code 100
              instead. This happens because IWSVA checks the
              "Encapsulated:" ICAP header only which does not have a
              "null-body".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix enables IWSVA to check both the
              "Encapsulated:" ICAP header and the "Content-length"
              HTTP header so that if the "Content-length" is "0", it
              will also treat it as a "null-body". This ensures that
              IWSVA allows the acknowledgment traffic (0-byte file) to
              pass.

   Hotfix 1715

   Issue:     [Hotfix 1715] (TT-351297)
              IWSVA stops unexpectedly when it calls the strncpy
              function and the length of the char pointer is "0".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix resolves the issue by enabling IWSVA to
              check the length of the char pointer before calling the
              strncpy function.

   Hotfix 1716

   Issue:     [Hotfix 1716] (TT-352892)
              IWSVA cannot save changes to the priority setting of a
              URL filtering policy if the current policy priority is
              lower than 2498.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix ensures that IWSVA can save changes to the
              priority setting of a URL filtering policy.

   Hotfix 1717

   Issue:     [Hotfix 1717] (TT-352982)
              The URL filtering feature of IWSVA 6.5 Service Pack 2
              may block the wrong domains.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix ensures that IWSVA can correctly match URLs
              with the filtering policy so that it blocks the correct
              domains.

   Hotfix 1721

   Enhancement: This hotfix integrates the Trend Micro Deep Discovery
                Inspector and Trend Micro Control Manager(TM) SO
                acquirement interface into the IWSVA web console. This
                enables IWSVA to retrieve the SO list from both
                products, to block SOs on the list including IPs,
                URLs, domains, and files, and to perform Advanced
                Threat Protection scanning.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure:   To enable the feature:

                a. Open the "intscan.ini" file in the "/etc/iscan"
                   folder.
                b. Locate or add the "so_integration_enabled" key and
                   set its value to "1".

                   Note: To disable the feature, set
                         "so_integration_enabled=0".

                c. Save the changes and close the file.
                d. Refresh the "HTTP > Advanced Threat Protection >
                   Custom Defense > Custom Defense Settings" page.

   Hotfix 1726

   Issue 1:    [Hotfix 1726] (TT-350383)
               After updating to IWSVA Service Pack 2 Build 1707,
               users may not be able to browse HTTPS websites
               properly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix resolves the issue by ensuring that IWSVA
               can correctly handle the TCP FIN, so that when this is
               killed in the webserver, the corresponding HTTP header
               will keep it alive.

   Issue 2:    [Hotfix 1726] (TT-351297)
               When a client uploads files to a server through an
               application server and IWSVA scans the files through
               ICAP, IWSVA does not allow the acknowledgment traffic
               (0-byte file) to pass and sends an error code 100
               instead.
               This happens because IWSVA checks the "Encapsulated:"
               ICAP header only which does not have a "null-body".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hotfix enables IWSVA to check both the
               "Encapsulated:" ICAP header and the "Content-length"
               HTTP header so that if the "Content-length" is "0", it
               will also treat it as a "null-body". This ensures that
               IWSVA allows the acknowledgment traffic (0-byte file)
               to pass.

   Issue 3:    [Hotfix 1726] (TT-352011)
               Websites do not load properly when HTTPS decryption is
               enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This hotfix resolves the issue by enabling IWSVA to
               properly handle zero length data from a webserver (for
               example, "https://www.it.nrw.de").

   Issue 4:    [Hotfix 1726] (TT-352635)
               The isftpd process triggers a 100% CPU usage issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This hotfix adds the isftpd process to the approved
               list in IWSVA to prevent the high CPU usage issue.

   Hotfix 1728

   Issue:     [Hotfix 1728] (TT-352510)
              An issue may prevent source IWSVA devices from sending
              chunked data to registered child IWSVA devices.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix resolves the issue by allowing the source
              IWSVA device to choose between chunked mode or
              content-length mode response to child IWSVA devices.

   Hotfix 1729

   Issue:     [Hotfix 1729] (TT-355847)
              Dropbox cannot sync in bridge mode after users add
              "dropbox.com" to the global trusted list.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix resolves the issue by enabling IWSVA to run
              through the list of global trusted domains before it
              attempts to connect to websites.

   Hotfix 1730

   Issue 1:    [Hotfix 1730] (TT-357017)
               The LDAP server diagnostic tool returns a "failed"
               result even when the LDAP server has connected
               normally.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix ensures that the diagnostic tool returns
               the correct LDAP server connection results.

   Issue 2:    [Hotfix 1730] (TT-355574)
               HTTPS request authentication may fail when IWSVA is
               deployed in bridge mode between a client and the
               upstream proxy and the upstream proxy uses Kerberos
               authentication.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hotfix ensures that HTTPS request authentication
               can run successfully under the scenario described
               above.

   Hotfix 1731

   Issue 1:    [Hotfix 1731] (TT-351773)
               End users cannot see the shared remote desktop using
               Skype in Web Cache Communication Protocol (WCCP) mode.
               This issue occurs because the OpenSSL module sends an
               alert message when it comes across Skype HTTPS traffic.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix handles this issue to channel Skype HTTPS
               traffic.

   Issue 2:    [Hotfix 1731] (TT-355725)
               Non-administrator users are able to go beyond their
               access permissions and apply administrator operations.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hotfix validates the user's permissions before
               applying administrator operations in the web service
               process.

   Hotfix 1732

   Issue:     [Hotfix 1732] (TT-357304)
              In some situations, the InterScan(TM) Web Security
              Virtual Appliance (IWSVA) FTP daemon may cause high CPU
              usage.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:  This hotfix resolves the high CPU issue for the FTP
              daemon.

   Hotfix 1733

   Issue 1:    [Hotfix 1733] (TT-355470)
               If the IWSVA user information sync fails from the trust
               domain of the Global Catalog, even if the user
               authenticates successfully through Global Catalog, the
               connection still fails.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix resolves this issue by letting the
               connection pass when the user authentication is
               successful, even if the user information sync failed
               from the Global Catalog.

               To enable the function:

               1. In [/etc/iscan/intscan.ini]: In the [http] section,
                  set the value of the [pass_auth_not_in_ldapcache]
                  key to "yes".
               2. In [/etc/iscan/intscan.ini]: In the [LDAP-Setting]
                  section, set the value of the [Prefer-sAMA] key to
                  "yes".
               3. Log on to IWSVA with SSH, and restart the HTTP proxy
                  with the following command:

                  /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Hotfix 1735

   Issue 1:    [Hotfix 1735] (TT-352640)
               InterScan Web Security Virtual Appliance (IWSVA) cannot
               tunnel the failed extract file.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix ensures IWSVA can tunnel the failed extract
               file by enabling a hidden key.

               To enable this function:

               1. In [/etc/iscan/intscan.ini]: In the
                  [Scan-configuration] section, set the value of the
                  [failed_extract] key to "pass". If the key
                  [failed_extract] does not exist, add the key.
               2. In [/etc/iscan/intscan.ini]: In the
                  [Scan-configuration] section, add the value
                  "Failed_Extract_File" to the key [skipSpecificVirus].
               3. Log on to IWSVA with SSH, and restart the HTTP proxy
                  with the following command:

                  /etc/iscan/S99ISproxy stop;/etc/iscan/S99ISproxy start

   Issue 2:    [Hotfix 1735] (TT-357285)
               The "*.co/*" should not match the "*.com:443" value
               when IWSVA performs URL matching.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hotfix ensures that IWSVA can perform URL matching
               normally.

   Issue 3:    [Hotfix 1735] (TT-350271)
               IWSVA cannot send the correct event time to Control
               Manager when the system time zone is in daylight saving
               time.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This hotfix ensures that IWSVA can send the correct
               event time to Control Manager when the system time zone
               is in daylight saving time.

   Issue 4:    [Hotfix 1735] (TT-357018)
               In some situations, the InterScan(TM) Web Security
               Virtual Appliance (IWSVA) may cause slow browsing.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This hotfix resolves the slow browsing issue.

   Hotfix 1736

   Issue 1:    [Hotfix 1736] (TT-357135)
               HTTPS pages will not load when the UA string is
               Internet Explorer 11.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix handles the SSL alert message that the
               HTTPS server sends to IWSVA, which resolves the
               decryption issue.

8. Contact Information
======================================================================
   A license to Trend Micro software usually includes the right to
   product updates, pattern file updates, and basic technical support
   for one (1) year from the date of purchase only. After the first
   year, you must renew Maintenance on an annual basis at Trend
   Micro's then-current Maintenance fees.

   Contact Trend Micro via fax, phone, and email, or visit our website
   to download evaluation copies of Trend Micro products.

   http://www.trendmicro.com/us/about-us/contact/index.html

   NOTE: This information is subject to change without notice.

9. About Trend Micro
======================================================================
   Smart, simple, security that fits

   As a global leader in IT security, Trend Micro develops innovative
   security solutions that make the world safe for businesses and
   consumers to exchange digital information.

   Copyright 2016, Trend Micro Incorporated. All rights reserved.
   Trend Micro, InterScan, and the t-ball logo are trademarks of Trend
   Micro Incorporated and are registered in some jurisdictions. All
   other marks are the trademarks or registered trademarks of their
   respective companies.

10. License Agreement
======================================================================
   View information about your license agreement with Trend Micro at:

   http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/

   Third-party licensing agreements can be viewed:

   - By selecting the "About" option in the application user interface
   - By referring to the "Legal" page of the Administrator's Guide
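
Added example (not part of the Trend Micro readme and not Trend Micro code): Procedure 1 in section 1.1 leaves the Critical Patch 1737 fix disabled until "scan_trunk_deep" is set to "yes", and Hotfix 1735 adds keys that let failed-extract files through, so a check of intscan.ini after patching is worth scripting. The sample file content, the comment characters and the function names parse_ini and audit are assumptions made for this sketch.

```python
import re

# Constructed sample, not taken from a real appliance. The readme names the
# [Scan-configuration] section for failed_extract but gives no section for
# scan_trunk_deep, so the audit looks for that key in every section.
SAMPLE_INI = """\
[http]
scan_trunk_deep = no

[Scan-configuration]
failed_extract=pass
skipSpecificVirus=Failed_Extract_File
"""

def parse_ini(text):
    """Return {(section, key): [values]}, keeping every occurrence of a key.
    Assumes "key=value" lines, "[section]" headers, "#" or ";" comments."""
    section, values = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            values.setdefault((section, key.strip()), []).append(value.strip())
    return values

def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    values = parse_ini(text)
    findings = []
    # Critical Patch 1737: the fix is off unless scan_trunk_deep is "yes".
    # How the appliance resolves duplicate keys is not stated in the readme,
    # so any occurrence that is not exactly "yes" is reported.
    deep = [v for (_, key), vals in values.items()
            if key == "scan_trunk_deep" for v in vals]
    if not deep:
        findings.append("scan_trunk_deep absent: default 'no', fix disabled")
    elif any(v != "yes" for v in deep):
        findings.append("scan_trunk_deep not 'yes': fix disabled")
    # Hotfix 1735: failed_extract=pass tunnels files that failed extraction.
    scan = "Scan-configuration"
    if "pass" in values.get((scan, "failed_extract"), []):
        findings.append("failed_extract=pass: failed-extract files are tunnelled")
    if any("Failed_Extract_File" in v
           for v in values.get((scan, "skipSpecificVirus"), [])):
        findings.append("skipSpecificVirus lists Failed_Extract_File")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("FINDING:", finding)
```

To check an appliance, pass the contents of /etc/iscan/intscan.ini to audit(); a changed key takes effect only after the proxy restart given in the procedures.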