STEALTHWATCH SYSTEM VERSION RELEASE NOTES

Transcription

1 STEALTHWATCH SYSTEM VERSION RELEASE NOTES This document provides the following information: What's New What's Been Fixed summarizes fixes made for issues reported by customers: o Version o Version o Version Known Issues in this release. For all features included in Stealthwatch v6.10, refer to the release notes for each previous version: v and v For a list of alarm types and their IDs, access the Alarm IDs file. You can also access this document via the Alarm List topic in the SMC Client Interface online help. For additional information about the Stealthwatch System, go to the Customer Community. Important: For enhanced security, before you add a Flow Collector or Flow Sensor in the System Setup Tool, you must have first created a management channel between the Flow Collector and/or Flow Sensor and the Stealthwatch Management Console (SMC). If you have not done this, you will receive an error message when you try to add either appliance in the System Setup Tool. The specific instructions are on page 43 in the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide or page 15 in the Hardware Configuration Guide. If your Stealthwatch System is v6.9.0 or v6.9.1, install the latest/any required rollup patch files on Stealthwatch's Download and License Center, before upgrading. If your Stealthwatch System is v6.9.2 or later, the rollup patch is not required to upgrade to v6.10. Due to an error with the system upgrade file, upmanrepo.swu, you will have to use the individual appliance swu files to update your system. See Known Issues for more information. If FIPS mode was enabled in an earlier version of software (prior to v6.10), 2019 Cisco Systems, Inc. All Rights Reserved. 1

2 disable FIPS mode before you update the software to v6.10. The following non-admin access modifications have been made: o For any versions prior to v6.10, a non-admin user without an assigned function role can access the SMC Web App but cannot access the SMC client interface. Once an admin user assigns a non-admin user a function role, that user will also be able to access the SMC client interface. o Beginning with v6.10, a non-admin user cannot access the SMC client interface or the SMC Web App until assigned a function role. For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new openssl version with TLS 1.2. WARNING! It is important to enable an alternative method to access your Stealthwatch appliances for any future service needs, using one of the following: Hardware* Console (serial connection to console port): Refer to the latest Stealthwatch Hardware Installation Guide to connect to the appliance using a laptop or a keyboard and monitor. idrac Enterprise (Dell appliances): Refer to the latest documentation for your platform at idrac Enterprise requires a license, and idrac Express does not allow console access. If you do not have idrac Enterprise, direct console or SSH can be used. CIMC (UCS appliances): Refer to the latest Cisco UCS guide for your platform at computing/ucs/c/sw/cli/config/guide/b_cisco_cimc_cli_configuration_ Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html Virtual Machines* Console (serial connection to console port): Refer to the latest KVM or VMware documentation for your appliance installation. For example, for KVM, see the Virtual Manager documentation at For VMware, see the vcenter Server Appliance Management Interface doc Cisco Systems, Inc. All Rights Reserved.

3 umentation for vsphere at vsphere/6.0/com.vmware.vsphere.vcsa.doc/guid-223c2821-bd98-4c7a- 936B-7DBE96291BA4.html *If you cannot log in to the appliance using these methods, you can enable SSH on the appliance network interface temporarily. WARNING! When SSH is enabled, the system s risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it. 1. Log in to the Appliance Admin interface. SMC: Log in to the SMC. Click the Settings icon > Administer Appliance. 2. Click Configuration > Services. 3. Check the Enable SSH check box to enable SSH. To allow the root user SSH access, check the Enable Root SSH Access check box. 4. Click Apply. Notes: This document uses the term "appliance" for any Stealthwatch product, including virtual editions (VEs) such as the Flow Collector VE. Stealthwatch does not support installing 3rd party applications on appliances. Stealthwatch requires Java Version 8 Update 161 (v1.8.0_161) or later. Stealthwatch requires TLS v1.1 or later. Stealthwatch supports the latest version of Chrome, Firefox, and Edge, and Internet Explorer v11. Where once the setting "disabled" for a security event disabled the event, now disabling will disable the alarm. To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix on the Customer Community Cisco Systems, Inc. All Rights Reserved. 3

4 What's New These are the new features and improvements for the Stealthwatch System v release: Cognitive Analytics Enhancements Cognitive Analytics Enhancements Note: To see the full list of enhancements for the Cognitive engine, refer to the Cognitive Analytics Release Notes. Superforest CTA can now leverage detections from the analysis of WebFlow telemetry to improve the efficacy of analyzing NetFlow telemetry from Stealthwatch. This is accomplished by the system through correlation of both telemetry types. According to measurements by Cisco, the number of both confirmed and detected threats should increase by approximately 10% Service Modeling Service modeling is now available for internal servers (on-demand for Stealthwatch customers). The internal servers are specified using the host group definitions. By configuring an internal host group to send Stealthwatch flow records, the user adds additional data to be sent to the Cognitive cloud for analysis. Service Modeling focuses on company internal servers (e.g. mail servers, file servers, web servers, authentication servers etc). Analyzing additional traffic from the end users to those servers can improve the visibility of the exposure of data that may have been misused by malware running on the affected end user devices. Please do not check all the host groups for sending the data. Only check those host groups that represent internal servers. Stealthwatch Botnet Classifier CTA can now detect botnets on Stealthwatch flows characterized by a uniform anomalous/unknown communication to many external nodes. In combination with other features, the SVM (Support Vector Machine) classifier is trained specifically to provide high generalization. Migration to Amazon Web Services (AWS) Cloud Cognitive Analytics will migrate to the AWS Cloud in August Due to this, the Cognitive URLs and IP addresses will change. For more information, refer to the Field Notice Cisco Systems, Inc. All Rights Reserved.

5 What's Been Fixed This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference. Version SWD-8115 Multiple instances of the process "acpi_pad" was causing the system to become non-responsive. We blacklisted the "acpi_pad" process to fix this issue. LSQ-2836 SWD-8142 SWD-9128 SWD-9702 SWD-9763 The Database backup is generating errors at the final stage of the process. Improvements have been added to repeat the Vertica backup process in case of resync errors. Temporary files for flow stats were deleted when disk space was less than 75%. This code was removed in order to let the code that checks disk usage handle any necessary file removals. Modified the Flow Collector engine to handle ICMP type and code sent in the NetFlow source port field instead of destination port. The SMC failed to request user information from Active Directory. Updated the SMC to take the user information when the format is "domain\username" or "domain username". LSQ-2838 LSQ-3123 LSQ-3175 LSQ-3262 SWD-9822 Fixed an issue where the database backup failed. LSQ-3447 SWD-9913 Updated the Cognitive Analytics integration to work with trial licenses. LSQ-3675 SWD-9934 Queries for security events failed with a Vertica error. Updated the code to finish installing Vertica default packages. LSQ-3578 SWD SWD Associated flows information was incorrect. Updated SETI and the SMC Web App interface online help to have the correct associated flows information. Incorrect error message for quarantine and unquaratine failure on the SMC. Updated the error message. LSQ-3415 LSQ Cisco Systems, Inc. All Rights Reserved. 5

6 SWD Flow information was not showing up when using a Cisco 3504 Wireless LAN Controller. Previously, the engine automatically assigned Interface #1 to flows missing Input and Output SNMP Interface IDs. Because of potential conflicts with an actual Interface #1, we decided to use INT_MAX for this assignment. LSQ-3432 SWD SWD SWD SWD SWD SWD SWD SWD SWD SWD DBNodeRetentionManager was not waiting long enough between partition drops which caused all partitions to be dropped. A back-off algorithm was implemented in the retention code to allow enough time for the disk space to be freed between partition drops. The Flow Collector 5000 engine had SIGSEGV error at various functions. Added more data input validation on Information Elements so the engine emits decode errors instead of crashing. Added a script to set the ethx rx buffers to the maximum allowed value (typically 4096) on physical UDP Directors to improve performance. Updated the code to handle a "NullPointerException" error when receiving ISE- PIC sessions without username information. The Admin Interface UI hangs after clicking "Test" on the Remote File System page. Added better error handling for the Admin UI. The Flow Collector diagnostic pack stored too many log files. Updated the diagnostic pack to only contain the vertica.log. Updated the database queries to use AVG function to avoid the sum overflow problems. Added a check to make sure the Flow Collector engine is up before the SMC sends configuration changes. The engine had a SIGSEGV error in update_app_definitions. Ensured that all resource memory pool deletions are followed by setting the variable using the memory to NULL. LSQ-3444 LSQ-3454 LSQ-3463 LSQ-3472 LSQ-3483 NA LSQ-3487 LSQ-3466 LSQ Cisco Systems, Inc. All Rights Reserved.

7 SWD The Flow Collector engine had an overflow when calculating BPS values. LSQ-3424 SWD SWD SWD SWD SWD SWD SWD SWD SWD SWD Bytes and packets value handling was modified to perform data validation and ensure the average packet size is bytes or less. The unlicensed feature message was being displayed for the Flow Sensor. Changed the default setting for the message to show the appropriate status. Top Peers flipping the client/server when selecting "Flows". Modified the code to now swap hosts when creating a flow filter from Top Peers. Removed "Inbound" from the legend for two charts on the Interface Traffic Dashboard. User authentication failed due to login file descriptors not being closed. Updated the code to close the file descriptors after a user logs out. Updated the SMC UI to not show the FPS exceeded warning on properly licensed appliances. The engined crashed with the error "Thread interrupted" while processing flows. Updated the engine to handle situations where the flow classification threads get backed up temporarily. Filtering the Flow Table by payload and username fails with 500 internal server error. Fixed the Flow Table filter xml sequence issue. Resync from SMC caused the Flow Collector engine to stop. Fixed the code to restart the engine properly Updated the Flow Collector to correct permissions on configuration files when needed. Deleting a domain on a primary SMC did not remove it from a secondary SMC in a failover pair. The entire configured call list of the selected domain is sent to the secondary SMC on deletion. LSQ-3433 LSQ-3397 LSQ-3486 LSQ-3554 LSQ-3335 LSQ-3579 LSQ-3537 LSQ-3600 LSQ-3630 LSQ-3624 LSQ-3624 LSQ Cisco Systems, Inc. All Rights Reserved. 7

8 SWD The Flow Search wasn't loading the Host Group Selector panel and the Exporter and Interface panel. Updated the UI components to handle larger amounts of host groups and exporters. LSQ-3637 SWD SWD DBNodeRetentionManager was not dropping the large partitions causing new flow data to not be inserted. Modified retention code to drop any invalid partitions (those with dates before 1980) at each retention check. Any drops of these partitions will be logged with a warning "Dropped invalid partition for <table name>". The code also drops up to 5 partitions each retention period when over the disk usage threshold. Disk space is checked after each drop and when usage drops back below threshold, no more partitions are dropped for that period. Vertica was inserting data when the database disk space was full, causing the system to crash. Modified the Flow Collector 5000 engine code to query Vertica for disk usage over the database channel. This allows the engine to stop database inserts when disk usage reaches the critical level on the database node even if the communication channel is down. LSQ-3623 LSQ-3623 SWD Cleaned up the svc-ise-client.log to help with troubleshooting issues. LSQ-3639 SWD The Flow Collector 5200 engine was running out of memory. The fix is to limit the number of processing threads based on the available memory. The calculated process_instance_count will be limited to 13 on a Flow Collector 5200 series appliance. This value can still be manually set in lc_thresholds.txt. LSQ-3600 SWD Multiple errors causing the Flow Collector engine to crash. Fixed an out of bounds array reference that could corrupt memory and lead to a crash. LSQ-3600 SWD Updated SETI version. NA SWD Improved performance by updating the code to select the newest Vertica partition to search for the last flow identifier used instead of searching all Vertica partitions. LSQ-3656 LSQ-3670 SWD Updated the fileshare password field to accept the special character. LSQ-3665 SWD Updated the User Details field for Subject and Peer on the Flow Search page to allow usernames with special characters and wildcard characters. LSQ Cisco Systems, Inc. All Rights Reserved.

9 SWD SWD Added support for the underscore character in ST_Value pattern of /lancope/admin/lib/system.xsd. Removed the code to swap Security Group Tag IDs when client and server were swapped in the engine. LSQ-3678 LSQ-3650 SWD Removed "Inbound" from the Host Group Traffic Chart legend. LSQ-3704 SWD SWD The Flow Sensor was missing flowsensor.xml after install. Updated the start_fs process so that it will write out a default flowsensor.xml when the service is started. Updated the high total traffic associated flow table to include the sum of client and server bytes whether the traffic is from the client or server. LSQ-3725 LSQ-3729 LSQ-3632 Version SWD-8225 Updated SETI version. NA SWD-9122 The SMC was not getting ISE sessions. Removed the Kafka service. NA SWD-9559 SWD-9873 SWD-9875 SWD-9902 The Flow Collector engine had a SIGSEGV error at search_threat_host. Reworked threat feed code to minimize the locking time of the processing threads. The alarm count was mismatched from the Alarming Hosts component on the Security Insight Dashboard and the alarms on the host list view. Updated the help text pop-up to explain that the number in the Alarming Host component displays the number of hosts receiving alarms since the last reset hour. Clicking on the alarm number will navigate to a host list view with an alarm category filter applied. These two numbers can be different. The Flow Sensor 3000 system memory was running low. The packet buffer size for the flowsensor process was decreased to free up approximately 1G on 16G platforms. SMC triggered "Cisco ISE Management Channel Down" false alarm. Updated the alarm to use the svc-ise-client microservice to ascertain status of configured ISE clusters. LSQ-3208 LSQ-3330 LSQ-3344 LSQ Cisco Systems, Inc. All Rights Reserved. 9

10 SWD-9983 The database storage "Worst Case" value for "capacity in days" and "remaining days" was incorrect. Fixed the code so that the values are no longer negative. LSQ-3367 SWD-9996 The Not Matched field in the output.log did not increment when the source/destination IP address mismatched the forwarding rules configuration on the UDP Director. A fix has been provided to increase the Not Matched count. LSQ-3370 SWD The SMC and Flow Collector did not have enough memory allocated for Tomcat. Separated the JVM settings for each appliance so that Tomcat memory allocation varies depending on the appliance. LSQ-3305 LSQ-3453 SWD Improved packet query logging. LSQ-3418 SWD The Update Progress window showed a negative number. Changed the logic that's used for determining the total expected file size so that it can support values greater than 2GB. LSQ-3424 SWD SWD Updated Security Group Tags (SGT) information in the SMC Web App inferface online help. Increased the default buffer length for the UDP Director to reduce "Last Dropped" counts. LSQ-3461 LSQ-3463 Version LVA-221 STE-84 Vim did not properly validate values for tree length when handling a spell file, which may have resulted in an integer overflow at a memory allocation site and a resultant buffer overflow. Port number for the server and protocol information have been added to the Response. STE-97 Updated Support Contact information within Stealthwatch. NA SWD-7143 The lc_profiles process on the Flow Collector was very slow. Revamped the host group lookup functionality to fix a bottleneck. NA NA LSQ Cisco Systems, Inc. All Rights Reserved.

11 SWD-7540 SWD-7688 SWD-7549 The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. The flow traffic on the Flow Sensor 4010 showed no utilization with non-zero inbound traffic. We fixed the SMC detection of the Flow Sensor fiber port interface speeds used in utilization calculations. LSQ-2652 LSQ-2649 SWD-7599 SWD-7615 SWD-7621 SWD-7643 SWD-7644 There was a database backup return error on system configuration. Updated the backup routines to handle file copies to CIFS destinations differently. The Hardware Configuration Guide had an error in the Configure Primary UDP Director section. The guide was updated with the correct information. The Top Conversations Report was not returning all results when a host filter was used. The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report. The delete option for an SSL Client certificate did not work on a secondary SMC. The fix was to allow the add/delete function for SSL client certificates in a secondary SMC. The Top Conversations transaction report was showing incorrect values. A fix has been provided to avoid duplicate values and show the appropriate number of records for each Flow Collector in the transaction report. LSQ-2621 LSQ-2572 LSQ-2674 LSQ-2679 LSQ-2593 LSQ-2626 LSQ-2593 SWD-7653 IDentity v3.3.0 does not support TLS 1.0 or 1.1. LSQ-2712 SWD-7676 The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC. Users could not create a diagnostics pack for an appliance. The fix corrected an exception in the audit log when creating a diagnostics pack. LSQ Cisco Systems, Inc. All Rights Reserved. 11

12 SWD-7689 The CPU average load calculation, on the SMC client interface dashboard, was incorrect. The CPU average load has been updated to reflect the updated appliances. LSQ-2677 SWD-7692 SWD-7700 SWD-7708 SWD-8137 SWD-7765 SWD-7787 SWD-7824 SWD-7862 The Top Conversations Report did not return all results when filtering hosts. In the Top Conversations report, the problem was in generating reports if more than one Flow Collector was configured. The fix corrects the query to collect all required data from data base for all required Flow Collectors. The Flow Collection Trend chart had gaps due to TextCopyHandler failing to read files at /lancope/var/smc/tmp folder. Resolved an issue where scheduled reports would terminate existing SMC data loading processes under certain conditions. Users could not import of DAR and XML files to Document Builder. This patch fixes issue with launching a new report from document builder that has several pages that are named alphabetically. Flow data queries across multiple flow collectors do not return consistent ordering. The fix is to order the records returned for a flow query by flowid when a specific ordering is not requested. This prevents different invocations of this method from returning different results. The Flow Table Service Summary and Service Port columns had mismatched port addresses. Fixed an issue where the service summary port was not updated to match the server port for certain flows. Flow query was failing for IPv6 IP address range 0000-FFFF. The flow query filter has been corrected to recognize and search IPv6 input values. Associated flow table carried previous advanced filter values. The Flow Table retain filter option has been excluded from the associated flow table. LSQ-2593 LSQ-2727 LSQ-2738 LSQ-2652 LSQ-2710 LSQ-2613 LSQ Cisco Systems, Inc. All Rights Reserved.

13 SWD-7865 Stealthwatch Management Console had high memory usage for uwsgi appliance update process. Implemented a mechanism designed to prevent memory usage exceeding 4 GB by the uwsgi UPServ application. LSQ-2722 SWD-7963 SWD-7971 SWD-8072 SWD-8089 SWD-8107 SWD-8136 SWD-8142 SWD-8153 The client interface help was not showing topics when using the search tab. Fixed encoding error caused by a tomcat update. On the SMC Web app, Error retrieving host snapshot to build host entity view constantly received on Host Search. We updated the SMC Web app and the Vertica query to accommodate large numbers and overflow. Top Reports returns more records than the set limit when there are two or more Flow Collectors (LSQ-2822). The Top Reports queries have been updated to split the amount of records evenly between Flow Collectors. The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. notifications for scheduled documents were not being logged properly. We fixed the log base path location from pointing to the incorrect directory. The Flow Collector changed models after upgrade. Updated the model.xml file to not change a system's memory size during upgrade. The Database backup was generating errors at the final stage of the process. Improvements have been added to repeat the Vertica backup process in case of resync errors. Flows were not being associated with all Host Groups that contained the associated IP address. The flow table was updated to allow a larger character limit (65,000) in the client and server host group strings, and we now allow 256 host groups per IP address. NA LSQ-2773 LSQ-2822 LSQ-2652 LSQ-2834 LSQ-2845 LSQ-2838 LSQ Cisco Systems, Inc. All Rights Reserved. 13

14 SWD-8182 UDP Director 2010 could not boot after upgrade. LSQ-2866 Fixed an issue with the kernel upgrading process. SWD-8200 SWD-8210 SWD-8239 SWD-8271 SWD-8314 SWD-8317 A Flow search with too many characters for a IP address range caused Vertica to crash. Changed the logic around constructing IP range searches. ISE "devicetype" field was empty. Provided value to "devicetype" from the "endpoint Policy" pxgrid field. Error when creating and configuring Custom Applications. A new java constructor has been added to avoid a bad request error when adding multiple custom application rules in the SMC. The Flow Sensor Management Channel Down alarm, triggered in the client interface, did not go inactive after one hour. Resolved an issue where certain alarms would fail to go inactive on the primary node of an SMC failover pair. The Flow Collector was not processing a non-zero DSCP field. Added support for the DSCP field. External Lookup failed with a 500 internal server error. Fixed the null pointer error when loading the External Lookup configuration page. LSQ-2869 LSQ-2880 LSQ-2765 LSQ-2829 LSQ-2865 LSQ-2893 LSQ-2859 LSQ-2911 LSQ-2912 SWD-8323 The SMC was utilizing a high amount of memory. LSQ-2904 SWD-8438 We refactored the SMC client interface code to improve UI responsiveness. The Flow Collector saved flow records from one source ID and discarded records with the other source ID. Added observation domain binding to the exporter stats in the cases where more than one exporting engine is exporting from a single exporter IP address using different source ID values. LSQ Cisco Systems, Inc. All Rights Reserved.

15 SWD-8477 Vertica MergeOut process was very slow for the flow_stats table. LSQ-2935 SWD-8540 SWD-8542 SWD-8559 SWD-8590 SWD-8591 SWD-8598 SWD-8608 SWD-8629 SWD-8635 SWD-8636 Added several Vertica database tuning parameters to remedy the ROS container backup problems. Unable to create and save maps when logged in as a non-admin user. Updated the error message to be more meaningful when a non-admin user creates a map without the proper permissions. Security Event details were missing in web application interface. Fixed an issue where Security Event details were always empty. The Online Help referred to an incorrect alarm name. Updated the help to refer to "Ping Oversized Packet" instead of "Long Ping". Tor traffic with no packets from server were alarming as "Successful". The alarm was updated to "Attempted". The Flow Sensor eth4 log was showing an invalid pointer error. Fixed the code to output the log message correctly. The Flow Sensor 3000 was not processing packets with multilayer VLAN tags. The engine has been modified to handle up to 4096 layered tags. The SMC document builder was not saving filter criteria. Fixed the document builder to retain appropriate input values in the common filter criteria. The SMC client interface was missing the "user management" menu. Users with "SMC manager" rights now have access to the "user management" menu. Cisco Senderbase links were incorrect on the External Lookup configuration page. Fixed broken links. The Traffic by Peer Host Group component was not displaying flow information. Updated the component to display flow data correctly. LSQ-2963 LSQ-2956 LSQ-2982 LSQ-2989 LSQ-2992 NA LSQ-2995 LSQ-2968 LSQ-3013 LSQ-3002 LSQ Cisco Systems, Inc. All Rights Reserved. 15

16 SWD-8661 SWD-8670 SWD-8676 Updated the flow-forwarder Docker container v2.2.2 to use less memory and turned on heap debugging options so that more information may be gathered when there is an issue with the Java (JVM) heap. The support information updated for STE-97 was translated into Korean, Chinese, and Japanese. The flow rate dropped when the Flow Sensor cache was full. Fixed an issue that caused packets to be dropped during processing when under load. LSQ-3022 NA LSQ-3023 SWD-8689 SWD-8701 SWD-8702 "Client Port Filtering" was not working with Fast Query selected. A query fix has been provided to make Client Port Filtering work correctly, with or without enabling fast query. OVF resource defaults did not match documented minimums. Updated the SMC and Flow Collector OVFs to 16 GB ram. Unable to edit response management rules in the SMC client interface. Fix added to handle null pointer errors when editing the rules in response management. LSQ-3031 NA LSQ-3038 SWD-8705 A Database Restore failed on a Flow Collector LSQ-3040 SWD-8708 SWD-8727 SWD-8758 SWD-8791 Fixed an issue where Vertica was not stopping correctly. TextCopyHandler failed to read files at /lancope/var/smc/tmp. Scheduled reports temporary file handling process has been improved to avoid SQL errors. Top Alarming Hosts widget was not loading due to unknown host exception error. The svc-sw-reporting container was updated to better handle dealing with exceptional data within the database. Default Services were missing under Host Locking Configuration. Updated the conditions to populate the services list correctly. The MongoDB compact script failed to save SMC configuration. Fixed a typo that caused the script to fail. LSQ-2987 LSQ-3048 LSQ-2987 LSQ-3004 LSQ-3048 LSQ-3052 LSQ Cisco Systems, Inc. All Rights Reserved.

17 SWD-8807 The client interface would redirect the user to the license manager page on a licensed SMC. Updated the code so that users are able to access the client interface on a properly licensed appliance. NA SWD-8819 SWD-9049 SWD-9051 SWD-9207 The Interface Service Traffic report was broken. Corrected an issue with the database query group used by the report. Limited the Vertica MaxMrgOutROSSizeMB parameter to 4096 in order to improve query response performance. The SMC client interface would not load due to a SSL Certificate corruption after restoring default certificates. Added additional actions to correctly restore the default certificates. HTML code appeared in the name of some graphs in the SMC client interface. The <br> HTML tag was removed. LSQ-3066 LSQ-3071 LSQ-3094 LSQ Cisco Systems, Inc. All Rights Reserved. 17

18 Known Issues This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference. Defect Number Description Workaround LVA-306, LVA-307 If you have an untrusted virtual machine installed on the same physical cluster/system as a Stealthwatch appliance, the Stealthwatch appliance is vulnerable to a side-channel attack that can expose private keys. A vulnerability was disclosed for the gnupg software package suite. This vulnerability involves a side-channel attack against the gnupg implementation of the RSA cryptographic algorithm. When RSA keys are in use on the system, the implementation allows for the recovery of bit length private keys. Additionally, it experimentally appears that 13% of the 2048 keyspace is vulnerable as well. More details about the vulnerability can be found by reading the white paper located at The risk from this side-channel attack applies where the private key is in use on the system. For Stealthwatch customers, this applies to SSH and HTTPS sessions. For Important: Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch System appliances. Important: If you are upgrading the system to v6.10 from an earlier version, confirm all appliances have the latest patch files installed. To review the Stealthwatch appliance vulnerability, complete the following steps: 1. Log in to the Stealthwatch Appliance Admin. 2. Click Configuration > Services. Review the SSH section. If the Enable SSH box is checked, you need to regenerate the RSA host key pair using the instructions shown below. 3. Click Configuration > SSL Certificate. Review the installed certificates. If there are custom certificates installed using the RSA or RSA-2048 bit keys, you must regenerate new certificates. 4. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates. If the SSH service is enabled on the appliance, regenerate the RSA host key using the following instructions. You will regenerate the RSA host key on every appliance in the system. 1. SSH onto the SW Appliance as root or using the root terminal option in the sysadmin menu. 2. To delete the public and private keys in the primary location, run the following command: rm f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub. 3. To delete the public and private keys in the Cisco Systems, Inc. All Rights Reserved.

19 Defect Number Description Workaround customers running hardware appliances and in fully controlled Virtual Machine infrastructures, the risk of exposure is mitigated by access to the physical and virtual systems. For customers running in a co-located VM infrastructure, the risk of exposure is greater. backup location, run the following command: rm f /lancope/var/admin/ssh/ssh_ host_rsa_key /lancope/var/admin/ssh/ssh_host_rsa_ key.pub 4. To regenerate a new RSA host key pair, run the following command: /lancope/admin/bin/generatesshkeys 5. Do one of the following to restart the SSHD service: o If the appliance software version is 6.9 and later, run the following command: systemctl restart ssh.service o If the appliance version is earlier than 6.9, run the following command: /etc/init.d/ssh restart 6. Repeat these steps on every appliance in the Stealthwatch System. If you have installed custom certificates using RSA or RSA-2048 bit keys on your Stealthwatch appliances, you must regenerate new X509 certificates. 1. Log in to the Stealthwatch Appliance Admin. 2. Click Configuration > SSL Certificate. 3. Click the? icon to open the Help page. o o Use the SSL Certificate instructions to generate a new X509 certificate. If the certificate is X509 certificate is RSA, create it with a size of 4096 bits. 4. Delete the old (vulnerable) X509 certificate from the appliance. 5. Click Configuration> Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, regenerate new certificates. o o Click the? icon to open the Help page. Use the Certificate Authority Certificates instructions to add a new X Cisco Systems, Inc. All Rights Reserved. 19

20 Defect Number Description Workaround o certificate. If the certificate is X509 certificate is RSA, create it with a size of 4096 bits. SWD-7627 SWD-7655 SWD-8197 SWD-8673 If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View. The generation of a diagnostics pack may fail in large systems as a result of timing out. The Flow Sensor was not detecting enough applications. SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode. None currently available; the feature will be available in a future release. To overcome this, open the SSH console for the appliance and run this command: dodiagpack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP. To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library. To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script. SWD-9052 Offline license activation failing This error may occur if you moved a virtual machine, Cisco Systems, Inc. All Rights Reserved.

21 Defect Number Description Workaround SWD-9300 SWD-9542 SWD-9563 or "Storage Binding Break" error. The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port. After configuring Active Directory in the SMC, User Info is empty. The user details are included in the flows but User Info does not show the information due to inconsistencies when querying ISE certificate attributes. When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client dropdown arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following: Search (magnifying glass icon) Help (person icon) Global Settings (geer icon) Additionally, the fonts look different from how they appear when displayed using other browsers. uploaded a license more than once, or if the license is corrupted. Please contact Stealthwatch Customer Community for assistance. None currently available; this will be fixed in a future release. The User Info is available if ISE returns Active Directory UPN (User Principal Name) as "username" in the session. To configure ISE to return UPN, go to ISE Administration > External Identity Sources > Certificate Authentication Profile settings. Close the browser and log in again. SWD After a license is activated in the Desktop Client License Manager, the Status column does not update from "Trial" to "Installed" until after the appliance is Reboot the appliance and log in to the Desktop Client License Manager again. The Status will update after the system is rebooted Cisco Systems, Inc. All Rights Reserved. 21

22 Defect Number Description Workaround rebooted. SWD SWD SWD NA The Security Event Queries API is providing results from a larger time span than set in the timerange filter. Users are unable to upgrade their system using the upmanrepo.swu file. Users unable to install an appliance on a KVM host if they change the CPU Type. On the Flow Sensor VE, Export Application Identification is off by default. None currently available; this will be fixed in a future release. Use the individual appliance swu files to update your system. This will be fixed in a future release. Use the default CPU Type when you deploy an appliance on a KVM host. To enable application identification, this advanced setting will need to be manually selected. Contacting Support If you need technical support, please do one of the following: Contact your local Cisco Partner Contact Cisco Stealthwatch Support o To open a case by web: o To open a case by tac@cisco.com o For phone support: (U.S.) o For worldwide support numbers: worldwide_contacts.html Cisco Systems, Inc. All Rights Reserved.

23 2019 Cisco Systems, Inc. All Rights Reserved. SW_6_10_3_Release_Notes_DV_1_3