Network Security Platform 8.1


8.1.7.82-8.1.3.100 Manager-M-series Release Notes

Network Security Platform 8.1

Revision B

Contents

- About this release
- New features
- Enhancements
- Resolved issues
- Installation instructions
- Known issues
- Product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

This maintenance release of Network Security Platform provides a few fixes for the Manager and M-series Sensor software.

Release parameters | Version
Network Security Manager software version | 8.1.7.82
Signature Set | 8.7.55.3
M-series Sensor software version | 8.1.3.100

This version of 8.1 Manager software can be used to configure and manage the following hardware:

Hardware | Version
NS9x00-series Sensors (NS9100, NS9200, NS9300) | 7.1, 8.1
NS7x00-series Sensors (NS7100, NS7200, NS7300) | 8.1
NS5x00-series Sensors (NS5100, NS5200) | 8.1
NS3x00-series Sensors (NS3100, NS3200) | 8.1
Virtual IPS Sensors (IPS-VM100 and IPS-VM600) | 8.1
Virtual Security System Sensors (IPS-VM100-VSS) | 8.1
M series Sensors (M-1250, M-1450, M-2750, M-2850, M-2950, M-3050, M-4050, M-6050, M-8000) | 7.1, 8.1
Mxx30-series Sensors (M-3030, M-4030, M-6030, M-8030) | 7.1, 8.1
XC Cluster Appliances (XC-240) | 7.1, 8.1
XC Cluster Appliances (XC-640) | 8.1
NTBA Appliance software (T-200, T-500, T-600, T-1200, T-VM, T-100VM, T-200VM) | 7.1, 8.1

The Network Security Platform software versions mentioned above support integration with the following product versions:

Table 1-1 Network Security Platform compatibility matrix

Product | Version supported
McAfee ePO | 5.0, 5.1, 5.3
McAfee Global Threat Intelligence | Compatible with all versions
McAfee Advanced Threat Defense | 3.4.8.96, 3.4.10.27, 3.6.0.12
McAfee Endpoint Intelligence Agent | 2.4, 2.5
McAfee Logon Collector | 2.2, 3.0
McAfee Threat Intelligence Exchange | 1.0.0, 1.0.1, 1.1.1, 1.2
McAfee Vulnerability Manager | 7.5
McAfee Host Intrusion Prevention | 7.0, 8.0

Currently port 4167 is used as the UDP source port number for the SNMP command channel communication between Manager and Sensors. This is to prevent opening up all UDP ports for inbound connectivity from SNMP ports on the Sensor. Older JRE versions allowed the Manager to bind to the same source port 4167 for both IPv4 and IPv6 communication. With the latest JRE version 1.7.0_45, this is no longer possible, and the Manager uses port 4166 as the UDP source port to bind for IPv6. Manager 8.1 uses JRE version 1.7.0_51. If you have IPv6 Sensors behind a firewall, you need to update your firewall rules so that port 4166 is open for the SNMP command channel to function between those IPv6 Sensors and the Manager.

Network Security Platform version 8.1 replaces the 8.0 release. If you are using version 8.0 and require any fixes, note that the fixes will be provided in version 8.1. There will not be any new maintenance releases or hot-fix releases on version 8.0.

With release 8.1, Network Security Platform no longer supports the Network Access Control module and N-series Sensors. If you are using Network Access Control with N-series (NAC-only) Sensors, McAfee recommends that you continue to use the 7.1.3.6 version. If you are using the Network Access Control module in M-series Sensors, continue to use the 7.5.3.30 version. That is, you should not upgrade the Manager or the Sensors to 8.1 in such cases.

Manager software versions 7.5 and above are not supported on McAfee-built Dell-based Manager Appliances.
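The SNMP command channel port note above (4167 for IPv4, 4166 for IPv6) can be checked against a firewall policy before upgrading. The following is an added example, not part of the McAfee release notes: it evaluates a constructed, first-match rule list for Sensor-to-Manager UDP traffic. The rule format, addresses and function names are hypothetical, and it assumes the firewall filters on the Manager-side port.

```python
import ipaddress

# Manager-side UDP port of the SNMP command channel, per IP version,
# as stated in the release note above: 4167 for IPv4, 4166 for IPv6.
CHANNEL_PORT = {4: 4167, 6: 4166}

# Constructed sample data (documentation address ranges, hypothetical rule model).
MANAGER_IPS = {4: "10.1.1.10", 6: "2001:db8:1::10"}
SENSORS = ["10.20.5.7", "2001:db8:20::5"]
SAMPLE_RULES = [  # evaluated top-down, first match wins, implicit deny at the end
    {"action": "allow", "proto": "udp", "src": "10.20.0.0/16",
     "dst": "10.1.1.10/32", "dport": 4167},
    # Carried-over rule: still opens 4167 for the IPv6 Sensors, not 4166.
    {"action": "allow", "proto": "udp", "src": "2001:db8:20::/48",
     "dst": "2001:db8:1::10/128", "dport": 4167},
    {"action": "deny", "proto": "any", "src": "::/0", "dst": "::/0", "dport": None},
]

def rule_matches(rule, src, dst, dport):
    """True if a UDP packet src -> dst:dport is covered by this rule."""
    src_net = ipaddress.ip_network(rule["src"])
    dst_net = ipaddress.ip_network(rule["dst"])
    if src_net.version != src.version or dst_net.version != dst.version:
        return False  # an IPv4 rule never matches IPv6 traffic, and vice versa
    if rule["proto"] not in ("udp", "any"):
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return src in src_net and dst in dst_net

def channel_allowed(rules, sensor_ip, manager_ip):
    """Would Sensor -> Manager command-channel traffic pass the rule list?"""
    src = ipaddress.ip_address(sensor_ip)
    dst = ipaddress.ip_address(manager_ip)
    dport = CHANNEL_PORT[src.version]
    for rule in rules:
        if rule_matches(rule, src, dst, dport):
            return rule["action"] == "allow"
    return False  # implicit deny

def blocked_sensors(rules, manager_ips, sensors):
    """List (sensor, required_port) pairs whose command channel is blocked."""
    blocked = []
    for sensor in sensors:
        version = ipaddress.ip_address(sensor).version
        if not channel_allowed(rules, sensor, manager_ips[version]):
            blocked.append((sensor, CHANNEL_PORT[version]))
    return blocked

if __name__ == "__main__":
    for sensor, port in blocked_sensors(SAMPLE_RULES, MANAGER_IPS, SENSORS):
        print(f"{sensor}: no rule allows UDP to Manager port {port}")
```

With the constructed policy, only the IPv6 Sensor is reported, because its allow rule still names port 4167.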

New features

This release provides fixes for some of the previously known issues, and does not include any new features.

Enhancements

This release of Network Security Platform includes the following enhancements:

Integration with McAfee Vulnerability Manager enhancements

While integrating the Vulnerability Manager with Network Security Manager, in the Database configuration page of Running MVM Scans and Enhancing Alert Relevance, the Password field is cleared after you click Save. This feature has been incorporated as an additional security measure. If you wish to check the server connection for Vulnerability Manager, enter the Password again and then click Test Connection.

Manager Infrastructure enhancements

In this release, the version of MySQL bundled with the Manager is 5.6.30.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Resolved Manager software issues

The following table lists the medium-severity Manager software issues:

ID # | Issue Description
1124198 | The Manager is vulnerable to Tomcat vulnerabilities prior to 7.0.68.
1124098 | Automatically generated reports with Japanese characters have unreadable characters in the file name of the report and the title of the report.
1120216 | The contact information cannot be saved in the Manager.
1115822 | The All Tables backup is not completely exported.
1115135 | The snort rule generates alerts for IP addresses that are not specified in the rule.
1114831 | With heavy traffic and firewall rules configured, there is high CPU usage in an MDR pair.
1113738 | Simulated blocking is disabled unexpectedly.
1107183 | When performing Archive Now action under Manage Maintenance Alerts Archiving IPS Archive Now, the browser prompts to resubmit the form.
1102423 | The Manager displays MySQL version as 5.6.24.
1101842 | After disabling the Inherit Settings option in the Protection Profile page, the option remains enabled after a policy push.
1098743 | When a non-standard port is configured to parse http protocol in the Non-Standard Ports page, the port setting displays incorrect port values.
1097337 | The customized new UDS with an AttackID added overwrites an existing AttackID.
1093495 | Due to malware policy name exceeding the 40 character limit, any changes made to the malware policy cannot be saved.
1089165 | While updating a firewall policy, the exception error Unable to Update Firewall Policy. Java.lang.NullPointerException is displayed when you select a rule object in the Firewall Policies page.
1060003 | The user defined report generated in the Manager with the criteria as does not equal attack blocked displays the report for equals attack blocked.
1059780 | The Manager service often causes high CPU usage of 99%.

Resolved Sensor software issues

The following table lists the medium-severity Sensor software issues:

ID # | Issue Description
1122077 | The Sensor is vulnerable to CVE-2015-3197: ssl/s2_srvr.c in OpenSSL 1.0.1 versions prior to 1.0.1r and OpenSSL 1.0.2 versions prior to 1.0.2f does not prevent use of disabled ciphers, making it simpler for man-in-the-middle attackers to overcome cryptographic protection mechanisms by performing computations on SSLv2 traffic.
1112210 | The debug messages are showing up as emergency messages in the Sensor log for Snort rule import.
1110229 | The Sensor is vulnerable against OpenSSH vulnerability CVE-2015-5600 (increased brute force attacks which cause denial-of-service by bypassing MaxAuthTries).
1108700 | Due to exhaustion of internal resources related to certain system events, the packet capture files cannot be uploaded from the Sensor to the Manager.
1107956 | The Sensor is vulnerable against tcp-sack option, which does not trigger an alert (CVE-2004-0375).
1104386 | After successful datapath auto recovery, the Sensor goes into an asynchronous state.
1104385 | The Sensor stops sending packet logs to the Manager when Layer 7 data collection is enabled.
1102919 | The Sensor is vulnerable against CVE-2015-7613: a race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. Since existing Sensor deployments use a Linux kernel without this fix, the vulnerability theoretically applies with an extremely low exploit likelihood. The vulnerability is not available through a remote, network vector without authentication. In order to exploit the vulnerability locally, an attacker must first surmount two levels of authentication. Then, a specially crafted application specific to this vulnerability must be scheduled. Sensor applications must then be restarted. The application may only be used to exploit the vulnerability at the time of Sensor initialization.
1098272 | In a corner case scenario, a crash in the internal process causes the Sensor to switch into layer 2 mode.
1097189 | When syslog forwarder is configured for IPS events, these events will be sent to the syslog server configured for ACL events.
1056662 | When configured to block, the Sensor detects the attack only for the first packet when it sees multiple duplicated UDP packets in quick succession and misses the attack detection for the subsequent UDP packets.
987219 | Offline signature set update fails in the Sensor.

The following table lists the low-severity Sensor software issues:

ID # | Issue Description
882329 | In a rare scenario, when a non-encrypted flow is received on port 443, the Sensor may fail to raise an alert for that particular flow.

Installation instructions

Manager server/client system requirements

The following table lists the 8.1 Manager server requirements:

Operating system (minimum required), any of the following:

- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2012 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) Japanese operating system

Only x64 architecture is supported. The recommended operating system is the same as the minimum required.

Component | Minimum required | Recommended
Memory | 8 GB | 8 GB or more
CPU | Server model processor such as Intel Xeon | Same
Disk space | 100 GB | 300 GB or more
Network | 100 Mbps card | 1000 Mbps card
Monitor | 32-bit color, 1440 x 900 display setting | 1440 x 900 (or above)

The following are the system requirements for hosting Central Manager/Manager server on a VMware platform.

Table 5-1 Virtual machine requirements

Operating system (minimum), any of the following:

- Windows Server 2008 R2 Standard or Enterprise Edition, English operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2008 R2 Standard or Enterprise Edition, Japanese operating system, SP1 (64-bit) (Full Installation)
- Windows Server 2012 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Standard Edition (Server with a GUI) Japanese operating system
- Windows Server 2012 R2 Datacenter Edition (Server with a GUI) English operating system
- Windows Server 2012 R2 Datacenter (Server with a GUI) Japanese operating system

Only x64 architecture is supported. The recommended operating system is the same as the minimum required.

Component | Minimum | Recommended
Memory | 8 GB | 8 GB or more
Virtual CPUs | 2 | 2 or more
Disk Space | 100 GB | 300 GB or more

Table 5-2 VMware ESX server requirements

Component | Minimum
Virtualization software | ESXi 5.0, ESXi 5.1, ESXi 5.5 Update 3, ESXi 6.0 Update 1
CPU | Intel Xeon CPU ES 5335 @ 2.00 GHz; Physical Processors 2; Logical Processors 8; Processor Speed 2.00 GHz
Memory | Physical Memory: 16 GB
Internal Disks | 1 TB

The following table lists the 8.1 Manager client requirements when using Windows 7, Windows 8, or Windows 10:

Operating system (minimum):

- Windows 7 English or Japanese
- Windows 8 English or Japanese
- Windows 8.1 English or Japanese
- Windows 10 English or Japanese

The display language of the Manager client must be the same as that of the Manager server operating system.

Component | Minimum | Recommended
RAM | 2 GB | 4 GB
CPU | 1.5 GHz processor | 1.5 GHz or faster
Browser | Internet Explorer 9, 10 or 11; Mozilla Firefox | Internet Explorer 11; Mozilla Firefox 41.0.2 or above

Google Chrome is not supported since the NPAPI plug-in is disabled by default and will not be supported by Google going forward. This means that Java applet support is also disabled by default.

For the Manager client, in addition to Windows 7 and Windows 8, you can also use the operating systems mentioned for the Manager server.

The following table lists the 8.1 Central Manager / Manager client requirements when using Mac:

Mac operating system | Browser
Lion, Mountain Lion | Safari 6 or 7

For more information, see McAfee Network Security Platform Installation Guide.

Upgrade recommendations

McAfee regularly releases updated versions of the signature set. Note that automatic signature set upgrade does not happen. You need to manually import the latest signature set and apply it to your Sensors.

The following is the upgrade matrix supported for this release:

Component | Minimum Software Version
Manager/Central Manager software | 7.1: 7.1.5.14, 7.1.5.15
Manager/Central Manager software | 8.1: 8.1.7.33, 8.1.7.52 (only for NS5x00), 8.1.7.73 (only for XC-640 and NS3x00)
M-series Sensor software | 7.1: 7.1.3.106, 7.1.3.119
M-series Sensor software | 8.1: 8.1.3.43, 8.1.3.89

Known issues

For a list of known issues in this product release, see these McAfee KnowledgeBase articles:

- Manager software issues: KB81373
- M-series Sensor software issues: KB81374

Product documentation

Every McAfee product has a comprehensive set of documentation.

Find product documentation

1. Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2. Enter a product name, select a version, then click Search to display a list of documents.

8.1 product documentation list

The following software guides are available for the Network Security Platform 8.1 release:

- Quick Tour
- Installation Guide
- Upgrade Guide
- Manager Administration Guide
- Manager API Reference Guide (selective distribution - to be requested via support)
- CLI Guide
- IPS Administration Guide
- Custom Attacks Definition Guide
- XC Cluster Administration Guide
- Integration Guide
- NTBA Administration Guide
- Best Practices Guide
- Troubleshooting Guide

2016 Intel Corporation

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.