Virsec Security Platform (VSP) leverages Virsec Map to protect high-value enterprise applications deployed in data centers or on public and hybrid clouds from highly sophisticated attacks, including memory corruption, code injection, credential theft and supply chain attacks. VSP creates and enforces guardrails around the application as it executes. These guardrails ensure that applications perform only as intended and stop attackers from corrupting memory as a precursor to hijacking control of the application and subsequently stealing or destroying high-value enterprise data.

DATE OF RELEASE

4/7/2023

COMPATIBILITY MATRIX

Refer to the topic Compatibility Guide for information on the supported platforms and languages.

NEW FEATURES

  1. CMS Enhancements:

    1. CMS UI has improvements in the left pane for better grouping of features and ease of navigation

    2. CMS now enables easy deployment of Probes on VM with commands for download and installation. Click here for more information

    3. Enhancements are incorporated in incident management for better processing

    4. New APIs are available to obtain incident related information

    5. The licenses maintain persistence during VM restarts on on-prem license servers. Click here for more information

    6. Incident Type information is provided in the VSP Reports

    7. Probes page now displays the Probe First Installed and Probe Last Installed fields. Click here for more information

    8. During Application creation, Web Profile is now an optional field. The field “Application Type” is no longer applicable for Java

  2. Platform Enhancements:

    1. New MSI-based installation option is available for Windows-based probe installation. Click here for more information

    2. Signed scripts are available for Linux-based probe installation. Click here for more information

    3. A password is now required to uninstall or upgrade the Probe on Windows and Linux

  3. VSP Web Enhancements:

    1. Application Discovery is a new component of the installed VSP probe. It scans the Application Instances after installation and at regular intervals (default: weekly) to discover the web applications hosted on them. Once web applications are discovered, the corresponding Applications are created on CMS with the discovered information. Click here for more information

  4. VSP Host Enhancements:

    1. An active Maintenance Mode can be stopped at the host level. In earlier releases, “STOP” was applicable for all the hosts in the profile. Click here for more information

    2. Ability to automatically allow new publishers/packages discovered during runtime. This is a configurable option in the host profile and is enabled by default for newly created host profiles. Review this default for hosts in Protect mode, since an automatically allowed publisher or package is trusted without operator review

    3. Files marked as SAFE by ReversingLabs also carry a trust factor. VSP now trusts only files with trust factor values 0, 1 and 2; files with trust factor 3 and above are no longer treated as known, for higher efficacy. Click here for more information

    4. Incidents related to executable allowlisting and App Control Policies are now cached locally on the probe when CMS is not reachable and forwarded once CMS becomes reachable again

  5. VSP Application Control Policy Enhancements:

    1. ACP related incidents are reported as a separate category “App Control Violation” with relevant information. Click here for more information on the various event types

    2. In Pristine host mode, the scripts discovered as a part of App Control Policy scan are added to the local allowlist and not sent to CMS

    3. ACP rules are now applied based on the hash values of the application in scope, even when only the application name is defined in the ACP rule. This lets VSP stop application masquerading attacks, in which a binary is renamed so that a name-based rule no longer applies to it or applies to the wrong file

    4. Incidents can now be detected based on the redirection part of a command, that is, the portion of the command line following a shell redirection operator such as > or >>

  6. VSP Memory Exploit Protection Enhancements:

    1. MEP is now supported on a wide range of kernel versions for the supported Linux Operating systems. While Virsec automatically adds support for the newly available kernel versions on a regular basis, if any kernel version is unsupported, the user is notified through CMS. Click here for more information about how you can identify unsupported kernel versions and update LFR to get support for the latest Linux Kernels

    2. MEP now protects against the Linux-based ptrace sudo token privilege escalation exploit

    3. Regular Expressions based exclusions are now supported. Click here for more information
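An added example, not Virsec code, of the pitfall a practitioner should check when exclusions are regular expressions (as here, and as the Host Monitoring caveat below notes for the Global exclusion list): an absolute path pasted in verbatim is a pattern in which "." matches any character and nothing anchors the ends, so it excludes more paths than intended. The matching semantics assumed here (Python `re.search` against the absolute path) and the sample paths are assumptions, not the product's implementation.

```python
"""Added illustration, not Virsec code: what goes wrong when every entry of an
exclusion list is interpreted as a regular expression, and how to write an
entry that excludes exactly one path (or one directory subtree).  The matching
semantics (re.search over the absolute path) and the sample paths are assumptions."""
import re

def compile_exclusions(entries):
    """Every entry is a regex, verbatim, exactly as a regex-only exclusion list treats it."""
    return [re.compile(e) for e in entries]

def literal_path_entry(path: str) -> str:
    """Turn an absolute path into an entry that matches only that path or, for a
    directory, only that directory and what lies beneath it: escape the regex
    metacharacters ('.' above all) and anchor both ends."""
    return rf"^{re.escape(path.rstrip('/'))}(/.*)?$"

def excluded(entries, candidates):
    """Return the candidates an exclusion list would drop from monitoring."""
    patterns = compile_exclusions(entries)
    return [c for c in candidates if any(p.search(c) for p in patterns)]

# Constructed sample of paths the probe might see.
CANDIDATES = [
    "/opt/app/bin/run.sh",           # the one path the operator meant
    "/opt/app/bin/runXsh",           # '.' in the verbatim entry matches the 'X'
    "/tmp/opt/app/bin/run.sh.bak",   # no anchors: the entry matches as a substring
    "/opt/application/bin/run.sh",   # different path, shown for contrast
    "/var/log/app/today.log",        # under the directory entry
    "/var/log/apple/today.log",      # sibling directory that must not be swept in
]

def demo():
    verbatim = ["/opt/app/bin/run.sh", "/var/log/app"]   # paths pasted as-is
    safe = [literal_path_entry("/opt/app/bin/run.sh"), literal_path_entry("/var/log/app/")]
    return {"verbatim": excluded(verbatim, CANDIDATES),
            "escaped_and_anchored": excluded(safe, CANDIDATES)}

if __name__ == "__main__":
    for mode, paths in demo().items():
        print(mode, paths)
```

The verbatim entries silently exclude five of the six sample paths, including a sibling directory and a backup copy under /tmp; the escaped and anchored entries exclude only the script and the intended log directory.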

FIXES

Defect ID   Description
SUPP-51     Maintenance Mode does not auto-whitelist scripts executed during this window
SUPP-58     ADVERTISED_LISTENER is missing from vsp-kafka
SUPP-308    ACP does not block the command line in protect mode during certain attempts
SUPP-393    Critical vulnerabilities found in images after CI phase
SUPP-427    ACP does not alert/block some command lines
SUPP-446    RBAC displays errors for certain tabs
SUPP-465    The field "Updated By" for all system alerts related to Maintenance Mode displays the value "SYSTEM"
SUPP-483    Unable to upload the file Caprequest.bin on FlexNet using Activation ID
SUPP-487    RDP failed for Windows servers when the profile (in Detect mode) and MEP are enabled
SUPP-508    .NET Application does not move to normal status
SUPP-557    SIEM QRadar Syslog format issue causes incident
SUPP-571    Website login fails after VSP instrumentation for .NET application
SUPP-572    Remove hardcoded credentials and IP addresses in 2.5.0 LFR Helm chart
SUPP-573    K8s SA is not created when the Helm value serviceAccount.create is set to true
SUPP-576    Unknown error encountered while managing 2.5.0 Allowlists
SUPP-577    Wiki (Tomcat) application does not work in protect mode
SUPP-584    Expired digital certificate process is reported as a threat in the allowlist but process execution behavior is different in Protect Mode
SUPP-611    Windows Strict ACP does not cover regedit.exe
SUPP-622    RBAC issue is detected in host incident management on CMS
SUPP-636    Linux Probe script directory has unmaintained files
SUPP-646    CD tool modifies the container name in addition to the image name
SUPP-651    On Windows 2003, the file vm-install.bat has a mislabeled function
SUPP-672    Some .NET Applications hang due to the loading order of the libraries when MEP is injected
V2-22513    MS Exchange Server does not report incidents for attacks against the OWA application
V2-22298    LDAP User Group base DN displays validation error

Table – VSP 2.7.0 Fixes

KNOWN ISSUES AND CAVEATS

Category

Description

Known Issue/ Caveat

Installation

CI phase fails on Ubuntu 20 container

CI phase fails on an Ubuntu 20 container if Docker version 19.03.0 to 19.03.8 is installed on the Management node used for installation. This is due to a known issue in these Docker versions

Recommended Workaround: Install Docker version 19.03.9 on the Management Node

Known Issue

FSM (File System Monitoring)

File Rename incident is detected with "fileName" and "filePath" as "NON_MONITORED_PATH"

For a File rename incident, "fileName" and "filePath" attributes are reported as "NON_MONITORED_PATH" after deletion of the file contents

Known Issue

Duplicate incidents and events are generated after file modification

Duplicate incidents and events are generated after modification of an existing or new file with event types NEW_FILE, FILE_MODIFIED and FILE_RENAMED

Known Issue

(Windows 2008) Two incidents are generated for file rename action

For a file rename action, two Incidents FILE_RENAME and FILE_MODIFIED are reported in Windows 2008

Known Issue

Incidents are reported for excluded folders

When multiple Applications are associated with the same ASI and a few folders are excluded in one of them and not the others, incidents are reported for the excluded folders

Recommended Action: Ensure that the folders are excluded in all the associated Applications on CMS

Known Issue

VSP-Memory

Post BE attack, process may not restart for VM

Post BE attack, if an application is configured in the inline protect restart mode, it may not get restarted successfully.

Recommended Workaround: sudo must be present on the machine and must not prompt for a password when run as the root user

Known Issue

Apache 2.4 (httpd) is not instrumented when it is started as a service (Win 2016)

The httpd service is not instrumented when it is started as a Windows service; the process terminates.

Recommended Workaround: Do not start httpd as a service. Execute it from the console

Known Issue

(Windows) VSP-Memory fails to automatically re-instrument an Application sometimes

In Windows, when using auto-instrumentation for a service, VSP-Memory sometimes fails to re-instrument the application automatically, if the service is restarted via the Services window. This is because VSP-Memory-Assist does not process the application stop/start quickly enough

Recommended Workaround: In such cases, stop the service and wait approximately 5 seconds before starting it again

Known Issue

Host Monitoring

All entries in the Global exclusion list are considered regular expression patterns

All entries in the Global exclusion list are considered regular expression patterns even when they are absolute paths, so regex metacharacters in a path (for example ".") are interpreted as pattern syntax rather than literally

Known Issue

VSP-CLI logs error in Mixed Mode

In Mixed Mode, VSP-CLI logs error: “ERROR: ld.so: object 'libvsp-hmm-agent.so' from /etc/ld.so.preload cannot be preloaded: ignored.”
It has no adverse effect on the VSP-CLI functionality.

Caveat

Some publishers are not detected/allowlisted during the initial scan

When the Google Chrome browser is launched, some libraries signed by the publisher 'ESET, spol. s r.o.' are loaded. This publisher is not listed in the publishers list produced by the initial scan. When the process is launched, the publisher is allowlisted automatically (if auto-allowlist is enabled)

Expected Behavior

VSP does not report modified processes or libraries that belong to a package in systems that use prelink

VSP does not report modified processes or libraries that belong to a package in systems that use prelink. The prelink application inherently changes the binary checksum, so there is no true reference for VSP to use.

Expected Behavior

In Windows, when an application is started with or without the “.exe”, different detections by VSP may be possible

ACPs are specific to the command lines used when starting an application. In Windows, when an application is started with or without the ".exe", different detections by VSP may be possible

Known Issue

App Control Policies do not support any unicode character in any field

App Control Policies do not support any unicode character in any field

Limitation

Linux HMM agent limitation

In Linux, VSP host monitoring injects its own HMM agent into every running process. The HMM agent expects a specific version of glibc. If the application loads its own custom glibc version that is not compatible with the HMM agent, the HMM agent may not load correctly causing some application issues

Limitation

Exclusion on Child Type ACP rule does not work

Even when a child process is added under exclusion in an ACP rule, an incident is still reported for the excluded child

Known Issue

Publisher/Package list is not included when the host profile is exported

Publisher/Package list is not included when the host profile is exported. As a result, when the host profile is imported into CMS, the publisher/packages list may be missing and may generate incidents.

Limitation

Fully statically-linked executables are not detected at startup by HMM

Fully statically-linked executables are not detected at startup by HMM. However, whenever the allowlist is published or the VSP host mode changes, VSP host detects and checks the actively running statically-linked executables

Known Issue

For a small subset of applications started via the "service" command in Linux, VSP host does not detect the application start

In some cases, for a small subset of applications started via the "service" command in Linux, VSP host does not detect the application start, resulting in a potential false negative. However, each time the allowlist is published or the VSP host mode is changed, VSP host scans the system, which detects the application if it is still running

Known Issue

"Access denied" message is not displayed when a process is blocked

"Access denied" message is not displayed when a process is blocked on Windows 2003 OS (32bit and 64 bit)

Known Issue

Out of box protection actions are not available for Windows 2003 servers

Out of box protection actions are not available for Windows 2003 servers

Known Issue

Execution of native image DLLs by Windows CLR runtime is not covered

Execution of native image DLLs by Windows CLR runtime is not covered under Virsec Process and Library Monitoring capabilities

Known Issue

"Stop Maintenance Mode" functionality is not working as expected

Incidents are reported after stopping the maintenance mode for Python.exe that was installed during maintenance

Known Issue

Windows 2003: Unverified Process with long directory or process name is not blocked

Unverified Process with long directory or process name is not blocked on Windows 2003 servers (32 and 64 bit)

Known Issue

Host Monitoring features do not work on encrypted files

Host Monitoring features do not work on encrypted files that cannot be decrypted by the SYSTEM user

Limitation

For ACPs configured for interpreter shells like cmd.exe or powershell.exe, HMM does not evaluate commands executed directly in them

For ACPs configured for interpreter shells like cmd.exe or powershell.exe, HMM does not evaluate commands executed directly in them against the commandline ACP rules.

Example: If an ACP is created for "cmd.exe" with a commandline deny rule for "echo":

  1. Execution of the command "cmd.exe /c echo hello" is reported to CMS as an incident

  2. Opening cmd.exe and execution of the command "echo hello" inside the interpreter does not result in incident detection

Known Issue

After upgrade to VSP 2.7, the scripts in the allowlist remain in the library section

After upgrade to VSP 2.7, the scripts in the allowlist remain in the library section. They are not listed in the scripts section

Known Issue

Scan Error persists even after recovering probes from HMM crash

When Probes are in maintenance mode for a certain period of time and stopped, a scan is initiated. If the VSP-Manager is stopped/restarted during the scan, an error is displayed on CMS. This persists even after VSP-Manager restarts

Known Issue

On Windows 2003, new publishers are not added to the publisher list

On Windows 2003 32-bit hosts, new publishers are not added to the publisher list if the certificate uses SHA-384 as the digest algorithm

Limitation

Reporting

On-premise Kubernetes-based deployment: Generated reports cannot be viewed

In an on-premise Kubernetes-based multi-pod deployment, generated reports cannot be viewed and error 404 is displayed. This occurs when the JReports component and the Nginx client service are deployed on different worker nodes

Known Issue

Reports are not generated when the Report name contains a special character

Reports are not generated when the Report name contains any special character other than "-" and "_"

Known Issue

The error "Unable to connect to the Report Server" is displayed in CMS while scheduling a report

The error may be due to the occurrence of SQL connectivity error in the JReports Server.

Recommended Workaround: If the error SQLNonTransientConnectionException is found, restart the JReports server

Known Issue

VSP-Web (on Web Server)

Compressed Responses are not supported

VSP-Web (on Web Server) does not support compressed responses (for example, gzip)

Limitation

Web Protection (On Web Server)-Apache – pop-up is not displayed

Web Protection (On Web Server)-Apache: Permission denied popup is not displayed. The request is blocked as expected with no impact to functionality

Known Issue

VSP-Web

Long polling or WebSocket based requests are not supported

Long polling or WebSocket based requests are currently not supported by VSP Web

Limitation

Asynchronous servlet model is not supported

Applications leveraging Async-API are not supported

Limitation

Permission denied message is displayed along with the Application message

For some inline protection cases, along with the Permission Denied pop-up message, the application response is also displayed

Known Issue

VSP 2.5.0 or higher: VSP-Web for Ruby is not backward compatible

VSP-Web for Ruby on Rails is not backward compatible for 2.4.x and lower

Impact: It impacts VSP-Web for Ruby, where CMS is upgraded to VSP 2.5 or higher and Probe is still of a previous version

Recommended Workaround: Ensure that VSP Probe is also upgraded to version 2.5 or higher

Limitation

RFI profile exclusion list is not considered for perimeter level RFI attack

RFI profile exclusion list is not considered for perimeter level RFI attack

Recommended Workaround: Add the relevant exception to circumvent the issue

Known Issue

.Net Core: VSP deletes comments from the file web.config

.Net Core: While provisioning application, VSP deletes comments from the file web.config of the application

Known Issue

Invalid CSRF token is reported to CMS when two j-session IDs are present

Invalid CSRF token is reported to CMS when two JSESSIONIDs are sent in the request. VSP supports monolithic applications only; this occurs only with multiple session providers

Known Issue

VSP Memory Exploit Protection

MEP does not detect a variant of PowerShell Exploit

MEP does not detect a variant of PowerShell Exploit if both the source and target processes are the same

Limitation

Multiple incidents are reported for powershell

Multiple incidents are reported for powershell since Windows attempts to spawn a new powershell with a shortened path and VSP blocks all these attempts

Expected Behavior

Some Exploits are reported as Process Hollowing due to shared API

Exploits such as Credential API Hooking, TLS Callback Injection and Thread Execution Hijack can be reported as Process Hollowing due to the sharing of API calls with Process Hollowing in Windows 2016 and Windows 2019 machines

Known Issue

Two events are detected as part of the OS Credential Dumping attack

Utilities such as ProcDump, used to collect a memory dump of a process, clone the target process before writing the dump file when run with the reflection (clone) flag (-r). In such cases, two events are generated, one for the original process and one for the clone. Both events are detected as part of the OS Credential Dumping attack coverage

Known Issue

General

VSP-CLI command gives error while executing stop/restart VSP-Manager service

When VSP-CLI command is used to stop/restart VSP-Manager service (individually or all the services), there is an error “Exception occurred during the initialization of the VSP Kafka consumer”

Recommended Workaround: Close the current session and stop/restart the VSP-Manager service in a new session

Known Issue

For VSP CMS on an AWS environment ensure that only the External Email server is configured

For VSP CMS on an AWS environment ensure that only the External Email server is configured

Limitation

Email Subscription for application-based incidents

If any application-based incident is configured for Email Subscription, ensure that the Host is NOT selected

Known Issue

VSP is not supported for workloads running SELinux in Enforcing mode

VSP is not supported for workloads running SELinux in Enforcing mode

Limitation

CMS dashboard is not displayed for LDAP user with modified email ID

It is highly recommended to use email as the unique login attribute in the LDAP configuration. If CN is configured and the email ID is modified, CMS does not load the dashboard for that user

Known Issue

Emails configured with spaces in LDAP are not supported

Emails configured with spaces in LDAP are not supported. In such cases, a "valid object class error" is encountered on the CMS LDAP configuration page in the section LDAP User Binding

Known Issue

Licenses need to be reloaded after an On-premise license server restart (Applicable for Kubernetes-based deployments only)

Licenses loaded on the on-premise license server do not persist. Once the on-premise license server is restarted together with CMS, the licenses must be reloaded/activated again using the activation ID already shared

Known Issue

User may be unable to delete instances

User may be unable to delete instances in a larger environment with more than 20 thousand open incidents

Known Issue

Protection Engine: In Windows if the log path contains spaces, log rotation does not work

When the protection engine is configured with protection actions whose log path contains spaces, log rotation does not work on Windows

Recommended Workaround: Ensure that the configured log path does not contain spaces

Limitation

Application and host profiles do not auto-associate if the tag names contain spaces

Application and host profiles do not auto-associate if the application and host tag names contain spaces

Recommended Workaround: Ensure that no spaces are present in the tags

Limitation

Splunk connection using proxy with RootCA configuration is not supported

Splunk connection using proxy with RootCA certificate configuration is not supported by CMS

Limitation

Windows 2008: Probe uninstallation using -U sometimes displays error

Probe uninstallation using the option -U, with password configured displays error

Recommended Workaround: Execute the uninstallation command again for uninstalling the Probe

Known Issue

Table – Known Issues and Caveats

AVAILABLE PATCHES

Click here for VSP Patch 2.7.1 information