List of products that are integrated in Apex Central 2019
This article lists all of the products integrated in Apex Central.
ServerProtect for Linux agent not starting after installation
ServerProtect for Linux agents may fail to start after installation. This is caused by the Linux security module Security-Enhanced Linux (SELinux). When SELinux is running at the same time, ServerProtect may not function properly. The "execve" hook in the ServerProtect service conflicts with the SELinux service on Red Hat Enterprise Linux (RHEL) 9 x86_64 platforms. To support the "execve" hook on x86_64 kernels after 2.6.32, ServerProtect for Linux uses the Linux Security Module (LSM) to perform the "execve" hook. A conflict may occur in this situation because the kernel only allows one LSM module to register at a time.
IMPORTANT ADVISORY: Trend Micro Potential Certificate Update Issue
Date of Initial Notification: April 28, 2022
Within the next 12 months (approximately one year), Trend Micro will be transitioning certain key certificates in various products due to vendor retirement and other technical backend issues. Due to some of the complexity of the changes, the application of a patch or hotfix on the customer side will be required to ensure completely seamless operation moving forward.
The potential impact is that customers who do not update or patch before March 31, 2023, may experience issues receiving updates in the product after this time.
The products and versions affected by this issue are listed below, as well as the minimum patch or build level required to ensure update continuity. Please note that Trend Micro always recommends that customers apply the latest update available, which may resolve other critical issues such as vulnerabilities and compatibility issues.
Unable to access ServerProtect for Linux (SPLX) web console due to a permission issue
The SPLX web console cannot be accessed, and the log shows permission issues.
[Tue Sep 27 13:09:31.165352 2022] [core:error] [pid 1803076] (13)Permission denied: [client 10.60.3.184:1058] AH00035: access to / denied (filesystem path '/opt/TrendMicro/SProtectLinux') because search permissions are missing on a component of the path
[Tue Sep 27 13:09:31.165408 2022] [core:error] [pid 1803076] (13)Permission denied: [client 10.60.3.184:1058] AH00035: access to /loginpage_splx.htm denied (filesystem path '/opt/TrendMicro/SProtectLinux') because search permissions are missing on a component of the path
[Tue Sep 27 13:09:31.239046 2022] [core:error] [pid 1803076] (13)Permission denied: [client 10.60.3.184:1058] AH00035: access to /favicon.ico denied (filesystem path '/opt/TrendMicro/SProtectLinux') because search permissions are missing on a component of the path, referer: https://10.2.34.119:14943/
[Tue Sep 27 13:09:31.239092 2022] [core:error] [pid 1803076] (13)Permission denied: [client 10.60.3.184:1058] AH00035: access to /loginpage_splx.htm denied (filesystem path '/opt/TrendMicro/SProtectLinux') because search permissions are missing on a component of the path, referer: https://10.2.34.119:14943/
[Tue Sep 27 13:09:34.179423 2022] [core:error] [pid 1803076] (13)Permission denied: [client 10.60.3.184:1058] AH00035: access to / denied (filesystem path '/opt/TrendMicro/SProtectLinux') because search permissions are missing on a component of the path
[Tue Sep 27 13:09:34.179474 2022] [core:error] [pid 1803076] (13)Permission denied: [client 10.60.3.184:1058] AH00035: access to /loginpage_splx.htm denied (filesystem path '/opt/TrendMicro/SProtectLinux') because search permissions are missing on a component of the path
[Tue Sep 27 13:09:34.180263 2022] [ssl:info] [pid 1803569] [client 10.60.3.184:1059] AH01964: Connection to child 6 established (server localhost.localdomain:443)
This issue can happen if the permissions for the Trend Micro folder were misconfigured.
Capturing packets for troubleshooting network-related issues in InterScan Messaging Security Virtual Appliance (IMSVA)
A data packet capture file is needed for troubleshooting network communication issues.
Trend Micro products and the Logjam Vulnerability – [CVE-2015-4000]
What is the Logjam vulnerability?
Another flaw has been found in the basic encryption algorithms that secure the Internet. This flaw, named the Logjam attack (CVE-2015-4000) by its discoverers (researchers from various universities and companies), allows an attacker that can carry out man-in-the-middle attacks to weaken the encryption used in secure connections (such as HTTPS, SSH, and VPNs). In theory, this means that an attacker (with sufficient resources) can break the encryption and read the “secure” traffic.
Logjam’s activities are reminiscent of the FREAK vulnerability discovered in March. FREAK forces a secure connection to utilize weaker encryption that makes it easy for cybercriminals to pounce on sensitive information. The difference with Logjam is that the problem lies in a weakness found in the Diffie-Hellman key exchange.
Websites and email servers make use of SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols to create a secure connection among users. The Diffie-Hellman key exchange is primarily responsible for the communication and exchange of encryption keys that are used to secure a connection. The Logjam attack makes it easy to lower TLS connections to the level of those that use 512-bit “export-grade” encryption. In turn, cybercriminals can dupe a server into accepting weaker encryption, thinking it is secure enough. This then gives them the chance to intercept the data that passes through the connection.
Who is impacted by Logjam?
Theoretically, any protocol that uses the Diffie-Hellman key exchange is at risk from this attack. However, note that this attack requires two factors on the part of the attacker: the ability to intercept traffic between the secure server and the client, as well as significant computation resources.
ServerProtect for Linux (SPLX) 3.0 Service Pack 1 (SP1) Patch 7 (EN) is now available
On December 30, 2016, Trend Micro released SPLX 3.0 SP1 Patch 7 (EN), which is a cumulative patch that includes previous hot fixes and enhancements from SPLX 3.0 Patch 6. The patch is now available in the Download Center. This patch also includes agent platform support for Red Hat 7, CentOS 7, and SUSE 12.
ServerProtect For Linux (SPLX) 3.0 Critical Patch 1531 has been released
ServerProtect for Linux (SPLX) 3.0 Critical Patch 1531 is now posted in the Download Center of Trend Micro. This critical patch fixes a CSRF vulnerability and upgrades the Apache server/OpenSSL module. Applying this critical patch is recommended.
SECURITY BULLETIN: Trend Micro ServerProtect for Linux (SPLX) Cross-Site Scripting (XSS) Vulnerability
Release Date: December 27, 2016
Trend Micro Vulnerability Identifier(s): 2016-0212
CVE Number(s):
Platform(s): Linux
Trend Micro has released a critical patch for Trend Micro ServerProtect for Linux (SPLX) 3.0. This patch resolves a vulnerability in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations.
SECURITY BULLETIN: Important Information about RCE in Apache Struts (CVE-2018-11776) and Trend Micro Products
Updated: August 30, 2018
On August 22, 2018, The Apache Software Foundation issued a critical security bulletin (S2-057) after security researchers discovered a remote code execution (RCE) vulnerability in the popular open-source Java-based web application development framework. The vulnerability has been assigned the following CVE identifier: CVE-2018-11776. Information on Trend Micro protection/detections for this vulnerability, as well as information on Trend Micro products that may be affected, can be found below. For more detailed background on the vulnerability itself, please visit the following Trend Micro Blog: Critical Remote Code Execution Vulnerability (CVE-2018-11776) Found in Apache Struts.