TippingPoint Security Management System 6.2.0 / TippingPoint Threat Protection System 6.2.0 が以下の通り公開されました。
■公開開始日
2024年01月18日 (木)機能等の詳細につきましては以下のドキュメント(英語)をご覧ください。
Security Management System 6.2.0 Release Notes
Threat Protection System 6.2.0 Release Notes
TippingPoint Product Announcement
■入手方法
Trend Micro TippingPoint Threat Management Center(TMC)からアップグレード用のモジュールやドキュメントをダウンロード
することができます。
※ログインには TMC アカウントが必要です。■導入手順
サポート情報 : トレンドマイクロ
導入手順につきましてはOnline Help Centerからダウンロードできるインストールガイドやユーザーガイドをご参照ください。
※ドキュメントは全て英語です。
Release contents
Description Reference Enhancements to Trend Vision OneTM integration include:
• TLS Network Telemetry for efficient monitoring and analysis of events in real time
• Suspicious Object Sync no longer requires a Service Gateway
• A Disconnect button on the Connect to Trend Vision One page to conveniently disconnect your SMS locally instead of using Trend Vision One’s Product Connector
• Network Intrusion Prevention operations in Trend Vision One now can simulate traffic that triggers specified IPS filters associated with your integrated SMS. These simulated attacks correspond to Inspection Events on the SMS Client and can be viewed from the Trend Vision One Workbench.
To learn more, refer to the Integrating SMS with Trend Vision One Software Guide.New This release provides the ability to leverage Server Name Indicator (SNI) extensions to expediently check entries in the Reputation Database and block specific HTTPS traffic without relying on TLS decryption and HTTPS Get requests. New The SMS CLI provides two new commands:
• ntp.status – Lists the status of all SMS NTP servers by their IP address.
• ntp.clients – Lists NTP clients/hosts that have successfully polled the SMS to synchronize their time.
To learn more about these commands, refer to the SMS CLI Reference.New For idle user sessions, the SMS can now lock the session until a user provides authentication to unlock it. New The SMS now supports multiple CAC reader cards that are attached to the user’s system. New The SMS can now log the IP addresses of all the endpoints (including Syslog, Radius, and AD servers) with which it communicates. This feature is turned off by default. New During an upgrade to TOS v6.2, an SMS with an outdated 1K certificate key automatically contacts the TMC up to three times to install any available 2K certificate key. If a more secure 2K key fails to be installed, the resulting entry in the system log will indicate to your TAC representative options for remediation. Normal SMS operations will not be affected. TIP-101050 This release enhances the automation of DV updates without relying on client access for distribution. TIP-101061 The SMS extends its certificate support to include Elliptic Curve Digital Signature Algorithms (ECDSA) with secp224rl, secp384rl, and prime256v1 curves. ECDSA certificates can be used for TLS inspection configuration only. Support for ECDSA ciphers has also been added. TIP-101058 SMS file uploads to TPS 440T and 2200T devices no longer fail with a File too big error. TIP-93110
PCT-1741
SEG-180383The SMS OpenSSL version has been upgraded to version 3.0.8. TIP-102893 An OpenSSH vulnerability (CVE-2023-48795) that enabled attackers to manipulate sequence numbers during the SSH handshake has been repaired in this release. TIP-107615 An issue affecting outbound SSL Client Proxy configurations has been fixed so that the Decrypted Service value can now be set to something besides . TIP-106043 This release improves performance for the function that exports Trace Events from TPS devices to the SMS. TIP-101057
Release contents
Description Reference This release includes support for vTPS device deployments.
Note: Beginning with TOS v6.2.0, a vTPS device can be run only in Performance mode, and the host CPU must support the AVX2 instruction set. For information on all other deployment requirements, refer to the Virtual Threat Protection System (vTPS) User Guide.New This release enhances SSH by removing weak algorithms. The improved SSH configuration replaces the existing one when you upgrade the device to TOS v6.2.0. You can use the CLI to add and remove any supported algorithms. New You can now import your own X509 certificates to SMS-managed TX and TXE devices without affecting management functionality or encountering compatibility issues. Import the X509 certificates using the new https-certificate CERTIFICATE-NAME command. Remove the certificate using the new delete https-certificate CERTIFICATE-NAME command. New Beginning with TOS v6.2.0, TPS devices support TLS inspection of traffic encrypted with ECDSA. New A file handle leak that risked system instability over time has been fixed. TIP-94031 TPS devices no longer support the DES privacy protocol for SNMPv3 Users or SNMPv3 Trap Destinations. Update any users/trap destinations that use DES to use the AES privacy protocol instead. Otherwise, the device will ignore any users/trap destinations that are using DES, and a system log error will be generated for each invalid configuration item. TIP-101939 An issue where a heavily configured device could fail to upgrade properly and cause a rollback has been fixed. TIP-107012
PCT-9125This release fixes a segmentation fault that could cause the device to go into Layer 2 Fallback mode. TIP-107008
PCT-7265An OpenSSH vulnerability (CVE-2023-48795) that enabled attackers to manipulate sequence numbers during the SSH handshake has been repaired in this release. TIP-107615 TOS v6.2.0 now supports FIPS mode. An upgrade from TOS v5.5.5 with FIPS mode enabled will succeed without an incorrect FIPS mode status. TIP-94157 The bypass light on a TX device no longer remains on regardless of the bypass condition. TIP-94280
SEG-189492An issue that prevented encryption mode in TRHA has been fixed. TIP-104679
PCT-2907This release includes updates that improve network stability. TIP-102599 This release fixes a memory leak issue in switch code. TIP-107948 A discrepancy that caused the output of “Show NP Tier Stats” in the Stack Segment Ports section to display the incorrect value for each device in the stack has been fixed. TIP-105781
PCT-5752An issue with the device CLI misreporting speed/duplex values in the management interface when auto-negotiation is disabled has been fixed. PCT-2030
Security Management System (SMS) v6.2.0
The TippingPoint SMS delivers enterprise-class security management capabilities for the TippingPoint
Network Security Products portfolio.
- SMS TOS v6.2.0 release provides the following enhancements:
- Important SMS Note(s):
- Due to CentOS 7 support ending June 30, 2024, SMS v6.2.0 has migrated to Rocky Linux 9.
- IMPORTANT: The size of the SMS TOS v6.2.0 installation package exceeds the limit of the SMS Software auto-download function on all current TOS versions of SMS. To install SMS TOS v6.2.0, customers must manually download the package from TMC and import it to their SMS server(s).
- It is highly recommended to upgrade to v6.2.0 at your earliest convenience to avoid any compliance issues that may be encountered running CentOS 7 after the end of support.
- SMS TOS v6.2.0 supports TPS TOS v6.2.0 appliances and backward compatibility for previously supported versions.
- SMS TOS v6.2.0 upgrades are only supported on SMS devices installed with SMS TOS v5.4.1 or later. Attempts to upgrade from an older release will return an error.
- If your SMS system operates in High Availability (HA) mode, you must break HA and upgrade each SMS independently before re-establishing your SMS HA cluster.
