Trend Micro™ TippingPoint™

Security Management System

Release Notes
Version 6.4.0

To ensure that you have the latest versions of product documentation, visit the Online Help Center.

• If you are upgrading from an earlier version, refer to the release notes of any interim releases for additional
enhancements.

• If your SMS system is operating in High Availability (HA) mode, you must break HA and upgrade
each SMS independently before re-establishing your SMS HA cluster.

• Upgrades to this release version require TLS v1.2 to be enabled for SMS client communication
before beginning the upgrade process.

• SMS v6.4.0 upgrades are only supported from an SMS installed with SMS v6.2.x or later. Attempts to
upgrade from an older release will return an error.

• Any earlier version of SMS running in FIPS Crypto Core mode with a 1024-bit certificate cannot be
upgraded to SMS v6.4.0. A 2048-bit (or 2k) certificate is required.

• SMS v6.4.0 ships with Digital Vaccine (DV) versions 3.2.0.9972 and 4.0.0.9972.

• The time required to upgrade will vary based on the version from which you are upgrading and the
quantity of data to migrate. Learn more.

• For information about third party and open source licenses, refer to the Third-Party Licensing document.

1 Security Management System Release Notes

Product version compatibility

Any upgrade to v6.4.0 on an SMS that is managing an unsupported device will fail. Both a UI dialog and a system
log message will indicate which devices need to be deleted first. Likewise, restoring a pre-v6.4.0 version that
includes unsupported managed devices will succeed only after the restore automatically deletes those devices
(indicated in the system log). For a list of currently supported TPS devices and any scheduled End of Life dates,
refer to the TippingPoint End of Life (EOL) dates.

For TPS and vTPS managed devices, your SMS must have the same or later version of the TOS that the managed
device has. For example:

• Correct: SMS v6.4.0 managing TPS v6.4.0

• Incorrect: SMS v6.3.0 managing TPS v6.4.0

Note: As a best practice, be sure to update the SMS before upgrading the device TOS.

Software updates and migration

You cannot upgrade any SMS or vSMS from a version that is no longer supported. Learn more about which
versions are no longer supported.

• Upgrading SMS on Gen6 hardware is not supported. Learn more in Product Bulletin 1041. Gen6 is a
hardware platform that shows as system model SMS H1 in the SMS CLI. To determine your system
model, run the get sys.model command from the SMS CLI:

smsname SMS=> get sys.model

System model (sys.model) = SMS H1

Attempting to upgrade to this release on Gen6 hardware will return an error.

• Upgrades to this release version require TLS v1.2 to be enabled for SMS client communication before
beginning the upgrade process.

• You must upgrade the SMS from SMS v6.2.0 or later. If you are upgrading from a release earlier than
v6.2.0, you must first upgrade to SMS v6.2.0, log in to the SMS to activate a Digital Vaccine, and then
upgrade to v6.4.0. Learn more.

• If your SMS system is operating in High Availability (HA) mode, you must break HA and upgrade each SMS
independently before re-establishing your SMS HA cluster.

The estimated times noted in the following table apply to users upgrading from SMS v6.2.0. You can monitor your
upgrade status from the VGA console or virtual console.

Step Task Process Estimated time SMS status

1 Download upgrade package. Manual Varies1 Available

2 Install upgrade package. Manual 10-15 minutes Unavailable

3 Migrate data. Automatic 30 minutes2 Unavailable

2 Security Management System Release Notes

 1)
Network speed determines the time to download a 515+ GB file.
2)
Depends on the amount of data to migrate. An SMS with User URL Reputation configured can last an additional one to three
hours. The SMS automatically reboots after step 2 and is not available for logins until step 3 has completed. Do not reboot
the SMS during this time.

Release contents

Description Reference

This release introduces the next generation of SMS appliances, the Dell PowerEdge R660 New
SMS H5 and H5 XL rack servers, for greater available storage. Refer to the SMS H5/H5 XL
Appliance Guide on the Online Help Center.

Support for a new type of Reputation filtering enables users to alert and/or block malicious files New
according to their hash values.
You can add as many as 35,000 SHA-1 or SHA-256 file hashes of any type to the Reputation
Database. In this release, file hash is applied to http (or https when decrypting) get requests,
for all files except the following:
• HTML
• Audio or video
• Font
• Files larger than 50 MB
When the Suspicious Object Sync connectivity setting to Trend Vision One is enabled, the
SMS can now pull SHA-1/SHA-256 file hashes from Trend Vision One into the SMS reputation
database, along with IPv4/IPv6 addresses, Domain name entries, and URLs.
File Hash Reputation does not support an action set with a Rate Limit flow control. For those
entries, you can change the action set to one with a different flow control type or remove file
hashes from the entry criteria.
Users upgrading to v6.4.0 must ensure that they also activate the corresponding Digital
Vaccine (DV) version, 3.2.0.9962 in order to use file hash Reputation filtering.

By using the Let's Encrypt (LE) CA for ACME certificate requests, TLS certificate renewal is New
automated. You no longer have to manually request TLS certificates and keys from a
protected web server for the initial TLS configuration and then again every time these assets
expire. Automation includes:

• Certificate Issuance. Automatically obtain a new certificate when needed.

• Validation. Verify domain ownership without manual intervention.

• Installation. Install and configure the CA-signed certificate for transparent inspection of
encrypted web traffic.

3 Security Management System Release Notes

 Server name indication (SNI) filtering has been added to the Domain Suspicious Objects New
database. The TLS handshake inspection this provides enables you to filter servers by FQDN
instead of wildcarded URLs, while sustaining the ability to inspect encrypted traffic without
having to decrypt.
In addition, Domain reputation filtering has been enhanced to support wildcards, allowing
filtering by country code or top-level domains.

The Digital Vaccine (DV) has a new deployment setting, Evaluation, which uses the same New
filters that are enabled in the Default deployment mode, but with a Permit+Notify posture
instead of Block.
Note: Certain traffic normalization filters that detect malformed IP packets must remain
configured to Block.
For any filters that have a recommended configuration of Block, you must manually override
the default setting and set them to Block yourself prior to distribution of the new DV that
contains the Evaluation deployment mode. If the DV with the new Evaluation mode is
deployed without this manual override, any profile that uses the new Evaluation deployment
mode will have its existing default Block filters modified to Permit+Notify after the profile is
distributed to the device.

This release adds support for TLS 1.3, delivering enhanced security, faster performance, and New
a streamlined protocol for improved reliability and efficiency.

A new punycode parameter has been added to the repEntries/query?dns SMS API TIP-119878
call. This parameter causes the output from a DNS query to show punycode-encoded domain
names instead of unicode domain names.

The following host key algorithms are no longer supported for SSH access to the SMS: TIP-124500

• ecdsa-sha2-nistp256

• ecdsa-sha2-nistp384

• ecdsa-sha2-nistp521

The SMS no longer uses the following ports: TIP-122285

• 10042

• 10043

• 1098

• 1099

• 4444

This release fixes an issue that prevented users from accessing the SMS web management TIP-126039
console after a reboot. PCT-36927

In addition to x86 (Intel) processors, the SMS client can now also use ARM (Apple Silicon) TIP-107667
processors. PCT-2003

4 Security Management System Release Notes

 From the SMS Web interface, download the MacOS SMS client installer specifically designed
for ARM-based CPUs and begin the upgrade process. Upgrades from a client version
previous to v6.4.0 on MacOS 15 and later will fail because of a known issue with the Rosetta
2 emulator.

To improve scale and resilience, packet traces generated when a filter is matched can now be TIP-101055
included as part of the syslog message output from SMS to a SIEM/collector. This can
improve scale and helps avoid challenges related to matching pcap files with security events.

TIP-129720
An audit log spamming condition that caused the TPS disk to show as full has been repaired.
PCT-45160

TIP-128963
This release fixes a status display issue for 8600TXE fans and power supplies.
PCT-43558

The KVM console readout no longer continuously shows disconnects and reconnects of the TIP-128659
keyboard and mouse after an upgrade. PCT-42102

When exporting a device configuration from SMS, the file no longer stores SNMP passwords TIP-127960
in plain text. PCT-39454

This release fixes incorrect file permissions on the smsportfwd file that could cause a loss of TIP-126039
access to the SMS Web interface. PCT-36927

When you disable SMS High Availability with the intention of using the SMSs independently, if TIP-131092
Trend Vision One integration has been used, the passive SMS must be factory reset. Do not
disconnect from Trend Vision One prior to the factory reset.

An issue that caused SOAP Daemon: Fault returned to SMS ‘Error getting TIP-112692
TIP-117214
noisy security policies from TOS’ to repeatedly display in the system log has been
PCT-1740
fixed. SEG-170389

TIP-117866
Filter exceptions no longer permit invalid IP ranges to be entered.
PCT-20092

TIP-117711
This release removes the diffie-hellman-group14-sha1 SSH key algorithm.
PCT-17718

Two SMS Web Server vulnerabilities, No Same site attribute: JSESSIONID and TIP-119418
Slowloris Denial of service vulnerability, are addressed by an upgrade to the TIP-119417
Java environment (Wildfly) in this release. PCT-23692

This release fixes an SMS Java Version Disclosure vulnerability through an upgrade to the TIP-117409
Java environment (Wildfly). PCT-1315

TIP-128956
This release fixes an issue where multiple versions of snapshots were all marked as “Allow
TIP-110115
Restore.”
PCT-41490

5 Security Management System Release Notes

 TIP-107858
This release fixes an issue where Scheduled Reports erroneously displayed as empty.
PCT-1708

TIP-107098
The help screen for the ThreatDV URL Lookup now displays correctly.
PCT-3181

An issue that prevented profile distribution with the failed to build url error has been TIP-106751
resolved. PCT-2006

Users no longer have to remove all leading or trailing spaces in their filter names (including TIP-123602
Traffic Management, Advanced DDoS, Reputation, and SSL inbound/outbound filters) during
an upgrade.

Both HA nodes require an SMS certificate key size of 2048 bits before HA is configured. TIP-129960

An issue was fixed on historical port graphs that caused the y-axis port speed labels to TIP-118419
sometimes display incorrectly. PCT-19499

Enhancements in this release prevent data duplication for events in the remote syslog that TIP-120358
could occur under rare conditions: PCT-7954

• New preference setting for events. A new system preference setting, Retrieve New
Events/Logs Only, restricts the SMS to examining only recent entries from a device
when the last fetched event is indeterminate or the device is newly managed. This is
enabled by default.

• Event transmission control. To further reduce data duplication and to ensure the
relevance and efficiency of data transmission, the system now restricts transmitting
remote syslog server events to those generated within the last 24 hours.

Attempts to connect to the passive SMS in an HA configuration now automatically get TIP-120069
redirected to the active SMS.

6 Security Management System Release Notes

Known issues

Description Reference

When restoring a snapshot from SMS after changing the master key, wait a few minutes
before attempting to restore the snapshot so that the SMS and the device can properly sync TIP-129644
up.

When you change any sFlow IP Address, an exception error is returned even though the
TIP-130872
update succeeds on both the device and the SMS.

Disabling TLS 1.2 for “SMS connecting to Device/TMC/LDAP” will disrupt the connection to
TIP-128681
TMC and block access to the latest software updates.

When you edit a stack name using the SMS client’s Edit button, resilience and SRD
configuration will not work. You will have to delete the stack and re-create it to change these TIP-131001
values.

After an upgrade to v6.4.0, Dell H4 platforms might show an amber LED and return the
following hardware system error in iDRAC:
A fatal error was detected on a component at bus 2 device 0 function PCT-53957
0.

This known issue can be ignored and will be fixed in the next SMS release.

The Access SMS Web Services capability (Edit Role > Capabilities > Admin > Admin
Section > SMS Management > Access Management) is required for downloading the client
install image, upgrading or patching the client, or accessing files from Exports and Archives TIP-134519
through the Web UI.
Users with Admin or Operator roles must get a Superuser to configure this.

The SMS v6.4.0 client fails to launch if the user lacks write permissions on the Logs directory.

To resolve this, grant write permissions to the user on the Logs directory (C:\Program TIP-134851
Files\TippingPoint SMS Client\Logs on Windows).

Product support

For assistance, call one of the TippingPoint numbers on the Contact Support site.

© Copyright 2024 Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, Trend Vision One, TippingPoint, the
TippingPoint logo, and Digital Vaccine are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product
names may be trademarks of their respective owners.

7 Security Management System Release Notes