SECURITY BULLETIN: Trend Micro TippingPoint TPS Security Advisory for CVE-2021-3449 (PB#1088)

    • Updated: 17 Jun 2021
    • Product/Version:
        ◦ TippingPoint TPS TPS 5.3.1
        ◦ TippingPoint TPS TPS 5.3.1.1249
        ◦ TippingPoint TPS TPS 5.3.2.1268
        ◦ TippingPoint TPS TPS 5.4.0.1624
        ◦ TippingPoint TPS TPS 5.4.1.1649
Summary
An OpenSSL vulnerability (CVE-2021-3449) exists within Trend Micro TippingPoint TPS 5.3.0, 5.3.1, 5.3.2, 5.4.0, and 5.4.1 TOS versions that can cause the appliance to enter Layer-2 Fallback (L2FB) mode and stop inspecting network traffic.
Details
Public
Product Bulletin: 1088

Subject: Security Advisory – Update for OpenSSL Vulnerability (CVE-2021-3449)

Date of Announcement: June 4, 2021

Summary:

An OpenSSL vulnerability (CVE-2021-3449) exists within TPS 5.3.0, 5.3.1, 5.3.2, 5.4.0, and 5.4.1 TOS versions that can cause the appliance to enter Layer-2 Fallback (L2FB) mode and stop inspecting network traffic.

The vulnerability is triggered by a maliciously crafted message sent during TLS 1.2 renegotiation, which causes the TLS server used by TLS Inspection to halt. This halt forces the appliance into L2FB, during which no traffic is inspected.

Further details on this vulnerability can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449

Mitigations:

We have removed the vulnerable OpenSSL version and upgraded to the latest non-vulnerable version. This resolution will be included in the next TPS TOS release.

The following mitigation can be applied now (before the next TPS TOS release) to remove the ability for renegotiation to occur. It blocks the malicious renegotiation message from being incorrectly interpreted by the appliance, without adversely impacting system performance, and removes the vulnerability to this CVE.

To apply this mitigation, complete the following steps:
1. Run the following command at the CLI of each appliance:
   debug ini-cfg modify netpal.ini.handle [SslInsp] npSslNoRenegotiation 1 create
2. Reboot the appliance(s).


Category: Configure; Troubleshoot
Solution Id: TP000286686