RELEASE NOTES FOR UPDATE PACKAGE 1127-5242

RELEASE DATE:    Friday January 18, 2019
MD5 CHECKSUM:    e95a57f72b487d0a26ea51cd3b7b4efe
SHA1 CHECKSUM:    bb1b25714531a45145def531ee73a73fc7cb5039
SHA256 CHECKSUM:    a5a345d014ebe816ed823347b60d798ea2aeff0ebc409d40b385f97121335755

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

List of detected attacks in this update package:
Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in NetGear detected | CVE-2017-5521 | NetGear-Administrator-Password-Disclosure
High | An attempt to exploit a vulnerability in Rockwell Automation RSLinx Classic detected | CVE-2018-14821 | Rockwell-Automation-Rslinx-Classic-Cip-Sendrrdata-Heap-Buffer-Overflow
High | An attempt to exploit a vulnerability in Metasploit msfd detected | No CVE/CAN | Metasploit-msfd-Browser-Remote-Code-Execution
High | An attempt to exploit a vulnerability in Foxit Software Foxit Reader detected | CVE-2018-3956 | Foxit-Reader-And-Phantompdf-Xfa-Xdpcontent-Information-Disclosure
High | An attempt to exploit a vulnerability in Microsoft Office 365 ProPlus detected | CVE-2018-8587 | Microsoft-Outlook-Out-Of-Bounds-Vulnerability-CVE-2018-8587
High | An attempt to exploit a vulnerability in Microsoft Windows detected | CVE-2019-0547 | Microsoft-Windows-DHCP-Client-CVE-2019-0547-Code-Execution

DETECTED ATTACKS

NEW DETECTED ATTACKS:

BOOTP Server Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Windows-DHCP-Client-CVE-2019-0547-Code-Execution | CVE-2019-0547 | BOOTP_SS-Microsoft-Windows-DHCP-Client-CVE-2019-0547-Code-Execution | Suspected Compromise

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Rockwell-Automation-Rslinx-Classic-Cip-Sendrrdata-Heap-Buffer-Overflow | CVE-2018-14821 | Generic_CS-Rockwell-Automation-Rslinx-Classic-Cip-Sendrrdata-Heap-Buffer-Overflow | Suspected Compromise

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | NetGear-Administrator-Password-Disclosure | CVE-2017-5521 | HTTP_CSU-NetGear-Administrator-Password-Disclosure | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Metasploit-msfd-Browser-Remote-Code-Execution | No CVE/CAN | File-Text_Metasploit-msfd-Browser-Remote-Code-Execution | Suspected Compromise

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Outlook-Out-Of-Bounds-Vulnerability-CVE-2018-8587 | CVE-2018-8587 | File-Binary_Microsoft-Outlook-Rwz-CVE-2018-8587-Integer-Overflow | Suspected Compromise

PDF File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Foxit-Reader-And-Phantompdf-Xfa-Xdpcontent-Information-Disclosure | CVE-2018-3956 | File-PDF_Foxit-Reader-And-Phantompdf-Xfa-Xdpcontent-Information-Disclosure | Suspected Compromise

LIST OF OTHER CHANGES

NEW OBJECTS:
Type | Name
Category | Rockwell Automation RSLinx Classic
Service | GTP Charging Transfer (UDP)
Service | GTP Charging Transfer (TCP)
Situation | IP_Hidden-Cobra-APT-Sites

UPDATED OBJECTS:
Type | Name | Changes
Network Element | TOR exit nodes |
IPList | Microsoft Azure datacenter CANADAEAST |
IPList | Microsoft Azure datacenter |
IPList | TOR relay nodes IP Address List |
IPList | Microsoft Azure datacenter AUSTRALIAEAST |
IPList | Microsoft Azure datacenter CANADACENTRAL |
IPList | TOR exit nodes IP Address List |
IPList | Amazon AMAZON |

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the SHA256 checksum of the update package is correct.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click the Updates folder and select "Import Update Packages".
4.    Right-click the imported package and select Activate.
5.    Reinstall the system policy to apply the changes. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.