RELEASE NOTES FOR UPDATE PACKAGE 1128-5242

RELEASE DATE:	Wednesday January 23, 2019
MD5 CHECKSUM:	d6f91232c4c35441fc843ca4cbe80080
SHA1 CHECKSUM:	a1239999317ce7db3ab23fad5c084c144dc01127
SHA256 CHECKSUM:	1539dbfe29cf420357fc1dd4d74e6f049da9986919308eba7d1695fca425d148

UPDATE CRITICALITY: HIGH

MINIMUM SOFTWARE VERSIONS

- Forcepoint NGFW Security Management Center:	5.10.1.10027
- Forcepoint NGFW:	5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

List of detected attacks in this update package:

Risk level	Description	Reference	Vulnerability
High	An attempt to exploit a vulnerability in Microsoft Windows detected	CVE-2017-11885	Microsoft-Windows-RRAS-Service-Out-Of-Bounds-Access
High	An attempt to exploit a vulnerability in PostgreSQL PostgreSQL detected	CVE-2017-7546	PostgreSQL-Database-Core-Server-Non-libpq-Client-Policy-Bypass
High	An attempt to exploit a vulnerability in LibVNCServer Development Team LibVNCServer detected	CVE-2018-6307	Libvnc-Libvncserver-Tight-File-Transfer-Extension-Use-After-Free
High	Obfuscated VBScript detected	No CVE/CAN	VBScript-Scripting-Detected
High	Obfuscated VBScript detected	No CVE/CAN	VBScript-Scripting-Detected

Detected Attacks
Other Changes

DETECTED ATTACKS

NEW DETECTED ATTACKS:

TCP SMB Client Stream

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	Microsoft-Windows-RRAS-Service-Out-Of-Bounds-Access	CVE-2017-11885	SMB-TCP_Microsoft-Windows-RRAS-Service-Out-Of-Bounds-Access	Suspected Compromise

TCP Client Stream Unknown

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	PostgreSQL-Database-Core-Server-Non-libpq-Client-Policy-Bypass	CVE-2017-7546	Generic_CS-PostgreSQL-Database-Core-Server-Non-libpq-Client-Policy-Bypass	Suspected Compromise
High	Libvnc-Libvncserver-Tight-File-Transfer-Extension-Use-After-Free	CVE-2018-6307	Generic_CS-Libvnc-Libvncserver-Tight-File-Transfer-Extension-Use-After-Free	Suspected Compromise

Text File Stream

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	VBScript-Scripting-Detected	No CVE/CAN	File-Text_Obfuscated-VBScript-Char-Execute-Detected	Suspected Compromise
High	VBScript-Scripting-Detected	No CVE/CAN	File-Text_Obfuscated-VBScript-Shell-Detected	Suspected Compromise

UPDATED DETECTED ATTACKS:

TCP SMB Client Stream

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

Critical

Windows-Search-Service-Out-Of-Bounds-Vulnerability-CVE-2017-8543

CVE-2017-8543

SMB-TCP_Windows-Search-Service-Out-Of-Bounds-Vulnerability-CVE-2017-8543-2

Compromise

Description has changed

Fingerprint regexp changed

Critical

Windows-Search-Service-Out-Of-Bounds-Vulnerability-CVE-2017-8543

CVE-2017-8543

SMB-TCP_Windows-Search-Service-Out-Of-Bounds-Vulnerability-CVE-2017-8543

Compromise

Description has changed

Fingerprint regexp changed

Text File Stream

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

Php-Script-External-Command-Execution

No CVE/CAN

File-Text_Php-Script-External-Command-Execution-Download-2

Potential Compromise

Fingerprint regexp changed

Low

Generic-Shared-Variables

No CVE/CAN

File-Text_Shared-Variables

System Inspections

Fingerprint regexp changed

Other Binary File Stream

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

McAfee-Epolicy-Orchestrator-Datachannel-Guid-SQL-Injection

CVE-2016-8027

File-Binary_McAfee-Epolicy-Orchestrator-Datachannel-Guid-SQL-Injection

Suspected Compromise

Name: File-Text_McAfee-Epolicy-Orchestrator-Datachannel-Guid-SQL-Injection->File-Binary_McAfee-Epolicy-Orchestrator-Datachannel-Guid-SQL-Injection

Context has changed from Text File Stream to Other Binary File Stream

LIST OF OTHER CHANGES

NEW OBJECTS:

Type	Name
Category	MS2017-12
Situation	Logitech Updater
Situation	Firefox Updater
Situation	TeamViewer
Situation	Paint.net
Situation	ChromecastApp
Situation	Unity Gaming Engine
Situation	Unidentified Ubisoft Application
Situation	Take-Two Interactive Software
Situation	Logitech Gaming Framework
Situation	Unidentified Electronic Arts Application
Situation	File-Text_Malicious-Metasploit-Function-In-Script
Situation	File-Text_Remote-VBScript-Loaded

UPDATED OBJECTS:

Type

Name

Changes

Network Element

TOR exit nodes

Application

Flyproxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

HideMyTRAX-Proxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

UltraProxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Suresome

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Tor2web

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Bind2

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

MyAddr

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Windows-Azure-Blob

Category tag application_usage Infrastructure Services added

Category tag application_usage File Sharing removed

Application

Akamai-NetSession-Interface

Category tag application_usage Infrastructure Services added

Category tag application_usage File Sharing removed

Application

TeamViewer

Category tag application_type Web Applications added

Category tag application_group Application Routing added

Category tag application_type Protocols removed

Application detection context content changed

Application

Akamai-Edgesuite

Category tag application_usage Infrastructure Services added

Category tag application_usage File Sharing removed

Application

Stealthy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

SSLpro

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

ProxyLocal

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

000FreeProxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Windows-Azure-CDN

Category tag application_usage Infrastructure Services added

Category tag application_usage File Sharing removed

Application

Rxproxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

JonDonym-Anonymous-Proxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

MySSLProxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

kkProxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Microsoft-Azure-Application-Proxy

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Amazon-S3

Category tag application_usage Infrastructure Services added

Category tag application_usage File Sharing removed

Application

Amazon-CloudFront

Category tag application_usage Infrastructure Services added

Category tag application_usage File Sharing removed

Application

Akamai

Category tag application_usage Infrastructure Services added

Category tag application_usage File Sharing removed

Application

Hola Unblocker

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

Application

Proxify

Category tag application_usage Anonymizers/Proxies added

Category tag application_usage Tunneling removed

IPList

Microsoft Azure datacenter

IPList

TOR relay nodes IP Address List

IPList

Microsoft Azure datacenter INDIACENTRAL

IPList

Ransomware Payment Site IP Address List

IPList

Forcepoint Cloud Service Data Centers

IPList

Microsoft Azure datacenter CANADACENTRAL

IPList

TOR exit nodes IP Address List

IPList

Amazon AMAZON

IPList

Microsoft Azure datacenter USEAST2

IPList

Microsoft Azure datacenter USSOUTH

IPList

Microsoft Azure datacenter USWEST2

ACTIVATING THE UPDATE PACKAGE

1.	Ensure that the SHA256 checksum of the update package are correct.
2.	Open Admin Tools in the SMC GUI client.
3.	Right-click on the Updates folder and select "Import Update Packages".
4.	Right-click on the imported package and select Activate.
5.	Reinstall the system policy to take the changes into use. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.