RELEASE NOTES FOR UPDATE PACKAGE 1137-5242

RELEASE DATE:    Thursday February 28, 2019
MD5 CHECKSUM:    d3d07b5fb788e22cf4c7923d50f58905
SHA1 CHECKSUM:    67df5ad49c52a3082dff2ae3dbdc7e306939960e
SHA256 CHECKSUM:    25a0e81a81c716f407fc300aab51abbd1c644fb92884cd4cd383ea12127e13ff

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

List of detected attacks in this update package:
Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Asterisk Open Source detected     CVE-2018-12227     Asterisk-pjsip-Endpoint-Presence-Disclosure
High     An attempt to exploit a vulnerability in libVNC LibVNCClient detected     CVE-2018-20020     Libvnc-LibVNCClient-Heap-Based-Buffer-Overflow
High     An attempt to exploit a vulnerability in Python detected     CVE-2019-5010     Python-SSL-X.509-Distributionpoint-Extension-Null-Pointer-Dereference
High     An attempt to exploit a vulnerability in Apache Software Foundation httpd detected     CVE-2019-0190     Apache-Httpd-Mod_SSL-TLS-Renegotiation-Denial-Of-Service
High     An attempt to exploit a vulnerability in OpenSSL detected     CVE-2018-0732     OpenSSL-Large-Dh-Parameter-Denial-Of-Service
High     An attempt to exploit a vulnerability in Node.js detected     CVE-2018-7162     Node.js-Foundation-Node.js-TLS-Denial-Of-Service
High     An attempt to exploit a vulnerability in phpMyAdmin detected     CVE-2018-19968     Phpmyadmin-Tbl_replace.php-Local-File-Inclusion
High     An attempt to exploit a vulnerability in Apache Software Foundation Subversion detected     CVE-2018-11803     Apache-Subversion-Mod_Dav_SVN-Denial-Of-Service
High     An attempt to exploit a vulnerability in Asterisk Asterisk Open Source detected     CVE-2018-12228     Asterisk-TLS-HTTP-Content-Length-Denial-Of-Service
High     An attempt to exploit a vulnerability in Kubernetes Dashboard detected     CVE-2018-18264     Kubernetes-Dashboard-Authentication-Bypass-Information-Disclosure
High     An attempt to exploit a vulnerability in TYPO3 detected     No CVE/CAN     TYPO3-CMS-Phar-Insecure-Deserialization
High     An attempt to exploit a vulnerability in Zoho ManageEngine OpManager detected     CVE-2018-20338     Zoho-Manageengine-Opmanager-Alarms-Section-SQL-Injection
High     An attempt to exploit a vulnerability in LAquis SCADA detected     CVE-2018-18992     Laquis-Scada-Web-Server-Relatorioindividual-Titulo-Command-Injection
High     An attempt to exploit a vulnerability in Nuxeo Nuxeo detected     CVE-2018-16341     Nuxeo-Nuxeounknownresource-Expression-Language-Injection
High     An attempt to exploit a vulnerability in HP Intelligent Management Center detected     No CVE/CAN     HPE-Intelligent-Management-Center-Iccselectcommand-Expression-Language-Injection
High     An attempt to exploit a vulnerability in strongSwan strongSwan detected     CVE-2018-10811     StrongSwan-OpenSSL-Plugin-Fips-Mode-Denial-Of-Service
High     An attempt to exploit a vulnerability in Adobe Systems ColdFusion (2016 release) detected     CVE-2018-4939     Adobe-ColdFusion-Dataservicescfproxy-Rome-Framework-Insecure-Deserialization
High     An attempt to exploit a vulnerability in Oracle GoldenGate Manager detected     CVE-2018-2914     Oracle-GoldenGate-Manager-Command-Report-DoS
High     An attempt to exploit a vulnerability in ZeroMQ libzmq detected     CVE-2019-6250     Zeromq-Libzmq-V2_Decoder-Integer-Overflow
High     An attempt to exploit a vulnerability in LibreOffice detected     CVE-2018-16858     LibreOffice-Macro-Event-Remote-Code-Execution
High     An attempt to exploit a vulnerability in Adobe Systems Acrobat 2017 detected     CVE-2019-7089     Adobe-Acrobat-And-Reader-PDF-XML-Stylesheet-Information-Disclosure
High     An attempt to exploit a vulnerability in Foxit Software Quick PDF Library detected     CVE-2018-20247     Foxit-Quick-PDF-Library-CVE-2018-20247-Denial-Of-Service
High     An attempt to exploit a vulnerability in RARLAB WinRAR detected     CVE-2018-20250     RARLAB-WinRAR-ACE-Remote-Code-Execution
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2019-0616     Microsoft-Graphics-Device-Interface-Information-Disclosure-CVE-2019-0616
High     An attempt to exploit a vulnerability in FreeBSD Project bootpd detected     CVE-2018-17161     FreeBSD-Bootpd-Stack-Buffer-Overflow
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2019-0626     Microsoft-Windows-DHCP-Server-Code-Execution-CVE-2019-0626
High     An attempt to exploit a vulnerability in BusyBox Project BusyBox detected     CVE-2018-20679     Busybox-Project-Busybox-Udhcp-Option-Out-Of-Bounds-Read
Low     An IKEv2 packet using PRF_HMAC_MD5 algorithm detected     CVE-2018-10811     StrongSwan-OpenSSL-Plugin-Fips-Mode-Denial-Of-Service


DETECTED ATTACKS

NEW DETECTED ATTACKS:

UDP Packet Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Low     StrongSwan-OpenSSL-Plugin-Fips-Mode-Denial-Of-Service     CVE-2018-10811     Generic_UDP-IKEv2-IKE_Sa_Init-Using-PRF_GMAC_md5     Protocol Information
High     StrongSwan-OpenSSL-Plugin-Fips-Mode-Denial-Of-Service     CVE-2018-10811     Generic_UDP-StrongSwan-OpenSSL-Plugin-Fips-Mode-Denial-Of-Service     Suspected Compromise

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Phpmyadmin-Tbl_replace.php-Local-File-Inclusion     CVE-2018-19968     HTTP_CS-Phpmyadmin-Tbl_replace.php-Local-File-Inclusion     Suspected Compromise
High     Apache-Subversion-Mod_Dav_SVN-Denial-Of-Service     CVE-2018-11803     HTTP_CS-Apache-Subversion-Mod_Dav_SVN-Denial-Of-Service     Suspected Compromise
High     Asterisk-TLS-HTTP-Content-Length-Denial-Of-Service     CVE-2018-12228     HTTP_CS-Asterisk-TLS-HTTP-Content-Length-Denial-Of-Service     Suspected Compromise

HTTPS Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Node.js-Foundation-Node.js-TLS-Denial-Of-Service     CVE-2018-7162     HTTPS_CS-Node.js-Foundation-Node.js-TLS-Denial-Of-Service     Suspected Compromise

HTTPS Server Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Python-SSL-X.509-Distributionpoint-Extension-Null-Pointer-Dereference     CVE-2019-5010     HTTPS_SS-Python-Ssl-X.509-Distributionpoint-Extension-Null-Pointer-Dereference     Suspected Compromise
High     Apache-Httpd-Mod_SSL-TLS-Renegotiation-Denial-Of-Service     CVE-2019-0190     HTTPS_SS-Apache-Httpd-Mod_SSL-TLS-Renegotiation-Denial-Of-Service     Suspected Compromise
High     OpenSSL-Large-Dh-Parameter-Denial-Of-Service     CVE-2018-0732     HTTPS_SS-OpenSSL-Large-Dh-Parameter-Denial-Of-Service     Suspected Compromise

BOOTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     FreeBSD-Bootpd-Stack-Buffer-Overflow     CVE-2018-17161     BOOTP_CS-FreeBSD-Bootpd-Stack-Buffer-Overflow     Suspected Compromise
High     Microsoft-Windows-DHCP-Server-Code-Execution-CVE-2019-0626     CVE-2019-0626     BOOTP_CS-Microsoft-Windows-DHCP-Server-Code-Execution-CVE-2019-0626     Potential Compromise
High     Busybox-Project-Busybox-Udhcp-Option-Out-Of-Bounds-Read     CVE-2018-20679     BOOTP_CS-Busybox-Project-Busybox-Udhcp-Option-Out-Of-Bounds-Read     Suspected Compromise

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Oracle-GoldenGate-Manager-Command-Report-DoS     CVE-2018-2914     Generic_CS-Oracle-GoldenGate-Manager-Command-Report-DoS     Suspected Compromise
High     Zeromq-Libzmq-V2_Decoder-Integer-Overflow     CVE-2019-6250     Generic_CS-Zeromq-Libzmq-V2_Decoder-Integer-Overflow     Potential Compromise

TCP Server Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Adobe-ColdFusion-Dataservicescfproxy-Rome-Framework-Insecure-Deserialization     CVE-2018-4939     Generic_SS-Adobe-ColdFusion-Dataservicescfproxy-Rome-Framework-Insecure-Deserialization     Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Kubernetes-Dashboard-Authentication-Bypass-Information-Disclosure     CVE-2018-18264     HTTP_CSU-Kubernetes-Dashboard-Authentication-Bypass-Information-Disclosure     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     TYPO3-CMS-Phar-Insecure-Deserialization     No CVE/CAN     HTTP_CRL-TYPO3-CMS-Phar-Insecure-Deserialization     Suspected Compromise
High     Zoho-Manageengine-Opmanager-Alarms-Section-SQL-Injection     CVE-2018-20338     HTTP_CRL-Zoho-Manageengine-Opmanager-Alarms-Section-SQL-Injection     Suspected Compromise
High     Laquis-Scada-Web-Server-Relatorioindividual-Titulo-Command-Injection     CVE-2018-18992     HTTP_CRL-Laquis-Scada-Web-Server-Relatorioindividual-Titulo-Command-Injection     Suspected Compromise
High     Nuxeo-Nuxeounknownresource-Expression-Language-Injection     CVE-2018-16341     HTTP_CRL-Nuxeo-Nuxeounknownresource-Expression-Language-Injection     Suspected Compromise
High     HPE-Intelligent-Management-Center-Iccselectcommand-Expression-Language-Injection     No CVE/CAN     HTTP_CRL-HPE-Intelligent-Management-Center-Iccselectcommand-Expression-Language-Injection     Suspected Compromise

SIP UDP Server Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Asterisk-pjsip-Endpoint-Presence-Disclosure     CVE-2018-12227     SIP-UDP_Asterisk-pjsip-Endpoint-Presence-Disclosure     Potential Compromise

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     RARLAB-WinRAR-ACE-Remote-Code-Execution     CVE-2018-20250     File-Binary_RARLAB-WinRAR-ACE-Remote-Code-Execution     Suspected Compromise
High     Microsoft-Graphics-Device-Interface-Information-Disclosure-CVE-2019-0616     CVE-2019-0616     File-Binary_Microsoft-Graphics-Device-Interface-Information-Disclosure-CVE-2019-0616     Suspected Compromise

PDF File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Adobe-Acrobat-And-Reader-PDF-XML-Stylesheet-Information-Disclosure     CVE-2019-7089     File-PDF_Adobe-Acrobat-And-Reader-PDF-XML-Stylesheet-Information-Disclosure     Potential Compromise
High     Foxit-Quick-PDF-Library-CVE-2018-20247-Denial-Of-Service     CVE-2018-20247     File-PDF_Foxit-Quick-PDF-Library-CVE-2018-20247-Denial-Of-Service     Suspected Compromise

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     LibreOffice-Macro-Event-Remote-Code-Execution     CVE-2018-16858     File-TextId_LibreOffice-Macro-Event-Remote-Code-Execution     Suspected Compromise

RFB Server Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Libvnc-LibVNCClient-Heap-Based-Buffer-Overflow     CVE-2018-20020     RFB_SS-Libvnc-LibVNCClient-Heap-Based-Buffer-Overflow     Suspected Compromise

UPDATED DETECTED ATTACKS:

HTTPS Server Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Critical     Weak-Diffie-Hellman-Parameters     CVE-2015-4000     HTTPS_SS-Very-Short-Diffie-Hellman-Prime     Suspected Disclosure     Fingerprint regexp changed

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Low     Generic-Shared-Variables     No CVE/CAN     Generic_CS-Shared-Variable-Fingerprints     System Inspections     Fingerprint regexp changed
High     Sun-Java-Web-Console-Login-Format-String-Vulnerability     CVE-2007-1681     Generic_CS-Sun-Java-Web-Console-Login-Format-String-Vulnerability     Potential Compromise     Fingerprint regexp changed

TCP Server Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Git-Submodules-Directory-Traversal     CVE-2018-11235     Generic_SS-Git-Submodules-Directory-Traversal     Suspected Compromise     Name: Generic_CS-Git-Submodules-Directory-Traversal -> Generic_SS-Git-Submodules-Directory-Traversal

LIST OF OTHER CHANGES

NEW OBJECTS:
Type     Name
Category     ZeroMQ libzmq
Category     Oracle GoldenGate Manager
Category     Nuxeo
Category     LibVNCClient
Category     LAquis SCADA
Category     Foxit Software Quick PDF Library
Category     BusyBox
Application     TikTok
Situation     HTTPS_SS-Breakingpoint-Generated-TLS-Server-Hello-Message
Situation     HTTP_CRL-Script-In-URL-Parameters
Situation     File_Cryptonight-Miner-Binary-SHA1

UPDATED OBJECTS:
Type     Name     Changes
Network Element     TOR exit nodes
Situation     File-Text_Obfuscated-Evaluated-Script-Content     Fingerprint regexp changed
Situation     URL_List-Coinhive-Monero-Javascript-Miner     Detection mechanism updated
Situation     URL_List-Known-Hostile-URL     Detection mechanism updated
IP List     Microsoft Azure datacenter CANADAEAST
IP List     Microsoft Azure datacenter
IP List     Microsoft Azure datacenter ASIASOUTHEAST
IP List     Microsoft Azure datacenter USCENTRAL
IP List     TOR relay nodes IP Address List
IP List     Microsoft Azure datacenter JAPANEAST
IP List     Akamai Servers
IP List     Microsoft Azure datacenter UKSOUTH
IP List     Microsoft Azure datacenter INDIAWEST
IP List     Microsoft Azure datacenter EUROPENORTH
IP List     Ransomware Payment Site IP Address List
IP List     Microsoft Azure datacenter AUSTRALIAEAST
IP List     Microsoft Azure datacenter USWEST
IP List     TOR exit nodes IP Address List
IP List     Amazon AMAZON
IP List     Microsoft Azure datacenter USEAST2
IP List     Microsoft Azure datacenter USSOUTH
IP List     Google Servers
Update Service     Default License Server

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the SHA256 checksum of the downloaded update package matches the value given above before importing it.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.