RELEASE NOTES FOR UPDATE PACKAGE 1189-5242

RELEASE DATE:    Friday September 20, 2019
MD5 CHECKSUM:    405a2496ef1b4ccce82d87003bbd1a6b
SHA1 CHECKSUM:    7466b984759d6f5cb8ee3b2f8ba113fce7933347
SHA256 CHECKSUM:    9c869f7f906ccb909de8f823cd2a590eb797a05d232e621804fac1cb1e4160cf

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

List of detected attacks in this update package:
Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Advantech WebAccess detected     CVE-2019-6550     Advantech-WebAccess-SCADA-Bwthinfl-Stack-Based-Buffer-Overflow
High     An attempt to exploit a vulnerability in Dovecot detected     CVE-2019-11500     Dovecot-And-Pigeonhole-Remote-Code-Execution
High     An attempt to exploit a vulnerability in Adobe Systems Acrobat 2017 detected     CVE-2019-7110     Adobe-Acrobat-Joboptions-File-Parsing-Out-Of-Bounds-Read
High     An attempt to exploit a vulnerability in OpenEMR Development Team OpenEMR detected     CVE-2019-14530     Openemr-Ajax_Download.php-Directory-Traversal
High     An attempt to exploit a vulnerability in Pulse Connect Secure detected     CVE-2019-11539     Pulse-Secure-Diag.cgi-Command-Injection
High     An attempt to exploit a vulnerability in HP Intelligent Management Center detected     CVE-2019-5374     HPE-IMC-Operatorgrouptreeselectbean-Expression-Language-Injection
High     An attempt to exploit a vulnerability in Atlassian Confluence Server detected     CVE-2019-3394     Atlassian-Confluence-Server-Packageresourcemanager-Information-Disclosure
High     An attempt to exploit a vulnerability in atftp TFTP Server detected     CVE-2019-11365     Atftp-TFTP-Server-Error-Packet-DoS
High     An attempt to exploit a vulnerability in SolarWinds DameWare Mini Remote Control detected     CVE-2019-3956     Solarwinds-Dameware-Mini-Remote-Control-CltDHPubKeyLen-Out-of-Bounds-Read
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2019-1242     Microsoft-Windows-Jet-Database-CVE-2019-1242-Remote-Code-Execution


DETECTED ATTACKS

NEW DETECTED ATTACKS:

UDP Packet Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Atftp-TFTP-Server-Error-Packet-DoS CVE-2019-11365 Generic_UDP-Atftp-TFTP-Server-Error-Packet-DoS Suspected Compromise

TCP MSRPC Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Advantech-WebAccess-SCADA-Bwthinfl-Stack-Based-Buffer-Overflow CVE-2019-6550 MSRPC-TCP_Advantech-WebAccess-SCADA-Bwthinfl-Stack-Based-Buffer-Overflow Suspected Compromise

IMAP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Dovecot-And-Pigeonhole-Remote-Code-Execution CVE-2019-11500 IMAP_CS-Dovecot-And-Pigeonhole-Remote-Code-Execution Suspected Compromise

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Solarwinds-Dameware-Mini-Remote-Control-CltDHPubKeyLen-Out-of-Bounds-Read CVE-2019-3956 Generic_CS-Solarwinds-Dameware-Mini-Remote-Control-CltDHPubKeyLen-Out-of-Bounds-Read Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Openemr-Ajax_Download.php-Directory-Traversal CVE-2019-14530 HTTP_CSU-Openemr-Ajax_Download.php-Directory-Traversal Suspected Compromise

HTTP Reply Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Adobe-Acrobat-Joboptions-File-Parsing-Out-Of-Bounds-Read CVE-2019-7110 HTTP_SHS-Adobe-Acrobat-Joboptions-File-Parsing-Out-Of-Bounds-Read Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Pulse-Secure-Diag.cgi-Command-Injection CVE-2019-11539 HTTP_CRL-Pulse-Secure-Diag.cgi-Command-Injection Suspected Compromise
High HPE-IMC-Operatorgrouptreeselectbean-Expression-Language-Injection CVE-2019-5374 HTTP_CRL-HPE-IMC-Operatorgrouptreeselectbean-Expression-Language-Injection Suspected Compromise
High Atlassian-Confluence-Server-Packageresourcemanager-Information-Disclosure CVE-2019-3394 HTTP_CLR-Atlassian-Confluence-Server-Packageresourcemanager-Information-Disclosure Suspected Compromise

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Microsoft-Windows-Jet-Database-CVE-2019-1242-Remote-Code-Execution CVE-2019-1242 File-Binary_Microsoft-Windows-Jet-Database-CVE-2019-1242-Remote-Code-Execution Suspected Compromise

UPDATED DETECTED ATTACKS:

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High ABB-Panel-Builder-800-Comli-Commandlineoptions-Stack-Based-Buffer-Overflow CVE-2018-10616 File-Text_ABB-Panel-Builder-800-Comli-Commandlineoptions-Stack-Based-Buffer-Overflow Suspected Compromise Fingerprint regexp changed

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Delta-Industrial-Automation-CNCSoft-Screeneditor-Stack-Buffer-Overflow CVE-2019-10947 File-Binary_Delta-Industrial-Automation-CNCSoft-Screeneditor-Stack-Buffer-Overflow Suspected Compromise Fingerprint regexp changed

LIST OF OTHER CHANGES

NEW OBJECTS:
Type     Name
Situation     ProtonVPN
Situation     Forcepoint One Endpoint
Application     Opera VPN
Application     Godaddy-CRL
Situation     HTTP_Server-Hostile-Use-of-Header-Line-Folding
Situation     HTTP_Client-Hostile-Use-of-Header-Line-Folding
Situation     URLList 3211266
Application     ProtonVPN

UPDATED OBJECTS:
Type     Name     Changes
Network Element     TOR exit nodes
IPList     Netflix Servers
IPList     TOR relay nodes IP Address List
IPList     Amazon EC2
IPList     Ransomware Payment Site IP Address List
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Amazon GLOBALACCELERATOR
IPList     Google Servers

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the SHA256 checksum of the update package is correct.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.