RELEASE NOTES FOR UPDATE PACKAGE 1190-5242

RELEASE DATE:    Tuesday September 24, 2019
MD5 CHECKSUM:    755fb4ddc0fe97593b4277862b8170ed
SHA1 CHECKSUM:    ca5b5da44579bab4c84540b81cee9b9d289abc04
SHA256 CHECKSUM:    5ecde322e4ffcaf4894bdcd302a0874ce10c69c55219367629f2a80115fbe3f2

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

List of detected attacks in this update package:
Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Samba detected     CVE-2019-12436     Samba-LDAP-Ad-Dc-Paged-Search-DoS
High     An attempt to exploit a vulnerability in Squid detected     CVE-2019-12525     Squid-Proxy-Digest-Authentication-Denial-Of-Service
High     An attempt to exploit a vulnerability in LibreNMS detected     CVE-2019-10669     LibreNMS-Collectd-Command-Injection
High     An attempt to exploit a vulnerability in Jenkins Groovy Plugin detected     CVE-2019-1003001     Jenkins-Ci-Server-Groovy-Pipeline-Remote-Code-Execution
High     An attempt to exploit a vulnerability in Microsoft Windows Remote Desktop Services detected     CVE-2019-1182     Microsoft-Windows-Remote-Desktop-Services-Heap-Buffer-Overflow
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2019-0891     Microsoft-Windows-Jet-Database-CVE-2019-0891-Remote-Code-Execution

Detected Attacks
System Policies
Other Changes

DETECTED ATTACKS

NEW DETECTED ATTACKS:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Squid-Proxy-Digest-Authentication-Denial-Of-Service CVE-2019-12525 HTTP_CS-Squid-Proxy-Digest-Authentication-Denial-Of-Service Suspected Compromise

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Microsoft-Windows-Remote-Desktop-Services-Heap-Buffer-Overflow CVE-2019-1182 Generic_CS-Microsoft-Windows-Remote-Desktop-Services-Heap-Buffer-Overflow Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High LibreNMS-Collectd-Command-Injection CVE-2019-10669 HTTP_CSU-LibreNMS-Collectd-Command-Injection Suspected Compromise
High Jenkins-Ci-Server-Groovy-Pipeline-Remote-Code-Execution CVE-2019-1003001 HTTP_CSU-Jenkins-Ci-Server-Groovy-Pipeline-Remote-Code-Execution Suspected Compromise

LDAP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Samba-LDAP-Ad-Dc-Paged-Search-DoS CVE-2019-12436 LDAP_CS-Samba-LDAP-Ad-Dc-Paged-Search-DoS Suspected Compromise

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Microsoft-Windows-Jet-Database-CVE-2019-0891-Remote-Code-Execution CVE-2019-0891 File-Binary_Microsoft-Windows-Jet-Database-CVE-2019-0891-Remote-Code-Execution Suspected Compromise

UPDATED DETECTED ATTACKS:

UDP Packet Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High HNS-Botnet-C2-Traffic No CVE/CAN Generic_UDP-HNS-Botnet-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group UDP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Pony-Downloader-C2-Traffic No CVE/CAN HTTP_CS-Pony-Downloader-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High TinyNuke-Malware-C2-Traffic No CVE/CAN HTTP_CS-TinyNuke-Malware-C2-Traffic Potential Botnet
Category tag situation Potential Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High AZORult-Stealer-C2-Traffic No CVE/CAN HTTP_CS-AZORult-Stealer-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Loki-Bot-C2-Traffic No CVE/CAN HTTP_CS-Loki-Bot-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High LuminosityLink-RAT-C2-Traffic No CVE/CAN Generic_TCP-LuminosityLink-RAT-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Generic_CS-FlawedAmmyy-RAT-C2-Traffic No CVE/CAN Generic_CS-FlawedAmmyy-RAT-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High DanaBot-C2-Traffic No CVE/CAN Generic_CS-DanaBot-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High DarkVNC-C2-Traffic No CVE/CAN Generic_TCP-DarkVNC-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High RevengeRAT-Malware-C2-Traffic No CVE/CAN Generic_CS-RevengeRAT-Malware-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High AveMaria-Stealer-C2-Traffic No CVE/CAN Generic_CS-AveMaria-Stealer-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Remcos-RAT-C2-Traffic No CVE/CAN Generic_CS-Remcos-RAT-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High NanoCore-RAT-C2-Traffic No CVE/CAN Generic_CS_NanoCore-RAT-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

TCP Server Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Virut-Malware-C2-Traffic No CVE/CAN Generic_SS-Virut-Malware-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High LogPOS-Malware No CVE/CAN HTTP_CSU-LogPOS-Malware-Traffic-Detected Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High SideWinder-APT-C2-Traffic No CVE/CAN HTTP_CSU-SideWinder-APT-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High KeyBase-Keylogger-C2-Traffic No CVE/CAN HTTP_CSU-KeyBase-Keylogger-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Saefko-RAT-C2-Traffic No CVE/CAN HTTP_CSU-Saefko-RAT-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Predator-The-Thief-C2-Traffic No CVE/CAN HTTP_CSU-Predator-The-Thief-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High ARS-VBS-Loader-C2-Traffic No CVE/CAN HTTP_CSU-ARS-VBS-Loader-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

E-Mail Header Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Agent-Tesla-SMTP-Traffic No CVE/CAN E-Mail_Agent-Tesla-SMTP-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High ISR-Stealer-C2-Traffic No CVE/CAN HTTP_CSH-ISR-Stealer-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Pulse-Secure-Diag.cgi-Command-Injection CVE-2019-11539 HTTP_CRL-Pulse-Secure-Diag.cgi-Command-Injection Suspected Compromise
Fingerprint regexp changed
High Linux-Backdoor-C2-Traffic No CVE/CAN HTTP_CRL-Linux-Backdoor-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High RevCode-RAT-C2-Traffic No CVE/CAN HTTP_CRL-RevCode-RAT-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Agent-Tesla-C2-Traffic No CVE/CAN HTTP_CRL-Agent-Tesla-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High OpenSSH-Backdoor-C2-Traffic No CVE/CAN HTTP_CRL-OpenSSH-Backdoor-C2-Traffic Potential Botnet
Category tag situation Potential Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Hancitor-C2-Traffic No CVE/CAN HTTP_CRL-Hancitor-C2-Traffic Botnet
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
High Ekeoil-Malware-C2-Traffic No CVE/CAN HTTP_CRL-Ekeoil-Malware-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Virut-Malware-C2-Traffic No CVE/CAN File-Text_Virut-Malware-C2-Traffic Suspected Botnet
Category tag situation Suspected Botnet added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed

SYSTEM POLICY CHANGES

UPDATED POLICIES:
Name     Changes
Medium-Security Inspection Template
Customized High-Security Inspection Policy
High-Security Inspection Template
Highest-Security Inspection Template

LIST OF OTHER CHANGES

NEW OBJECTS:
Type     Name
Category     Suspected Botnet
Category     Potential Botnet
Category     LibreNMS
Situation     Fallout New Vegas
VPN Profile     Forcepoint Cloud Connection
UPDATED OBJECTS:
Type     Name     Changes
Category     Botnet
Network Element     TOR exit nodes
Protocol Agent     DNS
Service     DNS (UDP with SafeSearch)
Situation     HTTP_CRL-Banker-Trojan-Keylogger
Category tag situation Botnet added
Category tag group HTTP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Spyware, Malware and Adware removed
IP List     Åland
IP List     Bulgaria
IP List     Mauritius
IP List     Iceland
IP List     India
IP List     Burkina Faso
IP List     Guinea-Bissau
IP List     Cyprus
IP List     Palau
IP List     France
IP List     Sint Maarten
IP List     Gabon
IP List     South Korea
IP List     Costa Rica
IP List     Belgium
IP List     Niue
IP List     Tanzania
IP List     Lebanon
IP List     Botswana
IP List     Turkey
IP List     Heard Island and McDonald Islands
IP List     Liberia
IP List     Mongolia
IP List     Réunion
IP List     Slovakia
IP List     Ukraine
IP List     Kenya
IP List     Ethiopia
IP List     Morocco
IP List     Guernsey
IP List     United States
IP List     Republic of Lithuania
IP List     Belize
IP List     Germany
IP List     Gambia
IP List     Estonia
IP List     Marshall Islands
IP List     Cameroon
IP List     Bouvet Island
IP List     Grenada
IP List     Canada
IP List     St Kitts and Nevis
IP List     Rwanda
IP List     Eritrea
IP List     Equatorial Guinea
IP List     Nicaragua
IP List     Barbados
IP List     Madagascar
IP List     Bolivia
IP List     TOR relay nodes IP Address List
IP List     South Africa
IP List     U.S. Virgin Islands
IP List     Democratic Republic of Timor-Leste
IP List     Saint Martin
IP List     Sri Lanka
IP List     Cambodia
IP List     Saint Helena
IP List     Cayman Islands
IP List     Argentina
IP List     Poland
IP List     Papua New Guinea
IP List     Japan
IP List     Mexico
IP List     Bermuda
IP List     Portugal
IP List     Sierra Leone
IP List     Uganda
IP List     Paraguay
IP List     Western Sahara
IP List     Fiji
IP List     Mayotte
IP List     Peru
IP List     North Korea
IP List     Tunisia
IP List     Latvia
IP List     Nauru
IP List     Luxembourg
IP List     Venezuela
IP List     Greenland
IP List     U.S. Minor Outlying Islands
IP List     Honduras
IP List     Svalbard and Jan Mayen
IP List     Tokelau
IP List     Bhutan
IP List     Indonesia
IP List     United Arab Emirates
IP List     Cuba
IP List     Spain
IP List     Puerto Rico
IP List     Montserrat
IP List     Guadeloupe
IP List     South Sudan
IP List     British Indian Ocean Territory
IP List     Nigeria
IP List     Thailand
IP List     Lesotho
IP List     Curaçao
IP List     Italy
IP List     North Macedonia
IP List     Ecuador
IP List     Libya
IP List     Guatemala
IP List     Maldives
IP List     Sudan
IP List     South Georgia and the South Sandwich Islands
IP List     Brazil
IP List     Dominica
IP List     Albania
IP List     Trinidad and Tobago
IP List     Egypt
IP List     Panama
IP List     Israel
IP List     Somalia
IP List     Russia
IP List     Chile
IP List     Austria
IP List     Myanmar
IP List     Antarctica
IP List     Anguilla
IP List     Hungary
IP List     Greece
IP List     Yemen
IP List     Haiti
IP List     Serbia
IP List     Turkmenistan
IP List     Georgia
IP List     New Caledonia
IP List     Algeria
IP List     Pakistan
IP List     Vatican City
IP List     Suriname
IP List     Angola
IP List     Kyrgyzstan
IP List     Finland
IP List     Dominican Republic
IP List     Republic of the Congo
IP List     Guyana
IP List     Saint Lucia
IP List     Iran
IP List     Niger
IP List     Cocos [Keeling] Islands
IP List     Bahamas
IP List     Bonaire, Sint Eustatius, and Saba
IP List     Azerbaijan
IP List     Switzerland
IP List     Bangladesh
IP List     Norfolk Island
IP List     Cabo Verde
IP List     Belarus
IP List     Oman
IP List     Ivory Coast
IP List     Kuwait
IP List     Vanuatu
IP List     Slovenia
IP List     El Salvador
IP List     Christmas Island
IP List     French Southern Territories
IP List     Kazakhstan
IP List     Martinique
IP List     Solomon Islands
IP List     Romania
IP List     Syria
IP List     Jamaica
IP List     Federated States of Micronesia
IP List     TOR exit nodes IP Address List
IP List     Falkland Islands
IP List     Uzbekistan
IP List     Hong Kong
IP List     Croatia
IP List     Kosovo
IP List     Congo
IP List     Saint Vincent and the Grenadines
IP List     São Tomé and Príncipe
IP List     Iraq
IP List     Sweden
IP List     French Guiana
IP List     United Kingdom
IP List     Malta
IP List     Singapore
IP List     Burundi
IP List     Ghana
IP List     Malawi
IP List     Hashemite Kingdom of Jordan
IP List     Ireland
IP List     Nepal
IP List     Andorra
IP List     Macao
IP List     Vietnam
IP List     Jersey
IP List     China
IP List     Togo
IP List     Zimbabwe
IP List     Gibraltar
IP List     Netherlands
IP List     Benin
IP List     Bosnia and Herzegovina
IP List     Taiwan
IP List     Mozambique
IP List     Namibia
IP List     Australia
IP List     Zambia
IP List     Mauritania
IP List     Monaco
IP List     Comoros
IP List     British Virgin Islands
IP List     Saint Barthélemy
IP List     Armenia
IP List     Saint Pierre and Miquelon
IP List     Central African Republic
IP List     Isle of Man
IP List     Mali
IP List     Faroe Islands
IP List     Montenegro
IP List     Qatar
IP List     Chad
IP List     Denmark
IP List     Guinea
IP List     Colombia
IP List     Wallis and Futuna
IP List     Antigua and Barbuda
IP List     Norway
IP List     French Polynesia
IP List     Uruguay
IP List     Kiribati
IP List     Guam
IP List     Tuvalu
IP List     New Zealand
IP List     Eswatini
IP List     Malaysia
IP List     Republic of Moldova
IP List     Cook Islands
IP List     Pitcairn Islands
IP List     Czechia
IP List     Samoa
IP List     Turks and Caicos Islands
IP List     Brunei
IP List     Djibouti
IP List     Bahrain
IP List     Afghanistan
IP List     Tajikistan
IP List     Palestine
IP List     Philippines
IP List     Aruba
IP List     San Marino
IP List     Laos
IP List     Senegal
IP List     Tonga
IP List     Seychelles
IP List     American Samoa
IP List     Saudi Arabia
IP List     Northern Mariana Islands
IP List     Liechtenstein

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the SHA256 checksum of the downloaded update package matches the value given above.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.