RELEASE NOTES FOR UPDATE PACKAGE 1199-5242

RELEASE DATE:    Tuesday November 05, 2019
MD5 CHECKSUM:    69d997f8766cedcbf563fb2ed88794f4
SHA1 CHECKSUM:    b62f19e1cb9432a56e690ac5cb101e4859008273
SHA256 CHECKSUM:    cc3afb531e4c1a446c5437fd50a8c9d07fa9582850f5e1b23269dfcb2a3ee625

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

List of detected attacks in this update package:
Risk level    Description                                                                     Reference         Vulnerability
High          An attempt to exploit a vulnerability in File Sharing Wizard detected           CVE-2019-16724    File-Sharing-Wizard-POST-SEH-Buffer-Overflow
High          An attempt to exploit a vulnerability in OpenEMR detected                       CVE-2019-8368     Openemr-Facility_admin.php-Cross-Site-Scripting
High          An attempt to exploit a vulnerability in Total.js CMS detected                  CVE-2019-15954    Total-JS-CMS-12-Widget-JavaScript-Code-Injection
High          An attempt to exploit a vulnerability in YouPHPTube detected                    CVE-2019-16124    YouPHPTube-Checkconfiguration.php-Remote-Code-Execution
High          An attempt to exploit a vulnerability in Adobe Systems Acrobat 2017 detected    CVE-2019-7109     Adobe-Acrobat-Joboptions-File-Parsing-Out-Of-Bounds-Read-CVE-2019-7109

Detected Attacks
Other Changes

DETECTED ATTACKS

NEW DETECTED ATTACKS:

HTTP Client Stream

Risk    Vulnerability/Situation                         References        Related Fingerprint                                      Situation Type
High    File-Sharing-Wizard-POST-SEH-Buffer-Overflow    CVE-2019-16724    HTTP_CS-File-Sharing-Wizard-POST-SEH-Buffer-Overflow     Suspected Compromise

HTTP Request URI

Risk    Vulnerability/Situation                            References       Related Fingerprint                                         Situation Type
High    Openemr-Facility_admin.php-Cross-Site-Scripting    CVE-2019-8368    HTTP_CSU-Openemr-Facility_admin.php-Cross-Site-Scripting    Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation                                     References        Related Fingerprint                                                  Situation Type
High    Total-JS-CMS-12-Widget-JavaScript-Code-Injection            CVE-2019-15954    HTTP_CRL-Total-JS-CMS-12-Widget-JavaScript-Code-Injection            Suspected Compromise
High    YouPHPTube-Checkconfiguration.php-Remote-Code-Execution     CVE-2019-16124    HTTP_CRL-YouPHPTube-Checkconfiguration.php-Remote-Code-Execution     Suspected Compromise

Text File Stream

Risk    Vulnerability/Situation                                                   References       Related Fingerprint                                                                 Situation Type
High    Adobe-Acrobat-Joboptions-File-Parsing-Out-Of-Bounds-Read-CVE-2019-7109    CVE-2019-7109    File-Text_Adobe-Acrobat-Joboptions-File-Parsing-Out-Of-Bounds-Read-CVE-2019-7109    Suspected Compromise

UPDATED DETECTED ATTACKS:

UDP Packet Unknown

Risk    Vulnerability/Situation                                    References       Related Fingerprint                                                    Situation Type          Change Description
High    Curl-And-Libcurl-TFTP-OACK-blksize-Heap-Buffer-Overflow    CVE-2019-5482    Generic_UDP-Curl-And-Libcurl-TFTP-OACK-blksize-Heap-Buffer-Overflow    Suspected Compromise
        - Name: HTTP_CS-Curl-And-Libcurl-TFTP-OACK-blksize-Heap-Buffer-Overflow -> Generic_UDP-Curl-And-Libcurl-TFTP-OACK-blksize-Heap-Buffer-Overflow
        - Description has changed
        - Category tag group UDP Correlation Dependency Group added
        - Category tag group HTTP Correlation Dependency Group removed
        - Category tag group TCP Correlation Dependency Group removed
        - Category tag group TCP Client Traffic removed
        - Context has changed from HTTP Client Stream to UDP Packet Unknown

HTTP Client Stream

Risk    Vulnerability/Situation                                          References       Related Fingerprint                        Situation Type          Change Description
High    Netwin-SurgeMail-Webmail-Multiple-Header-Memory-Corruption       CVE-2008-1054    HTTP_CS-Netwin-SurgeMail-Header-Line-BOF   Potential Compromise
        - Fingerprint regexp changed

IMAP Client Stream

Risk    Vulnerability/Situation                        References        Related Fingerprint                                    Situation Type          Change Description
High    Dovecot-And-Pigeonhole-Remote-Code-Execution   CVE-2019-11500    IMAP_CS-Dovecot-And-Pigeonhole-Remote-Code-Execution   Suspected Compromise
        - Fingerprint regexp changed

TCP Client Stream Unknown

Risk    Vulnerability/Situation       References        Related Fingerprint                       Situation Type          Change Description
Low     ThinVNC-Directory-Traversal   CVE-2019-17662    Generic_HTTP-URI-Directory-Traversal      Potential Disclosure
        - Description has changed
        - Category tag group CVE2019 added

HTTP Request Header Line

Risk    Vulnerability/Situation                        References       Related Fingerprint                                     Situation Type                         Change Description
Low     Generic-Shared-Variables                       No CVE/CAN       HTTP_CSH-Shared-Variables                               System Inspections
        - Fingerprint regexp changed
Low     Apache-Byte-Range-Filter-Denial-Of-Service     CVE-2005-2728    HTTP_CSH-Apache-Byte-Range-Filter-Denial-Of-Service     Potential Denial of Service
        - Fingerprint regexp changed
High    HTTP-Code-Injection-Attack-Tool                No CVE/CAN       HTTP_CSH-TSL-Attack-Tool-Detected                       Suspected Attack Related Anomalies
        - Fingerprint regexp changed

TFTP Client Stream

Risk    Vulnerability/Situation                               References       Related Fingerprint                                                                      Situation Type          Change Description
High    Curl-And-Libcurl-TFTP-blksize-Heap-Buffer-Overflow    CVE-2019-5436    TFTP_CS-HP-Intelligent-Management-Center-TFTP-Server-Data-And-Error-Packet-BOF           Suspected Compromise
        - Description has changed
        - Category tag group CVE2019 added

HTTP Normalized Request-Line

Risk    Vulnerability/Situation                                                         References       Related Fingerprint                                                                      Situation Type          Change Description
High    HPE-IMC-Customreporttemplateselectbean-Expression-Language-Injection            CVE-2019-5373    HTTP_CRL-HPE-IMC-Customreporttemplateselectbean-Expression-Language-Injection            Suspected Compromise
        - Name: HTTP_CSU-HPE-IMC-Customreporttemplateselectbean-Expression-Language-Injection -> HTTP_CRL-HPE-IMC-Customreporttemplateselectbean-Expression-Language-Injection
        - Category tag group TCP Correlation Dependency Group removed
        - Category tag group HTTP URI Correlation Dependency Group removed
        - Context has changed from HTTP Request URI to HTTP Normalized Request-Line

LIST OF OTHER CHANGES

NEW OBJECTS:
Type           Name
Category       ThinVNC
Category       File Sharing Wizard
Situation      Standby Management Server exclusion.
Application    NATS
Situation      HTTP2_Frame-Type-WINDOW_UPDATE
Situation      HTTP2_Frame-Type-SETTINGS
Situation      HTTP2_Frame-Type-RST_STREAM
Situation      HTTP2_Frame-Type-PRIORITY
Situation      HTTP2_Frame-Type-PING
Situation      IP_SAP_Cloud_Platform
Situation      IP_Microsoft_Intune
Situation      URLList 3211267
IPList         SAP Cloud Platform IP Address List
IPList         Microsoft Intune IP Address List
UPDATED OBJECTS:
Type               Name                                          Changes
Network Element    TOR exit nodes
Situation          URL_List-Known-Hostile-URL                    Detection mechanism updated
IPList             Spotify
IPList             Microsoft Azure datacenter
IPList             Microsoft Azure datacenter ASIASOUTHEAST
IPList             Netflix Servers
IPList             Microsoft Azure datacenter USNORTH
IPList             Microsoft Azure datacenter USCENTRAL
IPList             TOR relay nodes IP Address List
IPList             Microsoft Azure datacenter USCENTRALEUAP
IPList             Amazon EC2
IPList             Akamai Servers
IPList             Microsoft Azure datacenter USEAST2EUAP
IPList             Microsoft Azure datacenter USEAST
IPList             Amazon CLOUDFRONT
IPList             Microsoft Azure datacenter USWEST
IPList             TOR exit nodes IP Address List
IPList             Microsoft Azure datacenter USWESTCENTRAL
IPList             Amazon AMAZON
IPList             Microsoft Azure datacenter USEAST2
IPList             Microsoft Azure datacenter USSOUTH
IPList             Amazon GLOBALACCELERATOR
IPList             Microsoft Azure datacenter EUROPEWEST
IPList             Microsoft Azure datacenter USWEST2

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the SHA256 checksum of the downloaded update package matches the value published above. Do not rely on the MD5 or SHA1 values alone; they are listed for legacy tooling only.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.
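The checksum verification in step 1, as an added example that is not part of these release notes or of Forcepoint's own tooling: a POSIX shell helper that hashes the downloaded package with whichever SHA256 tool the host provides and compares the result against the SHA256 value published above. The path to the package file is supplied by the operator; the comparison is case-insensitive and a missing file is treated as a failure rather than silently skipped.

```shell
#!/bin/sh
# Added example: verify a downloaded update package against the SHA256
# checksum published in these release notes before importing it in the SMC.
# EXPECTED_SHA256 is copied from the "SHA256 CHECKSUM" line above.
# The package file path is passed in by the operator (assumption).

EXPECTED_SHA256="cc3afb531e4c1a446c5437fd50a8c9d07fa9582850f5e1b23269dfcb2a3ee625"

# Print the SHA256 of a file as lowercase hex, using whichever tool exists:
# sha256sum (GNU coreutils), shasum (macOS/Perl), or openssl as a fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_update_package FILE EXPECTED
# Returns 0 when FILE's SHA256 equals EXPECTED (hex, case-insensitive),
# 1 when the file is missing or the digest differs.
# Only SHA256 is checked: MD5 and SHA1 are collision-prone and must not be
# the sole basis for accepting a package.
verify_update_package() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "FAIL no such file: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file  sha256=$actual"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage: sh verify.sh /path/to/downloaded/update-package
# Stops with a non-zero exit code if the package does not match, so it can
# gate the import step in a scripted rollout.
if [ -n "$1" ]; then
    verify_update_package "$1" "$EXPECTED_SHA256" || exit 1
fi
```

Run it against the file you actually downloaded, not a copy re-fetched from a mirror, and only proceed to the "Import Update Packages" step on an OK result.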

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.