RELEASE NOTES FOR UPDATE PACKAGE 1202-5242

RELEASE DATE:    Friday November 15, 2019
MD5 CHECKSUM:    a7f4e59eca64149b4e70c17eaadb36b9
SHA1 CHECKSUM:    4f0fbb4acdd33a0fe350f2fe2cd2346cc197b3fb
SHA256 CHECKSUM:    00b644b2c58242af45612cb018682c1b2307b5dc9449c8a2e0760b5e799ca121

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

List of detected attacks in this update package:
Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in wolfSSL detected     CVE-2019-11873     Wolfssl-Dopresharedkeys-Psk-Identity-Buffer-Overflow
High     An attempt to exploit a vulnerability in Net-SNMP detected     No CVE/CAN Net-SNMP-Write-Access-SNMP-EXTEND-MIB-Arbitrary-Code-Execution
High     An attempt to exploit a vulnerability in rConfig Network Device Configuration Tool detected     CVE-2019-16663     rConfig-Search.crud.php-Command-Injection
High     An attempt to exploit a vulnerability in PHP detected     CVE-2019-11043     PHP-FPM-Init_request_info-Path_Info-Buffer-Underflow
High     Trickbot C2 traffic was detected     No CVE/CAN TrickBot-C2-Traffic
High     An attempt to exploit a vulnerability in YouPHPTube Encoder detected     CVE-2019-5127     YouPHPTube-Encoder-Getimage.php-Command-Injection
High     Suspicious user-agent WinHTTP loader was detected     No CVE/CAN Suspicious-User-Agent-WinHTTP-Loader
High     An attempt to exploit a vulnerability in Netgear DGN1000 detected     No CVE/CAN NetGear-DGN1000-Remote-Command-Execution
High     An attempt to exploit a vulnerability in JAWS detected     No CVE/CAN JAWS-Command-Execution
High     An attempt to exploit a vulnerability in Xymon detected     CVE-2016-2056     Xymon-Useradm-Command-Execution
High     An attempt to exploit a vulnerability in Belkin Wemo detected     No CVE/CAN Belkin-Wemo-UPnP-Remote-Code-Execution
High     An attempt to exploit a vulnerability in WiKID 2FA Enterprise Server detected     CVE-2019-17117     WIKID-2fa-Enterprise-Server-Processpref.jsp-SQL-Injection
High     An attempt to exploit a vulnerability in Oracle WebLogic Server detected     CVE-2019-2888     Oracle-WebLogic-Ejbtaglibdescriptor-External-Entity-Injection
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2019-1311     Microsoft-Windows-Imaging-API-Use-After-Free
High     Suspicious executable download was detected     No CVE/CAN Suspicious-Executable-Download


DETECTED ATTACKS

NEW DETECTED ATTACKS:

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Oracle-WebLogic-Ejbtaglibdescriptor-External-Entity-Injection CVE-2019-2888 Generic_CS-Oracle-WebLogic-Ejbtaglibdescriptor-External-Entity-Injection Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High rConfig-Search.crud.php-Command-Injection CVE-2019-16663 HTTP_CSU-rConfig-Search.crud.php-Command-Injection Suspected Compromise
High PHP-FPM-Init_request_info-Path_Info-Buffer-Underflow CVE-2019-11043 HTTP_CSU-PHP-FPM-Init_request_info-Path_Info-Buffer-Underflow Suspected Compromise
High TrickBot-C2-Traffic No CVE/CAN HTTP_CSU-TrickBot-C2-Traffic Botnet
High YouPHPTube-Encoder-Getimage.php-Command-Injection CVE-2019-5127 HTTP_CSU-YouPHPTube-Encoder-Getimage.php-Command-Injection Suspected Compromise

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Suspicious-User-Agent-WinHTTP-Loader No CVE/CAN HTTP_CSH-Suspicious-User-Agent-WinHTTP-Loader Suspected Compromise

SNMP UDP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Net-SNMP-Write-Access-SNMP-EXTEND-MIB-Arbitrary-Code-Execution No CVE/CAN SNMP-UDP_Net-SNMP-Write-Access-SNMP-EXTEND-MIB-Arbitrary-Code-Execution Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High NetGear-DGN1000-Remote-Command-Execution No CVE/CAN HTTP_CRL-NetGear-DGN1000-Remote-Command-Execution Suspected Compromise
High JAWS-Command-Execution No CVE/CAN HTTP_CRL-JAWS-Command-Execution Suspected Compromise
High Xymon-Useradm-Command-Execution CVE-2016-2056 HTTP_CSU-Xymon-Useradm-Command-Execution Suspected Compromise
High Belkin-Wemo-UPnP-Remote-Code-Execution No CVE/CAN HTTP_CSU-Belkin-Wemo-UPnP-Remote-Code-Execution Suspected Compromise
High WIKID-2fa-Enterprise-Server-Processpref.jsp-SQL-Injection CVE-2019-17117 HTTP_CRL-WIKID-2fa-Enterprise-Server-Processpref.jsp-SQL-Injection Suspected Compromise

TLS Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Wolfssl-Dopresharedkeys-Psk-Identity-Buffer-Overflow CVE-2019-11873 TLS_CS-Wolfssl-Dopresharedkeys-Psk-Identity-Buffer-Overflow Suspected Compromise

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Microsoft-Windows-Imaging-API-Use-After-Free CVE-2019-1311 File-Binary_Microsoft-Windows-Imaging-API-Use-After-Free Suspected Compromise

Executable File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Suspicious-Executable-Download No CVE/CAN File-Exe_Suspicious-Executable-Download Potential Compromise

UPDATED DETECTED ATTACKS:

Count

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     MySQL-And-MariaDB-Incorrect-Cast-Policy-Bypass-Vulnerability     CVE-2012-2122     Analyzer_MySQL-Brute-Force     Suspected Compromise     Description has changed
High     Oracle-Mysql-Server-Innodb-Memcached-Plugin-Resource-Exhaustion     CVE-2013-1570     Analyzer_MySQL-InnoDB-Memcached-Plugin-Resource-Exhaustion     Potential Compromise     Description has changed
Moderate     Microsoft-Windows-LSASS-Recursive-Stack-Overflow     CVE-2009-1928     Analyzer_Microsoft-Windows-LSASS-Recursive-Stack-Overflow     Potential Denial of Service     Comment has changed
High     Microsoft-Windows-Remote-Procedure-Call-Vulnerability     CVE-2013-3175     Analyzer_Microsoft-Windows-Remote-Procedure-Call-Vulnerability     Suspected Compromise     Description has changed
High     Apache-Httpd-Range-Header-Field-Memory-Exhaustion     CVE-2011-3192     Analyzer_Apache-httpd-Range-Header-Field-Memory-Exhaustion     Suspected Compromise     Description has changed
High     Isc-Bind-Recursive-Resolver-Resource-Consumption-Denial-Of-Service     CVE-2014-8500     Analyzer_ISC-Bind-Denial-of-Service     Potential Denial of Service     Description has changed
High     LOIC-DoS-Tool     No CVE/CAN     Analyzer_LOIC-HTTP-Denial-Of-Service     Denial of Service     Description has changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Microsoft-VBScript-RCE-CVE-2018-8174     CVE-2018-8174     File-Text_Microsoft-VBScript-RCE-CVE-2018-8174-2     Suspected Compromise     Fingerprint regexp changed
Low     Generic-Shared-Variables     No CVE/CAN     File-Text_Shared-Variables     System Inspections     Fingerprint regexp changed

LIST OF OTHER CHANGES

NEW OBJECTS:
Type          Name
Category      YouPHPTube Encoder
Category      Xymon
Category      JAWS
Category      Belkin Wemo
Situation     Analyzer_Microsoft-Windows-HTTP2-Ping-Flood-Denial-of-Service
Situation     File-RIFF_Synthetic-Test-Fingeprint-Protocol-Violations
Situation     File-RIFF_Synthetic-Test-Fingeprint-Potential-Probe
Situation     File-RIFF_Synthetic-Test-Fingeprint-Potential-Disclosure
Situation     File-RIFF_Synthetic-Test-Fingeprint-Potential-Denial-of-Service
Situation     File-RIFF_Synthetic-Test-Fingeprint-Potential-Botnet
Situation     File-RIFF_Synthetic-Test-Fingeprint-Other-Suspicious-Traffic
Situation     File-RIFF_Synthetic-Test-Fingeprint-Suspected-Probe
Situation     File-RIFF_Synthetic-Test-Fingeprint-Suspected-Disclosure
Situation     File-RIFF_Synthetic-Test-Fingeprint-Suspected-Denial-of-Service
Situation     File-RIFF_Synthetic-Test-Fingeprint-Suspected-Botnet
Situation     File-RIFF_Synthetic-Test-Fingeprint-Suspected-Attack-Related-Anomalies
Situation     File-RIFF_Synthetic-Test-Fingeprint-Spyware-Malware-and-Adware
Situation     File-RIFF_Synthetic-Test-Fingeprint-Successful-Attacks
Situation     File-RIFF_Synthetic-Test-Fingeprint-Probe
Situation     File-RIFF_Synthetic-Test-Fingeprint-Disclosure
Situation     File-RIFF_Synthetic-Test-Fingeprint-Denial-of-Service
Situation     File-RIFF_Synthetic-Test-Fingeprint-Botnet
Situation     File-RIFF_Synthetic-Test-Fingeprint-Attack-Related-Anomalies
UPDATED OBJECTS:
Type          Name     Changes
Application   Forcepoint Test Application: Web Mail     Description has changed
Application   Forcepoint Test Application: Updates     Description has changed
Application   Forcepoint Test Application: Tunneling     Description has changed
Application   Forcepoint Test Application: Travel and Expense     Description has changed
Application   Forcepoint Test Application: Storage     Description has changed
Application   Forcepoint Test Application: Statistics     Description has changed
Application   Forcepoint Test Application: Social Networking     Description has changed
Application   Forcepoint Test Application: Remote control     Description has changed
Application   Forcepoint Test Application: Reference     Description has changed
Application   Forcepoint Test Application: Anonymizers/Proxies     Description has changed
Application   Forcepoint Test Application: Photo/Video Sharing     Description has changed
Application   Forcepoint Test Application: P2P     Description has changed
Application   Forcepoint Test Application: Orienteering     Description has changed
Application   Forcepoint Test Application: OPC Historical Data Access     Description has changed
Application   Forcepoint Test Application: OPC Data Access     Description has changed
Application   Forcepoint Test Application: OPC Auxiliary     Description has changed
Application   Forcepoint Test Application: OPC Alarms and Events     Description has changed
Application   Forcepoint Test Application: Office     Description has changed
Application   Forcepoint Test Application: Miscellaneous     Description has changed
Application   Forcepoint Test Application: Media     Description has changed
Application   Forcepoint Test Application: Marketing     Description has changed
Application   Forcepoint Test Application: Mail     Description has changed
Application   Forcepoint Test Application: Infrastructure Services     Description has changed
Application   Forcepoint Test Application: HR     Description has changed
Application   Forcepoint Test Application: Hosting     Description has changed
Application   Forcepoint Test Application: Health     Description has changed
Application   Forcepoint Test Application: Finance     Description has changed
Application   Forcepoint Test Application: File Sharing     Description has changed
Application   Forcepoint Test Application: ERP/CRM     Description has changed
Application   Forcepoint Test Application: Games     Description has changed
Application   Forcepoint Test Application: Discussion Forum     Description has changed
Application   Forcepoint Test Application: Chat     Description has changed
Application   Forcepoint Test Application: Basic Internet Services     Description has changed
Situation     Analyzer_ScadaBR-Brute-Force-Attack     Comment has changed; Description has changed
Situation     File-Text_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution     Fingerprint regexp changed
Situation     Analyzer_FTP-Brute-Force     Description has changed
Situation     Analyzer_RealNetworks-RTSP-Helix-Dual-Long-URI     Description has changed
Situation     Analyzer_Nessus-Vulnerability-Scanner-Usage     Description has changed
Situation     Analyzer_DirectConnect-Client-To-Client-Handshake-DDoS     Description has changed
Situation     Analyzer_Kerberos-Brute-Force     Description has changed
Situation     Analyzer_TOR-Handshake-Traffic     Description has changed
Situation     Analyzer_Samba-DNS-Reply-Flag-DoS     Description has changed
Situation     Analyzer_OpenSSL-DTLS-Recursion-Denial-Of-Service-CVE-2014-0221     Description has changed
Situation     Analyzer_SMB-Brute-Force-Attack     Description has changed
Situation     Analyzer_Microsoft-Remote-Desktop-Brute-Force     Description has changed
Situation     Analyzer_Microsoft-Windows-iSCSI-Target-CVE-2014-0255-Denial-Of-Service     Description has changed
Situation     Analyzer_Apache-Http-Server-Mod_status-Heap-Buffer-Overflow     Description has changed
Situation     Analyzer_FTP-Multiple-Empty-Transfers     Description has changed
Situation     Analyzer_TCP-SYN-Port-Scan-Or-DoS     Description has changed
Situation     Analyzer_ISC-Bind-RPZ-Query-Denial-of-Service     Description has changed
IPList        Microsoft Azure datacenter UKWEST
IPList        Microsoft Azure datacenter
IPList        Microsoft Azure datacenter USCENTRAL
IPList        TOR relay nodes IP Address List
IPList        Amazon EC2
IPList        Amazon AMAZON
IPList        Microsoft Azure datacenter USEAST2
IPList        Amazon GLOBALACCELERATOR

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the SHA256 checksum of the update package matches the value listed at the top of these release notes.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.
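Step 1 is the supply-chain gate for this procedure: the package should only be imported into the SMC if its SHA256 digest equals the published one. The script below is an added example, not a Forcepoint tool; it takes the SHA256 value from the header of these notes (the MD5 and SHA1 values are deliberately ignored, since both hashes have practical collision attacks) and fails closed on a missing file or a mismatch. The package filename is supplied by the operator; none is assumed here.

```shell
#!/bin/sh
# Added example (not part of the Forcepoint SMC or NGFW tooling): verify the
# SHA256 of an update package against the release-notes value before importing
# it. Exit status 0 means the digest matches; anything else means do not import.

# SHA256 published in the release notes for update package 1202-5242.
EXPECTED_SHA256="00b644b2c58242af45612cb018682c1b2307b5dc9449c8a2e0760b5e799ca121"

# sha256_of FILE -> prints the lowercase hex SHA256 digest of FILE.
# Tries the coreutils, BSD/macOS and OpenSSL tools in turn so it runs anywhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# verify_update_package FILE EXPECTED_HEX -> 0 on match, 1 on any failure.
# The comparison is case-insensitive so a digest copied from a web page in
# upper case still compares equal; a missing file is a failure, not a skip.
verify_update_package() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "REFUSED: no such file: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches SHA256 $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (operator supplies the downloaded package path in PACKAGE_FILE):
#   verify_update_package "$PACKAGE_FILE" "$EXPECTED_SHA256" && echo "safe to import"
```

Run the check on the file you actually intend to import (the one the SMC will read), not on a copy elsewhere, and keep the published digest out of the same download channel as the package where you can; a digest fetched from the same compromised mirror as the package proves nothing.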

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.