RELEASE NOTES FOR UPDATE PACKAGE 1204-5242

RELEASE DATE:    Friday November 22, 2019
MD5 CHECKSUM:    b524cf45671c1b553c2b62e599642b78
SHA1 CHECKSUM:    b344e79d3f6982887d14215692b5f58dae59a01c
SHA256 CHECKSUM:    69e1c1a8f6d9cba5f536226ff0676cb9960e980dcabaa347d7e440a0521cc82b

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

This update package improves the detection capabilities of the Forcepoint NGFW system.

The default stop conditions ("Wait Until Context") for web applications have been updated.

List of detected attacks in this update package:
Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in YouPHPTube Encoder detected     CVE-2019-5128     YouPHPTube-Encoder-Getimagemp4.php-Command-Injection
High     An attempt to exploit a vulnerability in Jenkins build-metrics Plugin detected     CVE-2019-10475     Jenkins-Ci-Server-Build-metrics-Cross-Site-Scripting
High     An attempt to exploit a vulnerability in Squid Project Squid detected     CVE-2019-12526     Squid-Proxy-Urn-Response-Processing-Heap-Buffer-Overflow

DETECTED ATTACKS

NEW DETECTED ATTACKS:

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     YouPHPTube-Encoder-Getimagemp4.php-Command-Injection     CVE-2019-5128     HTTP_CSU-YouPHPTube-Encoder-Getimagemp4.php-Command-Injection     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Jenkins-Ci-Server-Build-metrics-Cross-Site-Scripting     CVE-2019-10475     HTTP_CRL-Jenkins-Ci-Server-Build-metrics-Cross-Site-Scripting     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Squid-Proxy-Urn-Response-Processing-Heap-Buffer-Overflow     CVE-2019-12526     File-Text_Squid-Proxy-Urn-Response-Processing-Heap-Buffer-Overflow     Suspected Compromise

UPDATED DETECTED ATTACKS:

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Critical     Local-System-Access-Via-ActiveX-Controls     No CVE/CAN     File-Text_Scripting.FileSystemObject-ActiveX-Object-Local-File-Write     Compromise     Fingerprint regexp changed

LIST OF OTHER CHANGES

NEW OBJECTS:

Type     Name
Application     Microsoft-Connect-Test

UPDATED OBJECTS:

Type     Name     Changes
Situation     SIP-TCP_TLS-Traffic-In-SIP-Module     Description has changed
IPList     Microsoft Azure datacenter
IPList     TOR relay nodes IP Address List
IPList     Microsoft Azure datacenter USSOUTH
IPList     Microsoft Azure datacenter EUROPEWEST
IPList     Microsoft Azure datacenter FRANCEC

ACTIVATING THE UPDATE PACKAGE

1.    Ensure that the SHA256 checksum of the update package is correct.
2.    Open Admin Tools in the SMC GUI client.
3.    Right-click on the Updates folder and select "Import Update Packages".
4.    Right-click on the imported package and select Activate.
5.    Reinstall the system policy to take the changes into use. Custom policies may require manual updating.

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein. Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners. Copyright © 2000-2019 Forcepoint LLC. All rights reserved.