Release notes for update package 1260-5242

Important notice regarding low end appliances

The update package 1258 introduced changes to all DFA files. This change requires a heightened amount of memory during a policy install or policy refresh on the NGFW engine. On appliances with only 2 GB of memory (N110, N115 and FW-315) this may lead to the memory running out during a policy install or policy refresh, resulting in a failed policy upload with errno 137. In rare circumstances, appliances with 4 GB of memory (e.g. N330, N325) may also experience the same problem if they are operating near their performance limits for concurrent connections and/or have a large VPN configuration.

If the previous active dynamic update package is below 1258, activating update package 1258 or any more recent update package may trigger the issue.

For more information and mitigation steps, see knowledge base article 18570.

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday July 06, 2020
MD5 CHECKSUM:    f417a4d243d0c647c7f4d4c771df7ef1
SHA1 CHECKSUM:    0773b03bc3c8583284acfadc51c928e4e7188550
SHA256 CHECKSUM:    7f6fd5703934ae919de1234828aefdd27306b9cd3478cba01ce303390965a6a2

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

List of detected attacks in this update package:

Risk level    Description    Reference    Vulnerability
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2020-1206     Microsoft-Windows-SMBv3-Compression-Information-Disclosure
High     An attempt to exploit a vulnerability in Inductive Automation Ignition detected     CVE-2020-12000     Inductive-Automation-Ignition-Servermessageheader-Insecure-Deserialization
High     An attempt to exploit a vulnerability in Cisco Systems Data Center Network Manager detected     CVE-2019-15984     Cisco-Data-Center-Network-Manager-Getconfigtemplatefilename-SQL-Injection
High     An attempt to exploit a vulnerability in Microsoft SQL Server detected     CVE-2020-0618     Microsoft-SQL-Server-Reporting-Services-ViewState-RCE
High     An attempt to exploit a vulnerability in Oracle E-Business Suite detected     CVE-2020-2856     Oracle-E-Business-Suite-Advanced-Outbound-Telephony-CVE-2020-2856-XSS
High     An attempt to exploit a vulnerability in WordPress Project 10Web Photo Gallery detected     No CVE/CAN Wordpress-10Web-Photo-Gallery-SQL-Injection
High     An attempt to exploit a vulnerability in rConfig Network Device Configuration Tool detected     CVE-2020-10546     rConfig-Compliancepolicies.PHP-SQL-Injection
High     An attempt to exploit a vulnerability in Cisco Systems Data Center Network Manager detected     CVE-2019-15981     Cisco-Data-Center-Network-Manager-Storefilecontentinfs-Directory-Traversal
High     An attempt to exploit a vulnerability in rConfig Network Device Configuration Tool detected     CVE-2020-10546     rConfig-Compliancepolicies_PHP-SQL-Injection
High     An attempt to exploit a vulnerability in Cisco Systems Data Center Network Manager detected     CVE-2019-15980     Cisco-Data-Center-Network-Manager-Savezoneinputfiletoserver-Directory-Traversal
High     An attempt to exploit a vulnerability in Oracle E-Business Suite detected     CVE-2020-2854     Oracle-E-Business-Suite-Advanced-Outbound-Telephony-CVE-2020-2854-XSS
High     An attempt to exploit a vulnerability in Cisco Systems Unified Contact Center Express (UCCX) detected     CVE-2020-3280     Cisco-Unified-Contact-Center-Express-Rmi-Insecure-Deserialization
High     An attempt to exploit a vulnerability in Nitro PDF Nitro Pro detected     CVE-2020-6074     Nitro-Pro-PDF-Nested-Pages-Use-After-Free
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2020-1300     Microsoft-Windows-Cab-File-Parsing-Directory-Traversal
High     An attempt to exploit a vulnerability in Adobe Systems DNG Software Development Kit detected     CVE-2020-9590     Adobe-DNG-Software-Development-Kit-Readuncompressed-Heap-Buffer-Overflow


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Inductive-Automation-Ignition-Servermessageheader-Insecure-Deserialization CVE-2020-12000 HTTP_CS-Inductive-Automation-Ignition-Servermessageheader-Insecure-Deserialization Suspected Compromise
High Cisco-Data-Center-Network-Manager-Getconfigtemplatefilename-SQL-Injection CVE-2019-15984 HTTP_CS-Cisco-Data-Center-Network-Manager-Getconfigtemplatefilename-SQL-Injection Suspected Compromise
High Microsoft-SQL-Server-Reporting-Services-ViewState-RCE CVE-2020-0618 HTTP_CS-Microsoft-SQL-Server-Reporting-Services-ViewState-RCE Suspected Compromise

TCP SMB Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Microsoft-Windows-SMBv3-Compression-Information-Disclosure CVE-2020-1206 SMB-TCP_Microsoft-Windows-SMBv3-Compression-Information-Disclosure Suspected Compromise

TCP Client Stream Unknown

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Cisco-Unified-Contact-Center-Express-Rmi-Insecure-Deserialization CVE-2020-3280 Generic_CS-Cisco-Unified-Contact-Center-Express-Rmi-Insecure-Deserialization Suspected Compromise

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Oracle-E-Business-Suite-Advanced-Outbound-Telephony-CVE-2020-2856-XSS CVE-2020-2856 HTTP_CSU-Oracle-E-Business-Suite-Advanced-Outbound-Telephony-CVE-2020-2856-Cross-Site-Scripting Suspected Compromise
High Wordpress-10Web-Photo-Gallery-SQL-Injection No CVE/CAN HTTP_CSU-Wordpress-10Web-Photo-Gallery-SQL-Injection Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High rConfig-Compliancepolicies.PHP-SQL-Injection CVE-2020-10546 HTTP_CRL-rConfig-Compliancepolicies-Snippets.PHP-SQL-Injection Suspected Compromise
High Cisco-Data-Center-Network-Manager-Storefilecontentinfs-Directory-Traversal CVE-2019-15981 HTTP_CRL-Cisco-Data-Center-Network-Manager-Storefilecontentinfs-Directory-Traversal Suspected Compromise
High rConfig-Compliancepolicies_PHP-SQL-Injection CVE-2020-10546 HTTP_CRL-rConfig-Compliancepolicies-PHP-SQL-Injection Suspected Compromise
High Cisco-Data-Center-Network-Manager-Savezoneinputfiletoserver-Directory-Traversal CVE-2019-15980 HTTP_CRL-Cisco-Data-Center-Network-Manager-Savezoneinputfiletoserver-Directory-Traversal Suspected Compromise
High Oracle-E-Business-Suite-Advanced-Outbound-Telephony-CVE-2020-2854-XSS CVE-2020-2854 HTTP_CRL-Oracle-E-Business-Suite-Advanced-Outbound-Telephony-CVE-2020-2854-XSS Suspected Compromise

Other Binary File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Microsoft-Windows-Cab-File-Parsing-Directory-Traversal CVE-2020-1300 File-Binary_Microsoft-Windows-Cab-File-Parsing-Directory-Traversal Suspected Compromise
High Adobe-DNG-Software-Development-Kit-Readuncompressed-Heap-Buffer-Overflow CVE-2020-9590 File-Binary_Adobe-DNG-Software-Development-Kit-Readuncompressed-Heap-Buffer-Overflow Suspected Compromise

PDF File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Nitro-Pro-PDF-Nested-Pages-Use-After-Free CVE-2020-6074 File-PDF_Nitro-Pro-PDF-Nested-Pages-Use-After-Free Potential Compromise

Updated detected attacks:

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High Apache-Kylin-Rest-API-Migratecube-Command-Injection CVE-2020-1956 HTTP_CRL-Apache-Kylin-Rest-API-Migratecube-Command-Injection Suspected Compromise    Fingerprint regexp changed

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High Apache-Kylin-Rest-API-Migratecube-Command-Injection CVE-2020-1956 File-Text_Apache-Kylin-Rest-API-Migratecube-Command-Injection Suspected Compromise    Fingerprint regexp changed
High VBScript-Scripting-Detected No CVE/CAN File-Text_Obfuscated-VBScript-Detected Potential Compromise    Fingerprint regexp changed
High JavaScript-Obfuscation No CVE/CAN File-Text_JS-Obfuscator-Obfuscated-JavaScript-Detected Suspected Attack Related Anomalies    Fingerprint regexp changed
High JavaScript-Obfuscation No CVE/CAN File-Text_JavaScript-String-Value-Obfuscation Suspected Attack Related Anomalies    Fingerprint regexp changed
High JavaScript-Obfuscation No CVE/CAN File-Text_QZX-Obfuscated-JavaScript-Detected Potential Compromise    Fingerprint regexp changed
High JSFuck-JavaScript-Obfuscation No CVE/CAN File-Text_JSFuck-JavaScript-Obfuscation Suspected Compromise    Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type    Name
Category    Nitro Pro PDF
Category    Inductive Automation Ignition
Category    Cisco Unified Contact Center Express (UCCX)
IPList    Amazon EC2_INSTANCE_CONNECT af-south-1
Web Authentication Page    DEP User Authentication Pages

Updated objects:

Type    Name    Changes
Network Element    TOR exit nodes
Situation    URL_List-Known-Hostile-URL    Detection mechanism updated
IPList    Åland
IPList    Bulgaria
IPList    Mauritius
IPList    Iceland
IPList    India
IPList    Cyprus
IPList    France
IPList    South Korea
IPList    Amazon AMAZON ap-south-1
IPList    Costa Rica
IPList    Belgium
IPList    Niue
IPList    Tanzania
IPList    Lebanon
IPList    Turkey
IPList    Liberia
IPList    Mongolia
IPList    Amazon AMAZON us-west-2
IPList    Amazon AMAZON us-west-1
IPList    Réunion
IPList    Slovakia
IPList    Ukraine
IPList    Kenya
IPList    Morocco
IPList    Guernsey
IPList    United States
IPList    Republic of Lithuania
IPList    Belize
IPList    Germany
IPList    Estonia
IPList    Microsoft Azure datacenter
IPList    Grenada
IPList    Canada
IPList    Rwanda
IPList    Eritrea
IPList    Netflix Servers
IPList    Equatorial Guinea
IPList    Nicaragua
IPList    Barbados
IPList    Madagascar
IPList    Bolivia
IPList    TOR relay nodes IP Address List
IPList    South Africa
IPList    U.S. Virgin Islands
IPList    Saint Martin
IPList    Sri Lanka
IPList    Cambodia
IPList    Argentina
IPList    Poland
IPList    Papua New Guinea
IPList    Japan
IPList    Mexico
IPList    Portugal
IPList    Sierra Leone
IPList    Uganda
IPList    Paraguay
IPList    Fiji
IPList    Mayotte
IPList    Amazon AMAZON cn-north-1
IPList    Peru
IPList    North Korea
IPList    Latvia
IPList    Nauru
IPList    Luxembourg
IPList    Venezuela
IPList    Akamai Servers
IPList    Honduras
IPList    Tokelau
IPList    Bhutan
IPList    Indonesia
IPList    United Arab Emirates
IPList    Spain
IPList    Puerto Rico
IPList    Guadeloupe
IPList    South Sudan
IPList    British Indian Ocean Territory
IPList    Nigeria
IPList    Thailand
IPList    Lesotho
IPList    Curaçao
IPList    Italy
IPList    North Macedonia
IPList    Ecuador
IPList    Guatemala
IPList    Maldives
IPList    Sudan
IPList    Brazil
IPList    Dominica
IPList    Albania
IPList    Trinidad and Tobago
IPList    Egypt
IPList    Panama
IPList    Israel
IPList    Somalia
IPList    Russia
IPList    Chile
IPList    Austria
IPList    Myanmar
IPList    Microsoft Azure datacenter USEAST
IPList    Anguilla
IPList    Hungary
IPList    Greece
IPList    Yemen
IPList    Serbia
IPList    Georgia
IPList    New Caledonia
IPList    Pakistan
IPList    Suriname
IPList    Amazon CLOUDFRONT
IPList    Finland
IPList    Dominican Republic
IPList    Congo Republic
IPList    Guyana
IPList    Saint Lucia
IPList    Iran
IPList    Cocos [Keeling] Islands
IPList    Bahamas
IPList    Azerbaijan
IPList    Switzerland
IPList    Bangladesh
IPList    Norfolk Island
IPList    Cabo Verde
IPList    Belarus
IPList    Oman
IPList    Ivory Coast
IPList    Slovenia
IPList    El Salvador
IPList    Kazakhstan
IPList    Martinique
IPList    Romania
IPList    Syria
IPList    Amazon EC2_INSTANCE_CONNECT
IPList    Jamaica
IPList    Webex Teams
IPList    TOR exit nodes IP Address List
IPList    Uzbekistan
IPList    Hong Kong
IPList    Croatia
IPList    Kosovo
IPList    DR Congo
IPList    Saint Vincent and the Grenadines
IPList    Amazon AMAZON eu-north-1
IPList    Sweden
IPList    French Guiana
IPList    United Kingdom
IPList    Malta
IPList    Singapore
IPList    Burundi
IPList    Ghana
IPList    Hashemite Kingdom of Jordan
IPList    Ireland
IPList    Nepal
IPList    Andorra
IPList    Macao
IPList    Vietnam
IPList    Jersey
IPList    China
IPList    Togo
IPList    Zimbabwe
IPList    Amazon AMAZON
IPList    Gibraltar
IPList    Netherlands
IPList    Bosnia and Herzegovina
IPList    Taiwan
IPList    Microsoft Azure datacenter USEAST2
IPList    Namibia
IPList    Facebook Servers
IPList    Australia
IPList    Zambia
IPList    Mauritania
IPList    Monaco
IPList    Comoros
IPList    British Virgin Islands
IPList    Saint Barthélemy
IPList    Armenia
IPList    Central African Republic
IPList    Montenegro
IPList    Qatar
IPList    Chad
IPList    Denmark
IPList    Colombia
IPList    Microsoft Azure datacenter USSOUTH
IPList    Antigua and Barbuda
IPList    Norway
IPList    Uruguay
IPList    Kiribati
IPList    Guam
IPList    New Zealand
IPList    Eswatini
IPList    Malaysia
IPList    Republic of Moldova
IPList    Amazon CLOUDFRONT us-east-1
IPList    Google Servers
IPList    Amazon AMAZON ca-central-1
IPList    Czechia
IPList    Samoa
IPList    Turks and Caicos Islands
IPList    Brunei
IPList    Djibouti
IPList    Bahrain
IPList    Afghanistan
IPList    Palestine
IPList    Philippines
IPList    San Marino
IPList    Laos
IPList    Senegal
IPList    Tonga
IPList    Microsoft Azure datacenter USWEST2
IPList    Seychelles
IPList    American Samoa
IPList    Saudi Arabia
IPList    Northern Mariana Islands
IPList    Liechtenstein

ACTIVATING THE UPDATE PACKAGE

  1. Ensure that the SHA256 checksum of the update package is correct.
  2. Open Admin Tools in the SMC GUI client.
  3. Right-click on the Updates folder and select "Import Update Packages".
  4. Right-click on the imported package and select Activate.
  5. Reinstall the system policy to take the changes into use. Custom policies may require manual updating.
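As an added example for step 1 (not part of these release notes or of Forcepoint's tooling), the following POSIX shell script compares a downloaded package file against the SHA256 checksum published above. The package file name in the usage comment is an assumption; pass whatever file you downloaded. The check fails closed: a missing file or a digest mismatch returns a non-zero status, so it can gate an automated import.

```shell
#!/bin/sh
# Expected SHA256 of update package 1260-5242, copied from the release notes.
EXPECTED_SHA256="7f6fd5703934ae919de1234828aefdd27306b9cd3478cba01ce303390965a6a2"

# sha256_of FILE: print the lowercase hex SHA256 digest of FILE.
# Uses sha256sum (coreutils) and falls back to shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_update_checksum FILE [EXPECTED]: return 0 if the digest of FILE
# equals EXPECTED (default: the published value), 1 otherwise.
# The comparison is case-insensitive so a digest pasted in upper case
# still verifies; a missing file is treated as a failure, never a pass.
verify_update_checksum() {
    file="$1"
    expected=$(printf '%s' "${2:-$EXPECTED_SHA256}" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "FAIL: no such file: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches SHA256 $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (file name assumed): sh verify_update.sh ./update_package_1260-5242.jar
# Exit status is the verification result, so "&& import" chains are safe.
if [ -n "${1:-}" ]; then
    verify_update_checksum "$1"
    exit $?
fi
```

Run it before the import in step 3; if it reports MISMATCH, re-download the package rather than importing it.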

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein.

Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners.

Copyright © 2000-2020 Forcepoint LLC. All rights reserved.