Important notice regarding low end appliances
Update package 1258 introduced changes to all DFA files. This change requires more memory during a policy install or policy refresh on the NGFW engine. On appliances with only 2 GB of memory (N110, N115 and FW-315) this may cause the engine to run out of memory during a policy install or policy refresh, resulting in a failed policy upload with errno 137. In rare circumstances, appliances with 4 GB of memory (e.g. N330, N325) may also experience the same problem if they are operating near their performance limits in terms of concurrent connections and/or have a large VPN configuration.
If the previous active dynamic update package is below 1258, activating update package 1258 or any more recent update package may trigger the issue.
For more information and mitigation steps, see knowledge base article 18570.
This update package improves the detection capabilities of the Forcepoint NGFW system.
RELEASE DATE: Wednesday July 08, 2020
MD5 CHECKSUM: e14ebd4002d06fd7e3a1d63820d15d53
SHA1 CHECKSUM: 8d4a11aa6d72659ef03708c45d6b0cc7a6a8d812
SHA256 CHECKSUM: 304f6f4ff193ce659292a2103e3734d712926e0c6ecc3517cd6e8474355b49c6
UPDATE CRITICALITY: HIGH
MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center: 5.10.1.10027
- Forcepoint NGFW: 5.5.1.9848
List of detected attacks in this update package:
DETECTED ATTACKS
New detected attacks:
HTTP Normalized Request-Line

| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | F5-Networks-Big-IP-TMUI-Remote-Code-Execution-CVE-2020-5902 | CVE-2020-5902 | HTTP_CRL-F5-Networks-Big-IP-TMUI-Remote-Code-Execution-CVE-2020-5902 | Suspected Compromise |
| High | HPE-IMC-Devgroupselect-Expression-Language-Injection | No CVE/CAN | HTTP_CRL-HPE-IMC-Devgroupselect-Expression-Language-Injection | Suspected Compromise |

Text File Stream

| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Telerik-UI-Insecure-Deserialization-CVE-2019-18935 | CVE-2019-18935 | File-Text_Telerik-UI-Insecure-Deserialization-CVE-2019-18935 | Suspected Compromise |

PDF File Stream

| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Nitro-Pro-PDF-Pattern-Object-Integer-Overflow | CVE-2020-6092 | File-PDF_Nitro-Pro-PDF-Pattern-Object-Integer-Overflow | Suspected Compromise |

Identified Text File Stream

| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Cisco-Data-Center-Network-Manager-Readconfigfileasxml-Directory-Traversal | CVE-2019-15981 | File-TextId_Cisco-Data-Center-Network-Manager-Readconfigfileasxml-Directory-Traversal | Suspected Compromise |
Updated detected attacks:
HTTP Normalized Request-Line

| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
|---|---|---|---|---|---|
| High | rConfig-Compliancepolicies.PHP-SQL-Injection | CVE-2020-10546 | HTTP_CRL-rConfig-Compliancepolicies-Snippets.PHP-SQL-Injection | Suspected Compromise | Fingerprint regexp changed |
| Low | Generic-Shared-Variables | No CVE/CAN | HTTP_CRL-Shared-Variables | System Inspections | Fingerprint regexp changed |

Text File Stream

| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
|---|---|---|---|---|---|
| High | VBScript-In-Insecure-Frameworks | No CVE/CAN | File-Text_VBScript-In-Bo-Bbs | Potential Compromise | Fingerprint regexp changed |
| High | File-Text_Suspicious_Inline_Iframe_Element | No CVE/CAN | File-Text_Suspicious_Inline_Iframe_Element-1 | Suspected Attack Related Anomalies | Fingerprint regexp changed |
| High | JavaScript-ShellCode-Generation | No CVE/CAN | File-Text_JavaScript-ShellCode-Generation | Suspected Compromise | Fingerprint regexp changed |
LIST OF OTHER CHANGES:
New objects:
| Type | Name |
|---|---|
| Filter | Web Application Events |
| Filter | Action Negated Allow or Permit and Inspection Facility |
| Filter | Evasive Application Events |
| Filter | Evasive Attacks |
| Filter | Protocol Events |
| Filter | High Risk Web Events |
| Filter | Malicious Files |
| Filter | High Risk User Events |
| Filter | Vulnerabilities without CVE |
Updated objects:
| Type | Name | Changes |
|---|---|---|
| Filter | Local Evasive Attacks | |
| Filter | Malicious Internal Source | |
| Filter | Local Action Negated Allow or Permit and Inspection Facility | |
| Filter | Top attacks by web host item filter | |
| Filter | Local Evasive Application Events | |
| Filter | Local High Risk User Events | |
| Filter | Local Malicious Files | |
| Filter | Local Protocol Events | |
| Filter | Local Web Application Events | |
| Filter | Local High Risk Web Events | |
| Filter | High or Critical Attacks | |
| Filter | Local Excluding CVE | |
| Report Template | Application and Web Security | |
| Situation | File-Text_JavaScript-Function-Obfuscation | Fingerprint regexp changed |
| Situation | File-Text_Iframe-Src-From-IP-Address | Fingerprint regexp changed |
ACTIVATING THE UPDATE PACKAGE
- Ensure that the SHA256 checksum of the update package is correct.
- Open Admin Tools in the SMC GUI client.
- Right-click on the Updates folder and select "Import Update Packages".
- Right-click on the imported package and select Activate.
- Reinstall the system policy to take the changes into use. Custom policies may require manual updating.
DISCLAIMER AND COPYRIGHT
The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein.
Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners.
Copyright © 2000-2020 Forcepoint LLC. All rights reserved.