Release notes for update package 1272-5242

Important notice regarding low-end appliances

The update package 1258 introduced changes to all DFA files. This change requires more memory during a policy install or policy refresh on the NGFW engine. On appliances with only 2 GB of memory (N110, N115 and FW-315) this may lead to the memory running out during a policy install or policy refresh, resulting in a failed policy upload with errno 137. In rare circumstances, appliances with 4 GB of memory (e.g. N330, N325) may also experience the same problem if they are operating near their performance limits for concurrent connections and/or have a large VPN configuration.

If the previously active dynamic update package is below 1258, activating update package 1258 or any more recent update package may trigger the issue.

For more information and mitigation steps, see knowledge base article 18570.

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Wednesday August 26, 2020
MD5 CHECKSUM:    c8e1ef84c5550ce67f77cc5a10e9611b
SHA1 CHECKSUM:    56e631f9cbe95d2c284d1c15f3deaa777ba18d07
SHA256 CHECKSUM:    f322057c93945bfa1c3aa62e0547a969e24ee2166c943012d44d9bb390bc8496

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    5.10.1.10027
- Forcepoint NGFW:    5.5.1.9848

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Advantech WebAccess detected     CVE-2020-10621     Advantech-WebAccess-NMS-Configrestoreaction-Arbitrary-File-Upload
High     Octopus C2 framework infection traffic was detected     No CVE/CAN Octopus-C2-Infection-Traffic
High     An attempt to exploit a vulnerability in IBM Spectrum Protect Plus detected     CVE-2020-4212     IBM-Spectrum-Protect-Plus-Hfpackage-Command-Injection
High     An attempt to exploit a vulnerability in Cisco Systems UCS Director detected     CVE-2020-3248     Cisco-UCS-Director-Savestaticconfig-Directory-Traversal
High     Octopus C2 framework initial infection traffic was detected     No CVE/CAN Octopus-C2-Infection-Traffic
High     An attempt to exploit a vulnerability in Eaton HmiSoft VU3 detected     CVE-2020-10639     Eaton-Hmisoft-Vu3-Wmailcontentlen-Stack-Buffer-Overflow
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2020-1464     Microsoft-Windows-MSI-File-Signature-Spoofing-Vulnerability
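The table above is the quickest way to decide whether this package matters for a given estate, but only once its rows are in a form that can be joined against an asset inventory. The following is an added example, not a Forcepoint tool: it parses rows in the layout used above (risk, description, reference, situation name separated by runs of spaces, with "No CVE/CAN" rows where the reference and the situation name are only one space apart) and returns the CVE identifiers and the situations grouped by risk. The sample rows are copied from the table above; no other input is assumed.

```python
import re
from collections import defaultdict

# Sample input: the seven rows from the "List of detected attacks" table above.
SAMPLE_ROWS = """\
High     An attempt to exploit a vulnerability in Advantech WebAccess detected     CVE-2020-10621     Advantech-WebAccess-NMS-Configrestoreaction-Arbitrary-File-Upload
High     Octopus C2 framework infection traffic was detected     No CVE/CAN Octopus-C2-Infection-Traffic
High     An attempt to exploit a vulnerability in IBM Spectrum Protect Plus detected     CVE-2020-4212     IBM-Spectrum-Protect-Plus-Hfpackage-Command-Injection
High     An attempt to exploit a vulnerability in Cisco Systems UCS Director detected     CVE-2020-3248     Cisco-UCS-Director-Savestaticconfig-Directory-Traversal
High     Octopus C2 framework initial infection traffic was detected     No CVE/CAN Octopus-C2-Infection-Traffic
High     An attempt to exploit a vulnerability in Eaton HmiSoft VU3 detected     CVE-2020-10639     Eaton-Hmisoft-Vu3-Wmailcontentlen-Stack-Buffer-Overflow
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2020-1464     Microsoft-Windows-MSI-File-Signature-Spoofing-Vulnerability
"""

# One row: risk, description, reference, situation name. Columns are separated
# by two or more spaces, except that "No CVE/CAN" rows have only a single space
# before the situation name, hence the \s+ in front of the last field.
ROW_RE = re.compile(
    r"^(?P<risk>\S+)\s{2,}"
    r"(?P<description>.+?)\s{2,}"
    r"(?P<reference>CVE-\d{4}-\d{4,}|No CVE/CAN)\s+"
    r"(?P<situation>\S+)$"
)


def parse_rows(text):
    """Return one dict per table row; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line, blank line, or anything not shaped like a row
        rec = m.groupdict()
        rec["cve"] = rec["reference"] if rec["reference"].startswith("CVE-") else None
        records.append(rec)
    return records


def cve_ids(records):
    """Sorted, de-duplicated CVE identifiers referenced by the rows."""
    return sorted({r["cve"] for r in records if r["cve"]})


def situations_by_risk(records):
    """Map risk level -> list of situation names, in table order."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["risk"]].append(r["situation"])
    return dict(grouped)


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    print("CVEs:", ", ".join(cve_ids(recs)))
    for risk, names in situations_by_risk(recs).items():
        print(f"{risk}: {len(names)} situation(s)")
```

Rows without a CVE (the two Octopus C2 entries) come back with `cve` set to `None` so they are not dropped; a C2 detection with no CVE is still worth checking against egress logs.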


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Advantech-WebAccess-NMS-Configrestoreaction-Arbitrary-File-Upload     CVE-2020-10621     HTTP_CS-Advantech-WebAccess-NMS-Configrestoreaction-Arbitrary-File-Upload     Suspected Compromise

HTTP Status Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Octopus-C2-Infection-Traffic     No CVE/CAN     HTTP_SLS-Octopus-C2-Infection-Traffic     Suspected Botnet

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     IBM-Spectrum-Protect-Plus-Hfpackage-Command-Injection     CVE-2020-4212     HTTP_CRL-IBM-Spectrum-Protect-Plus-Hfpackage-Command-Injection     Suspected Compromise
High     Cisco-UCS-Director-Savestaticconfig-Directory-Traversal     CVE-2020-3248     HTTP_CRL-Cisco-UCS-Director-Savestaticconfig-Directory-Traversal     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Octopus-C2-Infection-Traffic     No CVE/CAN     File-Text_Octopus-C2-Initial-Infection-Traffic     Suspected Botnet

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Eaton-Hmisoft-Vu3-Wmailcontentlen-Stack-Buffer-Overflow     CVE-2020-10639     File-Binary_Eaton-Hmisoft-Vu3-Wmailcontentlen-Stack-Buffer-Overflow     Suspected Compromise

OLE File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Microsoft-Windows-MSI-File-Signature-Spoofing-Vulnerability     CVE-2020-1464     File-OLE_Microsoft-Windows-MSI-File-Signature-Spoofing-Vulnerability     Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Cisco-Dcnm-TrustedClientTokenValidator-Authentication-Bypass     CVE-2019-15975     HTTP_CS-Cisco-Dcnm-TrustedClientTokenValidator-Authentication-Bypass     Suspected Compromise     Fingerprint regexp changed
High     Centreon-formMibs-Command-Injection     CVE-2019-15298     HTTP_CS-Centreon-formMibs-Command-Injection     Potential Compromise     Fingerprint regexp changed
High     Vtiger-CRM-Authenticated-Remote-Code-Execution     CVE-2013-3591     HTTP_CS-Vtiger-CRM-Authenticated-Remote-Code-Execution     Suspected Compromise     Fingerprint regexp changed
High     Oracle-Endeca-Server-Directory-Traversal-CVE-2015-2604     CVE-2015-2604     HTTP_CS-Oracle-Endeca-Server-Directory-Traversal-CVE-2015-2604     Suspected Compromise     Fingerprint regexp changed
High     EMC-Data-Protection-Advisor-Static-Credentials-Authentication-Bypass     CVE-2017-8013     HTTP_CS-EMC-Data-Protection-Advisor-Application-Service-Static-Credentials-Authentication-Bypass     Suspected Compromise     Fingerprint regexp changed
High     MantisBT-XmlImportExport-PHP-Code-Injection     CVE-2014-7146     HTTP_CS-MantisBT-XmlImportExport-PHP-Code-Injection     Suspected Compromise     Fingerprint regexp changed
High     AsusWRT-Lan-Unauthenticated-Remote-Code-Execution     CVE-2018-5999     HTTP_CS-AsusWRT-Lan-Unauthenticated-Remote-Code-Execution     Suspected Compromise     Fingerprint regexp changed
High     Squash-YAML-Code-Execution     CVE-2013-5036     HTTP_CS-Squash-YAML-Code-Execution     Suspected Compromise     Fingerprint regexp changed
High     Seagate-Business-NAS-Remote-Code-Execution     CVE-2014-8684     HTTP_CS-Seagate-Business-NAS-Remote-Code-Execution     Potential Compromise     Fingerprint regexp changed
High     Micro-Focus-NetIQ-Sentinel-Server-Sentinelcontext-Authentication-Bypass     CVE-2016-1605     HTTP_CS-Micro-Focus-NetIQ-Sentinel-Server-Sentinelcontext-Authentication-Bypass     Suspected Compromise     Fingerprint regexp changed

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Low     Generic-Shared-Variables     No CVE/CAN     HTTP_CSH-Shared-Variables     System Inspections     Fingerprint regexp changed

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Nexus-Repository-Manager-Java-EL-Injection     CVE-2020-10199     HTTP_CRL-Nexus-Repository-Manager-Java-EL-Injection     Suspected Compromise     Fingerprint regexp changed
High     Novell-File-Reporter-Arbitrary-File-Delete     CVE-2011-2750     HTTP_CRL-Novell-File-Reporter-Arbitrary-File-Delete     Suspected Compromise     Fingerprint regexp changed
High     Dell-EMC-Vmax-Virtual-Appliance-Manager-Authentication-Bypass     CVE-2018-1216     HTTP_CRL-Dell-EMC-Vmax-Virtual-Appliance-Manager-Authentication-Bypass     Suspected Compromise     Fingerprint regexp changed
High     D-Link-TRENDnet-NCC-Service-Command-Injection     CVE-2015-1187     HTTP_CRL-D-Link-TRENDnet-NCC-Service-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Pfsense-Authenticated-Group-Member-Remote-Command-Execution     No CVE/CAN     HTTP_CRL-Pfsense-Authenticated-Group-Member-Remote-Command-Execution     Suspected Compromise     Fingerprint regexp changed
High     Laquis-Scada-Web-Server-Relatorionome-Nome-Command-Injection     CVE-2018-18996     HTTP_CRL-Laquis-Scada-Web-Server-Relatorionome-Nome-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Dolibarr-ERP-CRM-Command-Injection     No CVE/CAN     HTTP_CRL-Dolibarr-ERP-CRM-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Nagios-Log-Server-User-Profile-Stored-Cross-Site-Scripting     CVE-2020-6586     HTTP_CRL-Nagios-Log-Server-User-Profile-Stored-Cross-Site-Scripting     Suspected Compromise     Fingerprint regexp changed
High     QNAP-Q-Center-Virtual-Appliance-Change_Passwd-Command-Execution     CVE-2018-0707     HTTP_CRL-QNAP-Q-Center-Virtual-Appliance-Change_Passwd-Command-Execution     Suspected Compromise     Fingerprint regexp changed
High     Hak5-WiFi-Pineapple-Preconfiguration-Command-Injection     CVE-2015-4624     HTTP_CRL-Hak5-WiFi-Pineapple-Preconfiguration-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Nuuo-NVRmini-Upgrade_handle.php-Remote-Command-Execution     CVE-2018-14933     HTTP_CRL-Nuuo-NVRmini-Upgrade_handle.php-Remote-Command-Execution     Suspected Compromise     Fingerprint regexp changed
Critical     VICIDIAL-Dialer-SQL-And-Command-Injection     CVE-2013-4467     HTTP_CRL_VICIDIAL-Dialer-SQL-And-Command-Injection     Compromise     Fingerprint regexp changed
High     Cisco-SA500-Series-Security-Appliances-SQL-Injection     CVE-2011-2546     HTTP_CSU-Cisco-SA500-Series-Security-Appliances-SQL-Injection     Suspected Compromise     Fingerprint regexp changed
High     Imperva-SecureSphere-Pws-Command-Injection     No CVE/CAN     HTTP_CRL-Imperva-SecureSphere-Pws-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Manageengine-Applications-Manager-Menuhandlerservlet-SQL-Injection     CVE-2016-9488     HTTP_CRL-Manageengine-Applications-Manager-Menuhandlerservlet-SQL-Injection     Suspected Compromise     Fingerprint regexp changed
High     Serviio-Media-Server-checkStreamUrl-Command-Execution     No CVE/CAN     HTTP_CRL-Serviio-Media-Server-checkStreamUrl-Command-Execution     Suspected Compromise     Fingerprint regexp changed
High     LibreNMS-addhost-Command-Injection     CVE-2018-20434     HTTP_CSU-LibreNMS-addhost-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     DC/OS-Marathon-UI-Docker-Exploit     No CVE/CAN     HTTP_CRL-DC/OS-Marathon-UI-Docker-Exploit     Suspected Compromise     Fingerprint regexp changed
Critical     Esf-Pfsense-Webgui-Deletefile-Directory-Traversal     CVE-2015-2295     HTTP_CRL-Esf-Pfsense-Webgui-Deletefile-Directory-Traversal     Compromise     Fingerprint regexp changed
High     Micro-Focus-NetIQ-Access-Manager-Identity-Server-Directory-Traversal     CVE-2017-14803     HTTP_CRL-Micro-Focus-NetIQ-Access-Manager-Identity-Server-Ospuibasicssodownload-Directory-Traversal     Suspected Compromise     Fingerprint regexp changed
High     osCommerce-Installer-Unauthenticated-Code-Execution     No CVE/CAN     HTTP_CRL-osCommerce-Installer-Unauthenticated-Code-Execution     Suspected Compromise     Fingerprint regexp changed
High     IntegraXOR-SQL-Injection     No CVE/CAN     HTTP_CRL-IntegraXOR-SQL-Injection     Suspected Disclosure     Fingerprint regexp changed
Critical     Reprise-License-Manager-Diagnostics_doit-Directory-Traversal     No CVE/CAN     HTTP_CRL-Reprise-License-Manager-Diagnostics_doit-Directory-Traversal     Compromise     Fingerprint regexp changed
High     Web-Server-PHP-Injection     No CVE/CAN     HTTP_CRL-Web-Server-PHP-Injection     Suspected Compromise     Fingerprint regexp changed
High     Schneider-Electric-Pelco-Endura-Encoder     CVE-2019-6814     HTTP_CRL-Schneider-Electric-Pelco-Endura-Encoder     Suspected Compromise     Fingerprint regexp changed
High     TYPO3-CMS-Phar-Insecure-Deserialization     No CVE/CAN     HTTP_CRL-TYPO3-CMS-Phar-Insecure-Deserialization     Suspected Compromise     Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type     Name
Category     IBM Spectrum Protect Plus
Category     Cisco UCS Director Express for Big Data

Updated objects:

Type     Name     Changes
Network Element     TOR exit nodes
IPList     Amazon AMAZON us-west-2
IPList     Amazon AMAZON ap-southeast-1
IPList     Amazon S3 ap-northeast-1
IPList     TOR relay nodes IP Address List
IPList     Akamai Servers
IPList     Amazon S3
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON ap-northeast-1
IPList     Amazon AMAZON
IPList     Facebook Servers
IPList     Amazon S3 ap-southeast-1

ACTIVATING THE UPDATE PACKAGE

  1. Ensure that the SHA256 checksum of the downloaded update package matches the value listed above.
  2. Open Admin Tools in the SMC GUI client.
  3. Right-click on the Updates folder and select "Import Update Packages".
  4. Right-click on the imported package and select Activate.
  5. Reinstall the system policy to take the changes into use. Custom policies may require manual updating.
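Step 1 is the only point at which a tampered or truncated download can be caught before it is imported into the SMC, so it is worth scripting rather than eyeballing. The following is an added example, not a Forcepoint tool: it hashes the package file in chunks, compares every digest against the values printed in the release notes above with a constant-time comparison, and treats SHA256 as the deciding check (MD5 and SHA1 are collision-prone and only corroborate). The package path is taken from the command line; the digest values are copied from this page.

```python
"""Verify a downloaded NGFW dynamic update package against the digests
published in its release notes, before importing it into the SMC.
Added example; not Forcepoint tooling."""
import hashlib
import hmac
import sys

# Digests exactly as printed in the release notes for update package 1272-5242.
PUBLISHED_DIGESTS = {
    "sha256": "f322057c93945bfa1c3aa62e0547a969e24ee2166c943012d44d9bb390bc8496",
    "sha1": "56e631f9cbe95d2c284d1c15f3deaa777ba18d07",
    "md5": "c8e1ef84c5550ce67f77cc5a10e9611b",
}


def file_digests(path, algorithms=("sha256", "sha1", "md5"), chunk_size=1 << 20):
    """Compute the requested hashlib digests of a file in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_package(path, expected=PUBLISHED_DIGESTS):
    """Return {algorithm: matched} for every digest in `expected`.

    hmac.compare_digest keeps the comparison constant-time; it also refuses
    to match strings of different length, so a truncated expected value
    fails closed rather than matching a prefix."""
    actual = file_digests(path, tuple(expected))
    return {
        name: hmac.compare_digest(actual[name], expected[name].lower())
        for name in expected
    }


def package_is_trusted(results):
    """SHA256 decides; MD5/SHA1 are reported but cannot rescue a SHA256 mismatch."""
    return bool(results.get("sha256", False))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <update-package-file>")
    results = verify_package(sys.argv[1])
    for name, ok in results.items():
        print(f"{name:7s} {'OK' if ok else 'MISMATCH'}")
    if not package_is_trusted(results):
        sys.exit("SHA256 mismatch: do not import this package")
    print("package digests verified; safe to import in the SMC")
```

Run it against the downloaded file before step 2; a non-zero exit means the file differs from what the release notes describe and should be re-downloaded from the vendor, not imported. Note that `hashlib.new("md5")` is unavailable on hosts running in FIPS mode, in which case drop `md5` from `PUBLISHED_DIGESTS`.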

DISCLAIMER AND COPYRIGHT

Copyright © 2020 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.