This update package improves the detection capabilities of the Forcepoint NGFW system.
RELEASE DATE: Tuesday April 20, 2021
MD5 CHECKSUM: 99e66e9a99f27c20cac21a6c54abbfd9
SHA1 CHECKSUM: 271b6702b40b8b0c3894390b7aae0434d04343e1
SHA256 CHECKSUM: 7c7488cbb8742387244e52149d1fda43f87617e2835a2eb3cd15979eefdd346d
UPDATE CRITICALITY: HIGH
MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center: 6.5.1.10631
- Forcepoint NGFW: 6.3.1.19034
List of detected attacks in this update package:
Risk level | Description | Reference | Vulnerability |
---|---|---|---|
High | An attempt to exploit a vulnerability in Wordpress AIT CSV Import/Export plugin detected | No CVE/CAN | Wordpress-AIT-CSV-Import-Export-Unauthenticated-RCE |
High | An attempt to exploit a vulnerability in Wordpress Drag And Drop Plugin detected | CVE-2020-12800 | Wordpress-Drag-And-Drop-Multi-File-Uploader-RCE |
High | An attempt to exploit a vulnerability in WordPress Simple File List Plugin detected | No CVE/CAN | Wordpress-Simple-File-List-Plugin-Unauthenticated-RCE |
High | An attempt to exploit a vulnerability in Zivif Cameras detected | CVE-2017-17105 | Zivif-Camera-iptest.cgi-Blind-RCE |
High | An attempt to exploit a vulnerability in VMware vCenter Server detected | CVE-2021-21972 | VMware-Vcenter-Server-Remote-Code-Execution-CVE-2021-21972 |
High | An attempt to exploit a vulnerability in Nagios Enterprises Nagios XI detected | CVE-2021-25297 | Nagios-XI-Configwizards-Switch-Command-Injection |
High | An attempt to exploit a vulnerability in Apache Software Foundation Druid detected | CVE-2021-26919 | Apache-Druid-JDBC-Connection-Properties-Remote-Code-Execution |
High | An attempt to exploit a vulnerability in ZenTao Pro detected | CVE-2020-7361 | ZenTao-Pro-Remote-Code-Execution |
High | An attempt to exploit a vulnerability in VMWare Cloud Foundation detected | CVE-2021-21975 | VMware-Vrealize-Operations-Manager-API-Server-Side-Request-Forgery |
DETECTED ATTACKS
New detected attacks:
HTTP Client Stream
Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
---|---|---|---|---|
High | Wordpress-AIT-CSV-Import-Export-Unauthenticated-RCE | No CVE/CAN | HTTP_CS-Wordpress-AIT-CSV-Import-Export-Unauthenticated-RCE | Suspected Compromise |
High | Wordpress-Drag-And-Drop-Multi-File-Uploader-RCE | CVE-2020-12800 | HTTP_CS-Wordpress-Drag-And-Drop-Multi-File-Uploader-RCE | Suspected Compromise |
High | Wordpress-Simple-File-List-Plugin-Unauthenticated-RCE | No CVE/CAN | HTTP_CS-Wordpress-Simple-File-List-Plugin-Unauthenticated-RCE | Suspected Compromise |
High | Zivif-Camera-iptest.cgi-Blind-RCE | CVE-2017-17105 | HTTP_CS-Zivif-Camera-iptest.cgi-Blind-RCE | Suspected Compromise |
High | VMware-Vcenter-Server-Remote-Code-Execution-CVE-2021-21972 | CVE-2021-21972 | HTTP_CS-VMware-Vcenter-Server-Remote-Code-Execution-CVE-2021-21972 | Suspected Compromise |
HTTP Normalized Request-Line
Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
---|---|---|---|---|
High | Nagios-XI-Configwizards-Switch-Command-Injection | CVE-2021-25297 | HTTP_CRL-Nagios-XI-Configwizards-Switch-Command-Injection | Suspected Compromise |
High | Apache-Druid-JDBC-Connection-Properties-Remote-Code-Execution | CVE-2021-26919 | HTTP_CRL-Apache-Druid-JDBC-Connection-Properties-Remote-Code-Execution | Suspected Compromise |
High | ZenTao-Pro-Remote-Code-Execution | CVE-2020-7361 | HTTP_CRL-ZenTao-Pro-Remote-Code-Execution | Suspected Compromise |
High | VMware-Vrealize-Operations-Manager-API-Server-Side-Request-Forgery | CVE-2021-21975 | HTTP_CRL-VMware-Vrealize-Operations-Manager-API-Server-Side-Request-Forgery | Suspected Compromise |
Updated detected attacks:
HTTP Client Stream
Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
---|---|---|---|---|---|
High | Microsoft-Exchange-CVE-2021-27065-Arbitrary-File-Write | CVE-2021-27065 | HTTP_CS-Microsoft-Exchange-CVE-2021-27065-Arbitrary-File-Write | Suspected Compromise | |
HTTP Normalized Request-Line
Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
---|---|---|---|---|---|
High | VMware-View-Planner-Logupload-Directory-Traversal | CVE-2021-21978 | HTTP_CRL-VMware-View-Planner-Logupload-Directory-Traversal | Suspected Compromise | |
SMB Server Header Stream
Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
---|---|---|---|---|---|
Low | Microsoft-Windows-SMB-Information-Disclosure-Vulnerability-CVE-2021-28325 | CVE-2021-28325 | SMB-TCP_SHS-Microsoft-Windows-SMB-Information-Disclosure-Vulnerability-CVE-2021-28325 | Potential Disclosure | |
LIST OF OTHER CHANGES:
New objects:
Type | Name |
---|---|
Category | Zivif Camera |
Category | ZenTao Pro |
Category | WordPress Simple File List Plugin |
Category | Wordpress Drag And Drop Plugin |
Category | Wordpress AIT CSV Import Export plugin |
Category | VMWare vRealize Operations Manager |
Situation | System_Stop-Inspection |
Situation | HTTP2_Max-Frame-Size-Exceeded |
Situation | FTP-Validation-Succeeded |
Situation Context | HTTP Host |
Updated objects:
Type | Name | Changes |
---|---|---|
IPList | Åland | |
IPList | Bulgaria | |
IPList | Mauritius | |
IPList | Iceland | |
IPList | India | |
IPList | Burkina Faso | |
IPList | Guinea-Bissau | |
IPList | Cyprus | |
IPList | France | |
IPList | Amazon API_GATEWAY eu-central-1 | |
IPList | Sint Maarten | |
IPList | South Korea | |
IPList | Costa Rica | |
IPList | Belgium | |
IPList | Tanzania | |
IPList | Lebanon | |
IPList | Botswana | |
IPList | Turkey | |
IPList | Heard Island and McDonald Islands | |
IPList | Liberia | |
IPList | Mongolia | |
IPList | Réunion | |
IPList | Slovakia | |
IPList | Ukraine | |
IPList | Kenya | |
IPList | Botnet IP Address List | |
IPList | Guernsey | |
IPList | United States | |
IPList | Lithuania | |
IPList | Germany | |
IPList | Estonia | |
IPList | Cameroon | |
IPList | Amazon API_GATEWAY ap-east-1 | |
IPList | Bouvet Island | |
IPList | Canada | |
IPList | St Kitts and Nevis | |
IPList | Barbados | |
IPList | Bolivia | |
IPList | TOR relay nodes IP Address List | |
IPList | South Africa | |
IPList | U.S. Virgin Islands | |
IPList | East Timor | |
IPList | Saint Martin | |
IPList | Cambodia | |
IPList | Cayman Islands | |
IPList | Argentina | |
IPList | Poland | |
IPList | Papua New Guinea | |
IPList | Japan | |
IPList | Mexico | |
IPList | Portugal | |
IPList | Uganda | |
IPList | Paraguay | |
IPList | Mayotte | |
IPList | Peru | |
IPList | Tunisia | |
IPList | Latvia | |
IPList | Luxembourg | |
IPList | Venezuela | |
IPList | Honduras | |
IPList | Indonesia | |
IPList | United Arab Emirates | |
IPList | Spain | |
IPList | Puerto Rico | |
IPList | Guadeloupe | |
IPList | Nigeria | |
IPList | Thailand | |
IPList | Malicious Site IP Address List | |
IPList | Amazon API_GATEWAY ap-northeast-1 | |
IPList | Italy | |
IPList | Ecuador | |
IPList | Sudan | |
IPList | South Georgia and the South Sandwich Islands | |
IPList | Brazil | |
IPList | Dominica | |
IPList | Albania | |
IPList | Microsoft Intune IP Address List | |
IPList | Egypt | |
IPList | Panama | |
IPList | Israel | |
IPList | Russia | |
IPList | Chile | |
IPList | Austria | |
IPList | Antarctica | |
IPList | Hungary | |
IPList | Greece | |
IPList | Haiti | |
IPList | Serbia | |
IPList | Georgia | |
IPList | Pakistan | |
IPList | Angola | |
IPList | Kyrgyzstan | |
IPList | Finland | |
IPList | Dominican Republic | |
IPList | Saint Lucia | |
IPList | Iran | |
IPList | Niger | |
IPList | Cocos [Keeling] Islands | |
IPList | Bahamas | |
IPList | Bonaire, Sint Eustatius, and Saba | |
IPList | Switzerland | |
IPList | Bangladesh | |
IPList | Belarus | |
IPList | Oman | |
IPList | Kuwait | |
IPList | Slovenia | |
IPList | Christmas Island | |
IPList | French Southern Territories | |
IPList | Kazakhstan | |
IPList | Martinique | |
IPList | Romania | |
IPList | Jamaica | |
IPList | TOR exit nodes IP Address List | |
IPList | Hong Kong | |
IPList | Croatia | |
IPList | Kosovo | |
IPList | DR Congo | |
IPList | Saint Vincent and the Grenadines | |
IPList | Iraq | |
IPList | Sweden | |
IPList | French Guiana | |
IPList | United Kingdom | |
IPList | Singapore | |
IPList | Ghana | |
IPList | Jordan | |
IPList | Ireland | |
IPList | Nepal | |
IPList | Vietnam | |
IPList | Jersey | |
IPList | China | |
IPList | Zimbabwe | |
IPList | Netherlands | |
IPList | Benin | |
IPList | Bosnia and Herzegovina | |
IPList | Taiwan | |
IPList | Namibia | |
IPList | Australia | |
IPList | Zambia | |
IPList | British Virgin Islands | |
IPList | Saint Barthélemy | |
IPList | Armenia | |
IPList | Central African Republic | |
IPList | Faroe Islands | |
IPList | Montenegro | |
IPList | Qatar | |
IPList | Denmark | |
IPList | Amazon API_GATEWAY | |
IPList | Colombia | |
IPList | Antigua and Barbuda | |
IPList | Norway | |
IPList | Uruguay | |
IPList | Guam | |
IPList | New Zealand | |
IPList | Malaysia | |
IPList | Moldova | |
IPList | Czechia | |
IPList | Brunei | |
IPList | Amazon API_GATEWAY ap-northeast-3 | |
IPList | Afghanistan | |
IPList | Palestine | |
IPList | Philippines | |
IPList | San Marino | |
IPList | Seychelles | |
IPList | American Samoa | |
IPList | Saudi Arabia | |
IPList | Northern Mariana Islands | |
IPList | Liechtenstein | |
Situation | HTTP_CSU-Shared-Variables | |
Situation Context Group | HTTP | |
HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE
- Download the dynamic update package, then verify that the checksums of the downloaded file match the MD5, SHA1 and SHA256 values published above before importing it.
- In the Management Client, select Menu > File > Import > Import Update Packages.
- Browse to the file, select it, then click Import.
- Select Configuration, then browse to Administration > Other Elements > Updates.
- Right-click the imported dynamic update package, then select Activate.
- When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
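The first step above, checking the downloaded package against the published checksums, is the only part of the procedure that protects against importing a tampered or corrupted file, so it is worth scripting rather than eyeballing. The following POSIX shell script is an added example, not Forcepoint's own tooling: the `verify_package` and `digest` helper names are mine, the sample file it hashes is constructed inline (the three-byte string `abc`, whose digests are well known), and it assumes either the coreutils `sha256sum`/`sha1sum`/`md5sum` tools or `openssl` is on the PATH. The published checksums from this page are kept in variables so the same function can be pointed at the real `.jar` once downloaded.

```shell
#!/bin/sh
# Added example: verify a downloaded dynamic update package against the
# checksums published in the release notes before importing it.

# Published values for this update package (copied from the page).
PUBLISHED_MD5=99e66e9a99f27c20cac21a6c54abbfd9
PUBLISHED_SHA1=271b6702b40b8b0c3894390b7aae0434d04343e1
PUBLISHED_SHA256=7c7488cbb8742387244e52149d1fda43f87617e2835a2eb3cd15979eefdd346d

# digest FILE ALGO: print the lowercase hex digest of FILE using the
# coreutils tool (sha256sum, sha1sum, md5sum) when present, else openssl.
digest() {
  f=$1; algo=$2
  if command -v "${algo}sum" >/dev/null 2>&1; then
    "${algo}sum" "$f" | awk '{print $1}'
  else
    openssl dgst -"$algo" "$f" | awk '{print $NF}'
  fi
}

# verify_package FILE SHA256 [SHA1] [MD5]
# Returns 0 only if every supplied checksum matches; reports each mismatch
# on stderr. Returns 2 if the file does not exist. Comparison is
# case-insensitive so values pasted in upper case still work.
verify_package() {
  f=$1; want256=$2; want1=${3:-}; wantmd5=${4:-}
  [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
  rc=0
  for pair in "sha256:$want256" "sha1:$want1" "md5:$wantmd5"; do
    algo=${pair%%:*}; want=${pair#*:}
    [ -n "$want" ] || continue            # skip checksums that were not supplied
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    got=$(digest "$f" "$algo")
    if [ "$got" = "$want" ]; then
      echo "$algo OK"
    else
      echo "$algo MISMATCH: expected $want, got $got" >&2
      rc=1
    fi
  done
  return $rc
}

# Demonstration on a constructed file. The digests of the string "abc"
# (no trailing newline) are standard test vectors for these hash functions.
SAMPLE=$(mktemp)
printf 'abc' > "$SAMPLE"
if verify_package "$SAMPLE" \
     ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
     a9993e364706816aba3e25717850c26c9cd0d89d \
     900150983cd24fb0d6963f7d28e17f72; then
  echo "sample file verified"
fi
# The same sample must NOT pass against the published package checksums.
if ! verify_package "$SAMPLE" "$PUBLISHED_SHA256" "$PUBLISHED_SHA1" "$PUBLISHED_MD5" 2>/dev/null; then
  echo "sample file correctly rejected against published checksums"
fi
rm -f "$SAMPLE"

# Real use, after downloading the package (path is a placeholder):
#   verify_package /path/to/downloaded-update-package "$PUBLISHED_SHA256" "$PUBLISHED_SHA1" "$PUBLISHED_MD5"
```

Check all three published digests rather than MD5 alone: MD5 and SHA1 are no longer collision resistant, so the SHA256 value is the one that actually carries the assurance, and a mismatch on any of them means the file should not be imported.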
DISCLAIMER AND COPYRIGHT
Copyright © 2021 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.