This update package improves the detection capabilities of the Forcepoint NGFW system.
| RELEASE DATE: | Thursday August 05, 2021 |
| MD5 CHECKSUM: | 8919e3256c57b599feff76655e5b53a0 |
| SHA1 CHECKSUM: | 67624f76ec302ac56408e955f8795acd3f2ee16e |
| SHA256 CHECKSUM: | 50b117d814a25bc9feb96a5a82fe06ab6f0aa2250a8c8061530491fb51f85199 |
UPDATE CRITICALITY: HIGH
MINIMUM SOFTWARE VERSIONS
| - Forcepoint NGFW Security Management Center: | 6.5.1.10631 |
| - Forcepoint NGFW: | 6.3.1.19034 |
List of detected attacks in this update package:
Jump to: Detected Attacks Other Changes
DETECTED ATTACKS
New detected attacks:
HTTP Normalized Request-Line
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|
| High |
Advantech-Iview-Setdeviceauthentication-SQL-Injection |
CVE-2021-32932 |
HTTP_CRL-Advantech-Iview-Setdeviceauthentication-SQL-Injection |
Suspected Compromise |
| High |
Dasan-GPON-Router-Command-Injection |
CVE-2018-10562 |
HTTP_CRL-Dasan-GPON-Router-Command-Injection |
Suspected Compromise |
TLS Server Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|
| High |
Orcus-RAT-Infection-Traffic |
No CVE/CAN |
TLS_SS-Orcus-RAT-Infection-Traffic |
Suspected Botnet |
TLS SNI Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|
| High |
Orcus-RAT-Infection-Traffic |
No CVE/CAN |
TLS-SNI_Orcus-RAT-Infection-Traffic |
Suspected Botnet |
Updated detected attacks:
HTTP Client Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
|---|
| High |
Novell-Sentinel-Log-Manager-Retention-Policy-Security-Restriction-Bypass |
No CVE/CAN |
HTTP_CS-Novell-Sentinel-Log-Manager-Retention-Policy-Security-Restriction-Bypass |
Suspected Compromise |
| Fingerprint regexp changed |
|
| High |
Phpmyadmin-Tbl_replace.php-Local-File-Inclusion |
CVE-2018-19968 |
HTTP_CS-Phpmyadmin-Tbl_replace.php-Local-File-Inclusion |
Suspected Compromise |
| Fingerprint regexp changed |
|
| High |
Vidar-Malware-Infection-Traffic |
No CVE/CAN |
HTTP_CS-Vidar-Malware-Infection-Traffic |
Suspected Botnet |
| Fingerprint regexp changed |
|
| High |
HuntBar |
No CVE/CAN |
HTTP_CS-HuntBar-SiteReview |
Spyware, Malware and Adware |
| Fingerprint regexp changed |
|
| Low |
AOL-Instant-Messenger-Usage |
No CVE/CAN |
HTTP_CS-AOL-Instant-Messenger-Usage |
Instant Messaging |
| Fingerprint regexp changed |
|
HTTP Request Header Line
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
|---|
| High |
Red-Hat-Directory-Server-Accept-Language-Parsing-Buffer-Overflow |
CVE-2008-2928 |
HTTP_CSH-Red-Hat-Directory-Server-Accept-Language-Parsing-Buffer-Overflow |
Suspected Compromise |
| Fingerprint regexp changed |
|
| Low |
HTTP-Browser-Usage |
No CVE/CAN |
HTTP_CSH-Windows-WebDAV-Access |
Possibly Unwanted Content |
| Fingerprint regexp changed |
|
| Critical |
Php-Nuke-Referer-SQL-Injection |
CVE-2007-1061 |
HTTP_CSH-SQL-Injection-In-Referer-Header-Field |
Compromise |
| Fingerprint regexp changed |
|
HTTP Normalized Request-Line
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
|---|
| High |
ThinkPHP-RCE-Vulnerability-CVE-2018-20062 |
CVE-2018-20062 |
HTTP_CRL-ThinkPHP-RCE-Vulnerability-CVE-2018-20062 |
Suspected Compromise |
| Fingerprint regexp changed |
|
| High |
Apache-Solr-Xmlparser-XML-External-Entity-Expansion-Remote-Code-Execution |
CVE-2017-12629 |
HTTP_CRL-Apache-Solr-Xmlparser-XML-External-Entity-Expansion-Remote-Code-Execution |
Suspected Compromise |
| Fingerprint regexp changed |
|
| High |
Imperva-SecureSphere-Pws-Command-Injection |
No CVE/CAN |
HTTP_CRL-Imperva-SecureSphere-Pws-Command-Injection |
Suspected Compromise |
| Fingerprint regexp changed |
|
Text File Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description |
|---|
| High |
Omron-Cx-One-Cx-Position-Cdmapi32-Stack-Based-Buffer-Overflow |
CVE-2018-18993 |
File-Text_Omron-Cx-One-Cx-Position-Cdmapi32-Stack-Based-Buffer-Overflow |
Suspected Compromise |
| Fingerprint regexp changed |
|
| High |
Mozilla-Firefox-And-Thunderbird-Sensor.dll-Insecure-Library-Loading |
CVE-2011-2980 |
File-Text_Mozilla-Firefox-And-Thunderbird-Sensor.dll-Insecure-Library-Loading |
Potential Compromise |
| Fingerprint regexp changed |
|
LIST OF OTHER CHANGES:
New objects:
| Type | Name |
|---|
| Category | Dasan GPON |
| IPList | Microsoft Azure datacenter for brazilne |
| IPList | Microsoft Azure datacenter for easteurope |
| IPList | Microsoft Azure datacenter for northeurope2 |
| Situation | HTTP_SHS-Suspicious-Partial-Data-Request-From-Server |
| Situation | File-Text_Suspicious-Rfc822-Response-From-Server |
| Application | OneTrust |
| Application | Google-Workspace |
| Element Ref | 135 |
| Element Ref | 139 |
| Element Ref | 141 |
| Element Ref | 143 |
| Element Ref | 145 |
| Element Ref | 147 |
| Element Ref | 149 |
| Element Ref | 151 |
| Element Ref | 153 |
| Element Ref | 155 |
| Element Ref | 157 |
| Element Ref | 159 |
| Element Ref | 161 |
| Element Ref | 163 |
| Element Ref | 165 |
Updated objects:
| Type | Name | Changes |
|---|
| IPList | Rwanda |
|
| IPList | Somalia |
|
| IPList | Yemen |
|
| IPList | Iraq |
|
| IPList | Saudi Arabia |
|
| IPList | Iran |
|
| IPList | Cyprus |
|
| IPList | Tanzania |
|
| IPList | Syria |
|
| IPList | Armenia |
|
| IPList | Kenya |
|
| IPList | DR Congo |
|
| IPList | Djibouti |
|
| IPList | Uganda |
|
| IPList | Central African Republic |
|
| IPList | Seychelles |
|
| IPList | Jordan |
|
| IPList | Lebanon |
|
| IPList | Kuwait |
|
| IPList | Oman |
|
| IPList | Qatar |
|
| IPList | Bahrain |
|
| IPList | United Arab Emirates |
|
| IPList | Israel |
|
| IPList | Turkey |
|
| IPList | Ethiopia |
|
| IPList | Eritrea |
|
| IPList | Egypt |
|
| IPList | Sudan |
|
| IPList | Greece |
|
| IPList | Burundi |
|
| IPList | Estonia |
|
| IPList | Latvia |
|
| IPList | Azerbaijan |
|
| IPList | Lithuania |
|
| IPList | Georgia |
|
| IPList | Moldova |
|
| IPList | Belarus |
|
| IPList | Finland |
|
| IPList | Åland |
|
| IPList | Ukraine |
|
| IPList | North Macedonia |
|
| IPList | Hungary |
|
| IPList | Bulgaria |
|
| IPList | Albania |
|
| IPList | Poland |
|
| IPList | Romania |
|
| IPList | Kosovo |
|
| IPList | Zimbabwe |
|
| IPList | Zambia |
|
| IPList | Comoros |
|
| IPList | Malawi |
|
| IPList | Lesotho |
|
| IPList | Botswana |
|
| IPList | Mauritius |
|
| IPList | Eswatini |
|
| IPList | Réunion |
|
| IPList | South Africa |
|
| IPList | Mayotte |
|
| IPList | Mozambique |
|
| IPList | Madagascar |
|
| IPList | Afghanistan |
|
| IPList | Pakistan |
|
| IPList | Bangladesh |
|
| IPList | Turkmenistan |
|
| IPList | Tajikistan |
|
| IPList | Sri Lanka |
|
| IPList | Bhutan |
|
| IPList | India |
|
| IPList | Maldives |
|
| IPList | British Indian Ocean Territory |
|
| IPList | Nepal |
|
| IPList | Myanmar |
|
| IPList | Uzbekistan |
|
| IPList | Kazakhstan |
|
| IPList | Kyrgyzstan |
|
| IPList | Palau |
|
| IPList | Vietnam |
|
| IPList | Thailand |
|
| IPList | Indonesia |
|
| IPList | Laos |
|
| IPList | Taiwan |
|
| IPList | Philippines |
|
| IPList | Malaysia |
|
| IPList | China |
|
| IPList | Hong Kong |
|
| IPList | Brunei |
|
| IPList | Macao |
|
| IPList | Cambodia |
|
| IPList | South Korea |
|
| IPList | Japan |
|
| IPList | North Korea |
|
| IPList | Singapore |
|
| IPList | Cook Islands |
|
| IPList | East Timor |
|
| IPList | Russia |
|
| IPList | Mongolia |
|
| IPList | Australia |
|
| IPList | Marshall Islands |
|
| IPList | Federated States of Micronesia |
|
| IPList | Papua New Guinea |
|
| IPList | Solomon Islands |
|
| IPList | Tuvalu |
|
| IPList | Nauru |
|
| IPList | Vanuatu |
|
| IPList | New Caledonia |
|
| IPList | Norfolk Island |
|
| IPList | New Zealand |
|
| IPList | Fiji |
|
| IPList | Libya |
|
| IPList | Cameroon |
|
| IPList | Senegal |
|
| IPList | Congo Republic |
|
| IPList | Portugal |
|
| IPList | Liberia |
|
| IPList | Ivory Coast |
|
| IPList | Ghana |
|
| IPList | Equatorial Guinea |
|
| IPList | Nigeria |
|
| IPList | Burkina Faso |
|
| IPList | Togo |
|
| IPList | Guinea-Bissau |
|
| IPList | Mauritania |
|
| IPList | Benin |
|
| IPList | Gabon |
|
| IPList | Sierra Leone |
|
| IPList | São Tomé and Príncipe |
|
| IPList | Gibraltar |
|
| IPList | Gambia |
|
| IPList | Guinea |
|
| IPList | Chad |
|
| IPList | Niger |
|
| IPList | Mali |
|
| IPList | Tunisia |
|
| IPList | Spain |
|
| IPList | Morocco |
|
| IPList | Malta |
|
| IPList | Algeria |
|
| IPList | Faroe Islands |
|
| IPList | Denmark |
|
| IPList | Iceland |
|
| IPList | United Kingdom |
|
| IPList | Switzerland |
|
| IPList | Sweden |
|
| IPList | Netherlands |
|
| IPList | Austria |
|
| IPList | Belgium |
|
| IPList | Germany |
|
| IPList | Luxembourg |
|
| IPList | Ireland |
|
| IPList | Principality of Monaco |
|
| IPList | France |
|
| IPList | Liechtenstein |
|
| IPList | Jersey |
|
| IPList | Isle of Man |
|
| IPList | Guernsey |
|
| IPList | Slovakia |
|
| IPList | Czechia |
|
| IPList | Norway |
|
| IPList | Italy |
|
| IPList | Slovenia |
|
| IPList | Montenegro |
|
| IPList | Croatia |
|
| IPList | Bosnia and Herzegovina |
|
| IPList | Angola |
|
| IPList | Namibia |
|
| IPList | Cabo Verde |
|
| IPList | Guyana |
|
| IPList | French Guiana |
|
| IPList | Suriname |
|
| IPList | Saint Pierre and Miquelon |
|
| IPList | Greenland |
|
| IPList | Paraguay |
|
| IPList | Uruguay |
|
| IPList | Brazil |
|
| IPList | Jamaica |
|
| IPList | Dominican Republic |
|
| IPList | Cuba |
|
| IPList | Martinique |
|
| IPList | Bahamas |
|
| IPList | Bermuda |
|
| IPList | Trinidad and Tobago |
|
| IPList | St Kitts and Nevis |
|
| IPList | Dominica |
|
| IPList | Antigua and Barbuda |
|
| IPList | Turks and Caicos Islands |
|
| IPList | Aruba |
|
| IPList | British Virgin Islands |
|
| IPList | Saint Vincent and the Grenadines |
|
| IPList | Montserrat |
|
| IPList | Saint Martin |
|
| IPList | Saint Barthélemy |
|
| IPList | Guadeloupe |
|
| IPList | Grenada |
|
| IPList | Cayman Islands |
|
| IPList | Belize |
|
| IPList | El Salvador |
|
| IPList | Guatemala |
|
| IPList | Honduras |
|
| IPList | Nicaragua |
|
| IPList | Costa Rica |
|
| IPList | Venezuela |
|
| IPList | Ecuador |
|
| IPList | Colombia |
|
| IPList | Panama |
|
| IPList | Haiti |
|
| IPList | Argentina |
|
| IPList | Chile |
|
| IPList | Bolivia |
|
| IPList | Peru |
|
| IPList | Mexico |
|
| IPList | French Polynesia |
|
| IPList | Kiribati |
|
| IPList | Tonga |
|
| IPList | Wallis and Futuna |
|
| IPList | Samoa |
|
| IPList | Niue |
|
| IPList | Northern Mariana Islands |
|
| IPList | Guam |
|
| IPList | Puerto Rico |
|
| IPList | U.S. Virgin Islands |
|
| IPList | American Samoa |
|
| IPList | Canada |
|
| IPList | United States |
|
| IPList | Palestine |
|
| IPList | Serbia |
|
| IPList | South Sudan |
|
| IPList | TOR exit nodes IP Address List |
|
| IPList | Amazon AMAZON |
|
| IPList | Spotify |
|
| IPList | Amazon S3 |
|
| IPList | Amazon EC2 |
|
| IPList | Akamai Servers |
|
| IPList | TOR relay nodes IP Address List |
|
| IPList | Amazon GLOBALACCELERATOR |
|
| IPList | Botnet IP Address List |
|
| IPList | Malicious Site IP Address List |
|
| IPList | Amazon AMAZON ap-southeast-1 |
|
| IPList | Amazon EC2 ap-southeast-1 |
|
| IPList | Amazon AMAZON eu-west-2 |
|
| IPList | Amazon EC2 eu-west-2 |
|
| IPList | Amazon AMAZON us-east-1 |
|
| IPList | Amazon EC2 us-east-1 |
|
| IPList | Amazon AMAZON us-east-2 |
|
| IPList | Amazon S3 us-east-2 |
|
| IPList | Amazon AMAZON us-west-1 |
|
| Situation | HTTP_CS-Breakingpoint-Generated-HTTP-Request-Message |
|
| Situation | HTTP_CSH-Shared-Variables |
| Fingerprint regexp changed |
|
| Situation | HTTP_CS-Shared-Variables-For-Client-Stream-Context |
| Fingerprint regexp changed |
|
HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE
- Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
- In the Management Client, select Menu > File > Import > Import Update Packages.
- Browse to the file, select it, then click Import.
- Select Configuration, then browse to Administration > Other Elements > Updates.
- Right-click the imported dynamic update package, then select Activate.
- When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
DISCLAIMER AND COPYRIGHT
Copyright © 2021 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.