Release notes for update package 1394-5242

Rolling DFA upgrades

Starting from dynamic update 1393, the handling of situations that appear in multiple contexts is improved. To avoid the same traffic data being matched against multiple DFAs, all DFAs are being modified. When a large number of DFAs changes at the same time, the temporary memory requirement during a policy installation or refresh increases. To avoid running out of available memory on low-end NGFW appliances, these DFA changes are implemented gradually over the course of 10 dynamic update packages. With low-end NGFW appliances, especially N110 and N115, it is recommended to upgrade to NGFW version 6.8.2 or higher, which handles the new policy better when there is not enough memory for both the old and the new policy. A large number of DFAs might still change at the same time if there is a large gap between activating dynamic update packages and the subsequent policy refresh.

See knowledge base article 18570.

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday October 11, 2021
MD5 CHECKSUM:    0a3ee204750bad9f83b05525828eed58
SHA1 CHECKSUM:    e6d0534489ada9d480649b0158dae7e47b80ddd7
SHA256 CHECKSUM:    cc7e75efc5819bd1229d355041bc5a36d8ff5a192348137f79493e85f6bff42d

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.3.1.19034

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Metasploit shellcode detection | No CVE/CAN | Shellcode-Encoder
High | Malicious KiXtart Script infection traffic detected | No CVE/CAN | Malicious-KiXtart-Script-Infection-Traffic
High | An attempt to exploit a vulnerability in Schneider Electric Struxureware Data Center Expert detected | CVE-2021-22795 | Schneider-Electric-Struxureware-Data-Center-Expert-Command-Injection
High | An attempt to exploit a vulnerability in Zoho Corporation ManageEngine OpManager detected | CVE-2021-41288 | Zoho-Manageengine-Opmanager-Getreportdata-SQL-Injection
High | An attempt to exploit a vulnerability in Delta Electronics DIAEnergie detected | CVE-2021-38390 | Delta-Industrial-Automation-Diaenergie-Handlerenergytype.aspx-SQL-Injection


DETECTED ATTACKS

New detected attacks:

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Malicious-KiXtart-Script-Infection-Traffic | No CVE/CAN | HTTP_CSU-Malicious-KiXtart-Script-Infection-Traffic | Suspected Botnet

ANY Common Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Payload-Windows-x64-Messagebox | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Payload-Windows-X86-Format-All-Drives | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Payload-Windows-X86-Messagebox | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Payload-Windows-X86-Shell-Bind-TCP-Xpfw | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Payload-Windows-X86-Speak-Pwned | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-Armle-Bind-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-Armle-Reverse-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-x64-Bind-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-x64-Reverse-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-X86-Bind-Nonx-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-X86-Bind-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-X86-Find-Tag | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-X86-Reverse-IPv6-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-X86-Reverse-Nonx-TCP | Suspected Compromise
High | Shellcode-Encoder | No CVE/CAN | Common_Metasploit-Stager-Linux-X86-Reverse-TCP | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Schneider-Electric-Struxureware-Data-Center-Expert-Command-Injection | CVE-2021-22795 | HTTP_CRL-Schneider-Electric-Struxureware-Data-Center-Expert-Command-Injection | Suspected Compromise
High | Zoho-Manageengine-Opmanager-Getreportdata-SQL-Injection | CVE-2021-41288 | HTTP_CRL-Zoho-Manageengine-Opmanager-Getreportdata-SQL-Injection | Suspected Compromise
High | Delta-Industrial-Automation-Diaenergie-Handlerenergytype.aspx-SQL-Injection | CVE-2021-38390 | HTTP_CRL-Delta-Industrial-Automation-Diaenergie-Handlerenergytype.aspx-SQL-Injection | Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | HP-Data-Protector-Multiple-Products-Finishedcopy-SQL-Injection | CVE-2011-3162 | HTTP_CS-HP-Data-Protector-Multiple-Products-Finishedcopy-SQL-Injection | Suspected Compromise | Fingerprint regexp changed
High | HP-Data-Protector-Multiple-Products-Requestcopy-SQL-Injection | CVE-2011-3158 | HTTP_CS-HP-Data-Protector-Multiple-Products-Requestcopy-SQL-Injection | Suspected Compromise | Fingerprint regexp changed
High | HP-Data-Protector-Multiple-Products-LogClientInstallation-SQL-Injection | CVE-2011-3156 | HTTP_CS-HP-Data-Protector-Multiple-Products-LogClientInstallation-SQL-Injection | Suspected Compromise | Fingerprint regexp changed
High | SAP-Netweaver-Information-Disclosure | CVE-2013-3319 | HTTP_CS-SAP-Netweaver-Information-Disclosure | Suspected Compromise | Fingerprint regexp changed
High | MirrorBlast-Malware-Infection-Traffic | No CVE/CAN | HTTP_CS-MirrorBlast-Malware-Infection-Traffic | Suspected Botnet | Fingerprint regexp changed

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Apache-HTTP-Server-Path-Traversal-CVE-2021-41773 | CVE-2021-41773 | HTTP_CSU-Apache-HTTP-Server-Path-Traversal-CVE-2021-41773 | Suspected Compromise | Description has changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | RevCode-RAT-C2-Traffic | No CVE/CAN | HTTP_CRL-RevCode-RAT-C2-Traffic | Suspected Botnet | Fingerprint regexp changed

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Microsoft-MSHTML-CVE-2021-40444-Remote-Code-Execution | CVE-2021-40444 | File-TextId_Microsoft-MSHTML-CVE-2021-40444-Remote-Code-Execution | Suspected Compromise | Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Schneider Electric Struxureware Data Center Expert
IPList | Microsoft Azure service for PowerPlatformInfra

Updated objects:

Type | Name | Changes
Situation | URLList 2855526 | Detection mechanism updated
Situation | URLList for LogicBox-CRM | Detection mechanism updated
Situation | URLList for RumbleTalk | Detection mechanism updated
Situation | URLList for Pastel-My-Business-Online | Detection mechanism updated
Situation | URLList for Intrix-Project | Detection mechanism updated
Situation | URLList for Connect2Field---Job-Management-Software | Detection mechanism updated
Situation | URLList for BillQuick | Detection mechanism updated
Situation | URLList for Gem-Accounts | Detection mechanism updated
Situation | URLList for Twinfield-Online-Accounting | Detection mechanism updated
Situation | URLList for Purchase-Control | Detection mechanism updated
IPList | Amazon AMAZON |
IPList | Amazon S3 |
IPList | Amazon EC2 |
IPList | TOR relay nodes IP Address List |
IPList | Microsoft Azure datacenter for centralus |
IPList | Microsoft Azure datacenter for eastus2 |
IPList | Microsoft Azure datacenter for japaneast |
IPList | Microsoft Azure datacenter for southcentralus |
IPList | Microsoft Azure datacenter for southeastasia |
IPList | Microsoft Azure datacenter for uksouth |
IPList | Microsoft Azure datacenter for ukwest |
IPList | Microsoft Azure datacenter for westus |
IPList | Microsoft Azure datacenter |
IPList | Zscaler IP Address List |
IPList | Amazon AMAZON ap-south-2 |
IPList | Amazon EC2 ap-south-2 |
IPList | Amazon AMAZON ap-northeast-1 |
IPList | Amazon EC2 me-central-1 |
IPList | Amazon AMAZON me-central-1 |
IPList | Amazon S3 ap-northeast-1 |
IPList | Amazon AMAZON eu-central-2 |
IPList | Amazon EC2 eu-central-2 |
IPList | Botnet IP Address List |
IPList | Malicious Site IP Address List |
IPList | Amazon AMAZON ap-southeast-1 |
IPList | Amazon S3 ap-southeast-1 |
IPList | Amazon AMAZON eu-west-2 |
IPList | Amazon AMAZON us-east-1 |
IPList | Amazon EC2 us-east-1 |
IPList | Amazon AMAZON us-west-1 |
IPList | Amazon S3 us-west-1 |
IPList | Microsoft Azure datacenter for southafricanorth |
IPList | Microsoft Azure service for AzureCloud |
IPList | Microsoft Azure service for AzureMonitor |
IPList | Microsoft Azure service for Sql |
IPList | Microsoft Azure datacenter for westus3 |
IPList | Amazon EC2 ap-southeast-4 |
IPList | Amazon AMAZON ap-southeast-4 |
Situation | HTTP_CSU-Shared-Variables |
Application | Yonyx-Interactive-Guides | Description has changed
Application | SwiftKanban | Description has changed
Application | PanTerra | Description has changed
Application | MSK-Digital-ID | Description has changed
Application | SupeRep | Description has changed
Application | xRP | Description has changed
Application | Appforma-Always-Marketing | Description has changed
Application | Accumulus-Subscription-and-Usage-Billing | Description has changed
Application | Comarch-Loyalty-Management | Description has changed
Application | CollabSpot | Description has changed
Application | EazeWork | Description has changed
Application | KumoTeam | Description has changed
Application | GroupDocs-Document-Manipulation-APIs | Description has changed
Application | VBVoice | Description has changed
Application | ETran | Description has changed
Application | WFMwizard | Description has changed
Application | LEADSExplorer | Description has changed
Application | Apptivo-Financials | Description has changed
Application | RSA-eBusiness | Description has changed
Application | Enterprise-Business-Software | Description has changed

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
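The checksum comparison in step 1, as an added example that is not part of these release notes and not Forcepoint's own tooling: a POSIX shell script that checks a downloaded file against the MD5, SHA1 and SHA256 values published above, and reports every mismatching digest rather than stopping at the first. The package filename passed on the command line is a placeholder; the script assumes coreutils `md5sum`/`sha1sum`/`sha256sum` or, failing those, `openssl` on PATH. Checking all three digests means a single corrupted or substituted file cannot pass by matching only the weakest one.

```shell
#!/bin/sh
# Verify a downloaded dynamic update package against the checksums published
# in the release notes. Added example, not Forcepoint tooling.

# Checksums published for update package 1394-5242 (copied from the release notes).
EXPECTED_MD5="0a3ee204750bad9f83b05525828eed58"
EXPECTED_SHA1="e6d0534489ada9d480649b0158dae7e47b80ddd7"
EXPECTED_SHA256="cc7e75efc5819bd1229d355041bc5a36d8ff5a192348137f79493e85f6bff42d"

# digest <algo> <file>: print the lower-case hex digest of <file>.
# Prefers coreutils md5sum/sha1sum/sha256sum, falls back to openssl dgst.
digest() {
    algo="$1"; file="$2"
    case "$algo" in
        md5)    tool=md5sum ;;
        sha1)   tool=sha1sum ;;
        sha256) tool=sha256sum ;;
        *) echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$file" | awk '{print $1}'
    else
        openssl dgst -"$algo" "$file" | awk '{print $NF}'
    fi
}

# check_one <algo> <file> <expected>: 0 on match, 1 on mismatch, 2 on error.
# The published value is lower-cased so upper-case hex in the notes still matches.
check_one() {
    algo="$1"; file="$2"; expected="$3"
    actual=$(digest "$algo" "$file") || return 2
    expected_lc=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected_lc" ]; then
        echo "OK       $algo  $file"
        return 0
    fi
    echo "MISMATCH $algo  $file"
    echo "  expected: $expected_lc"
    echo "  actual:   $actual"
    return 1
}

# verify_package <file> <md5> <sha1> <sha256>: runs all three checks and
# returns the number of failing digests, so an exit status of 0 means the
# file matches every published checksum and is safe to import.
verify_package() {
    file="$1"
    failures=0
    check_one md5    "$file" "$2" || failures=$((failures + 1))
    check_one sha1   "$file" "$3" || failures=$((failures + 1))
    check_one sha256 "$file" "$4" || failures=$((failures + 1))
    return "$failures"
}

# Usage: sh verify-update.sh <downloaded package file>   (placeholder filename)
if [ -n "${1:-}" ]; then
    verify_package "$1" "$EXPECTED_MD5" "$EXPECTED_SHA1" "$EXPECTED_SHA256"
fi
```

Run it against the downloaded package before importing it in the Management Client; a non-zero exit status means at least one digest did not match and the file should be downloaded again rather than imported.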

DISCLAIMER AND COPYRIGHT

Copyright © 2021 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.