Release notes for update package 1429-5242

Rolling DFA upgrades

Starting from dynamic update 1393, the handling of situations that appear in multiple contexts is improved. To avoid matching the same traffic data against several DFAs, all DFAs are being modified. When a large number of DFAs change at the same time, the temporary memory requirement during a policy installation or refresh increases, because the engine must hold both the old and the new policy in memory until the new one is active. To avoid running out of memory on low-end NGFW appliances, these DFA changes are rolled out gradually over the course of 10 dynamic update packages. On low-end NGFW appliances, especially the N110 and N115, it is recommended to upgrade to NGFW version 6.8.2 or higher, which handles the new policy better when there is not enough memory for both the old and the new policy. Note that a large number of DFAs can still change at the same time if there is a large gap between activating dynamic update packages and the subsequent policy refresh, since the accumulated changes from all packages activated in between are then applied in a single refresh.

See knowledge base article 18570.

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday January 27, 2022
MD5 CHECKSUM:    360a1762b909755148167baf2a26242d
SHA1 CHECKSUM:    133339a1242b0ae3484b79009afd2f97b821e3e3
SHA256 CHECKSUM:    afdb52123bdf4c76d7c8f783a652c79383340e7e40cbd15fe1e2062a4eafea99

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.3.1.19034

List of detected attacks in this update package:

Risk level    Description    Reference    Vulnerability
High    An attempt to exploit a vulnerability in SonicWall detected    CVE-2021-20038    SonicWall-Remote-Code-Execution-CVE-2021-20038
High    An attempt to exploit a vulnerability in October CMS detected    CVE-2021-32648    October-CMS-Unauthorized-Password-Change-CVE-2021-32648
High    An attempt to exploit a vulnerability in Commvault CommCell detected    CVE-2021-34995    Commvault-Commcell-Downloadcenteruploadhandler-Arbitrary-File-Upload
High    An attempt to exploit a vulnerability in H2 Database Project H2 Database detected    CVE-2021-42392    H2-Database-Console-Jdbcutils-JNDI-Injection
High    An attempt to exploit a vulnerability in Ivanti Avalanche detected    CVE-2021-42132    Ivanti-Avalanche-Printerdeviceserver-Service-Command-Injection
High    An attempt to exploit a vulnerability in Lighttpd Project Lighttpd detected    CVE-2022-22707    Lighttpd-Mod_Extforward-Plugin-Mod_extforward_Forwarded-Denial-Of-Service
High    An attempt to exploit a vulnerability in Commvault CommCell detected    CVE-2021-34995    Commvault-Commcell-Downloadcenteruploadhandler-Arbitrary-File-Upload
Low    Decimal encoded JavaScript detected    No CVE/CAN    JavaScript-Obfuscation


DETECTED ATTACKS

New detected attacks:

TCP Client Stream Unknown

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Ivanti-Avalanche-Printerdeviceserver-Service-Command-Injection    CVE-2021-42132    Generic_CS-Ivanti-Avalanche-Printerdeviceserver-Service-Command-Injection    Suspected Compromise

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    SonicWall-Remote-Code-Execution-CVE-2021-20038    CVE-2021-20038    HTTP_CSU-SonicWall-Remote-Code-Execution-CVE-2021-20038    Suspected Compromise

HTTP Request Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Lighttpd-Mod_Extforward-Plugin-Mod_extforward_Forwarded-Denial-Of-Service    CVE-2022-22707    HTTP_CSH-Lighttpd-Mod_Extforward-Plugin-Mod_extforward_Forwarded-Denial-Of-Service    Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Commvault-Commcell-Downloadcenteruploadhandler-Arbitrary-File-Upload    CVE-2021-34995    HTTP_CRL-Commvault-Commcell-Downloadcenteruploadhandler-Arbitrary-File-Upload    Suspected Compromise
High    H2-Database-Console-Jdbcutils-JNDI-Injection    CVE-2021-42392    HTTP_CRL-H2-Database-Console-Jdbcutils-JNDI-Injection    Suspected Compromise

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
Low    JavaScript-Obfuscation    No CVE/CAN    File-Text_Decimal-Encoded-JavaScript-2    Possibly Unwanted Content
High    October-CMS-Unauthorized-Password-Change-CVE-2021-32648    CVE-2021-32648    File-Text_October-CMS-Unauthorized-Password-Change-CVE-2021-32648    Suspected Compromise

Identified Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Commvault-Commcell-Downloadcenteruploadhandler-Arbitrary-File-Upload    CVE-2021-34995    File-TextId_Commvault-Commcell-Downloadcenteruploadhandler-Arbitrary-File-Upload    Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Critical    Log4j-Remote-Code-Execution    CVE-2021-44228    HTTP_CS_Log4j-Remote-Code-Execution-Evasion    Suspected Compromise
    Fingerprint regexp changed

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Grafana-HS-Pluginmarkdown-Directory-Traversal    CVE-2021-43813    HTTP_CSU-Grafana-HS-Pluginmarkdown-Directory-Traversal    Suspected Compromise
    Description has changed

HTTP Request Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    HTTP_Protocol_Stack_Remote_Code_Execution_Vulnerability_CVE-2022-21907    CVE-2022-21907    HTTP_CRH-HTTP_Protocol_Stack_Remote_Code_Execution_Vulnerability_CVE-2021-31166    Suspected Compromise
    Description has changed
    Category tag group MS2022-01 added
    Category tag group CVE2022 added
High    HTTP_Protocol_Stack_Remote_Code_Execution_Vulnerability_CVE-2022-21907    CVE-2022-21907    HTTP_CRH-Microsoft-IIS-HTTP-Protocol-Stack-Remote-Code-Execution    Suspected Compromise
    Description has changed
    Category tag group MS2022-01 added
    Category tag group CVE2022 added

IP Option Detection

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Low    VxWorks-Stack-Overflow-Vulnerability-CVE-2019-12256    CVE-2019-12256    IP Option Loose Source Route    Malicious Routing
    Description has changed
Low    VxWorks-Stack-Overflow-Vulnerability-CVE-2019-12256    CVE-2019-12256    IP Option Strict Source Route    Malicious Routing
    Description has changed

UDP without parameters

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Low    Samba-Nmbd-Sys_recvfrom-Infinite-Loop-Denial-Of-Service    CVE-2014-0244    UDP_Checksum-Mismatch    Invalid Packet
    Description has changed

TCP without parameters

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Low    TCP_Linux-Kernel-Firewall-Logging-Denial-Of-Service    CVE-2004-0816    TCP_Header-Length-Error    Invalid Packet
    Description has changed
Low    FreeBSD-TCP-Reassembly-Denial-Of-Service    CVE-2014-3000    TCP_Segment-Invalid    Probe
    Description has changed

IP without parameters

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Moderate    ICMP-Microsoft-Windows-Kernel-ICMP-Fragmented-Packet-DOS    CVE-2007-0066    IP_Fragment-Invalid-Size    Invalid Packet
    Description has changed
Moderate    Microsoft-Windows-IP-Validation-Vulnerability    CVE-2005-0048    IP_Option-Too-Long    Compromise
    Description has changed
Low    Red-Hat-Netkvm-Virtio-Win-GetXxpHeaderAndPayloadLen-Integer-Underflow    CVE-2015-3215    IP_Length-Total-Error    Invalid Packet
    Description has changed
Low    Microsoft-Windows-IPv6-Router-Advertisement-Stack-Buffer-Overflow    CVE-2010-0239    IP_Length-Inconsistency    Protocol Violations
    Description has changed
Moderate    Linux-Kernel-IPv6-Netfilter-Nf_CT_frag6_reasm-Null-Pointer-Dereference-DoS    CVE-2012-2744    IP_Fragment-Size-Zero    Invalid Packet
    Description has changed
Low    Microsoft-TCP-IP-Remote-Code-Execution-CVE-2021-24074    CVE-2021-24074    IP_Options-Malformed    Invalid Packet
    Description has changed

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Critical    Log4j-Remote-Code-Execution    CVE-2021-44228    HTTP_CRL-Log4j-Remote-Code-Execution    Suspected Compromise
    Fingerprint regexp changed

Non-ratebased DoS attacks

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Moderate    ICMP-DoS-Jolt-Vulnerability    CVE-1999-0345    DOS_JOLT    Invalid Packet DoS
    Description has changed
Moderate    Windows_Xp_2003_Land_Attack_DoS    CVE-2005-0688    DOS_LAND    Invalid Packet DoS
    Description has changed
Moderate    IP-Nestea-IP-Fragmentation-Denial-Of-Service    CVE-1999-0257    DOS_NESTEA    Invalid Packet DoS
    Description has changed
Moderate    IP-Newtear-IP-Fragmentation-Denial-Of-Service    No CVE/CAN    DOS_NEWTEAR    Invalid Packet DoS
    Description has changed
Moderate    IP-Teardrop-DoS    CVE-1999-0015    DOS_TEARDROP    Invalid Packet DoS
    Description has changed
Moderate    WinNuke-DoS    CVE-1999-0153    DOS_WINNUKE    Inspection
    Description has changed
Moderate    IP-UDP-Saihyousen-Denial-Of-Service    No CVE/CAN    DOS_SAIHYOUSEN    Invalid Packet DoS
    Description has changed
Moderate    IP-Oshare-Bogus-IP-Fragmentation-DoS    CVE-1999-0357    DOS_OSHARE    Invalid Packet DoS
    Description has changed
Moderate    IP-Bonk-IP-Fragmentation-Denial-Of-Service    CVE-1999-0258    DOS_BONK    Invalid Packet DoS
    Description has changed
Moderate    IP-ICMP-1234.c-DoS    No CVE/CAN    DOS_1234    Invalid Packet DoS
    Description has changed

IPv6 without parameters

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Low    Microsoft-TCP-IP-Denial-Of-Service-CVE-2021-24086    CVE-2021-24086    IPv6_Routing-header-type-unknown    Invalid Packet
    Description has changed
Low    Red-Hat-Netkvm-Virtio-Win-GetXxpHeaderAndPayloadLen-Integer-Underflow    CVE-2015-3215    IPv6_Extension-headers-incomplete    Invalid Packet
    Description has changed
Moderate    Microsoft-TCP-IP-Denial-Of-Service-CVE-2021-24086    CVE-2021-24086    IPv6_Option-misaligned    Invalid Packet
    Description has changed
Low    Microsoft-TCP-IP-Remote-Code-Execution-CVE-2021-24094    CVE-2021-24094    IPv6_Atomic-Fragment    Invalid Packet
    Description has changed
Low    Microsoft-TCP-IP-Denial-Of-Service-CVE-2021-24086    CVE-2021-24086    IPv6_Invalid-Type0-Routing-Header    Invalid Packet
    Description has changed

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    JavaScript-Obfuscation    No CVE/CAN    File-Text_Decimal-Encoded-JavaScript    Suspected Attack Related Anomalies
    Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type    Name
Category    H2 Database
Category    MS2022
Category    MS2022-01
Category    CVE2022
Network Element    DNS Google
Network Element    DNS Cloudflare
Network Element    DNS Quad9

Updated objects:

Type    Name    Changes
IPList    TOR exit nodes IP Address List
IPList    Amazon AMAZON
IPList    Amazon S3
IPList    Amazon EC2
IPList    Google Servers
IPList    Amazon CLOUDFRONT
IPList    Akamai Servers
IPList    Microsoft Azure datacenter for canadacentral
IPList    TOR relay nodes IP Address List
IPList    Microsoft Azure datacenter for centralindia
IPList    Microsoft Azure datacenter for eastus2
IPList    Microsoft Azure datacenter for centralfrance
IPList    Microsoft Azure datacenter for northeurope
IPList    Microsoft Azure datacenter for southcentralus
IPList    Microsoft Azure datacenter for southindia
IPList    Microsoft Azure datacenter for westus
IPList    Microsoft Azure datacenter
IPList    Amazon AMAZON ap-south-2
IPList    Botnet IP Address List
IPList    Malicious Site IP Address List
IPList    Amazon AMAZON ap-south-1
IPList    Amazon EC2 ap-south-1
IPList    Amazon AMAZON ap-southeast-2
IPList    Amazon S3 eu-north-1
IPList    Amazon AMAZON eu-west-1
IPList    Amazon AMAZON eu-west-3
IPList    Amazon AMAZON us-east-1
IPList    Amazon S3 us-east-1
IPList    Amazon AMAZON us-east-2
IPList    Amazon AMAZON us-west-2
IPList    Amazon EC2 us-west-2
IPList    Microsoft Azure service for AppConfiguration
IPList    Microsoft Azure service for AppServiceManagement
IPList    Microsoft Azure service for AzureAdvancedThreatProtection
IPList    Microsoft Azure service for AzureBackup
IPList    Microsoft Azure service for AzureCloud
IPList    Microsoft Azure service for AzureContainerRegistry
IPList    Microsoft Azure service for AzureCosmosDB
IPList    Microsoft Azure service for AzureDataExplorerManagement
IPList    Microsoft Azure service for AzureFrontDoor_FirstParty
IPList    Microsoft Azure service for AzureIoTHub
IPList    Microsoft Azure service for AzureKeyVault
IPList    Microsoft Azure service for AzureMachineLearning
IPList    Microsoft Azure service for AzureMonitor
IPList    Microsoft Azure service for AzureMonitor_Core
IPList    Microsoft Azure service for AzureSiteRecovery
IPList    Microsoft Azure service for CognitiveServicesManagement
IPList    Microsoft Azure service for DataFactory
IPList    Microsoft Azure service for DataFactoryManagement
IPList    Microsoft Azure service for EventHub
IPList    Microsoft Azure service for GuestAndHybridManagement
IPList    Microsoft Azure service for LogicApps
IPList    Microsoft Azure service for MicrosoftContainerRegistry
IPList    Microsoft Azure service for ServiceBus
IPList    Microsoft Azure service for ServiceFabric
IPList    Microsoft Azure service for Sql
IPList    Microsoft Azure service for SqlManagement
IPList    Microsoft Azure service for EOPExternalPublishedIPs
IPList    Microsoft Azure datacenter for isrealcentral
IPList    Microsoft Azure datacenter for polandcentral
Report    Inspected Connection Trends by Action (Counters)
Report    Log Trends by Data Type (Counters)
Report    Allowed Traffic Trends by Sender (Counters)
Report    VPN Traffic Trends (Counters)
Report    Packet Drop Trends by Sender (Counters)
Situation    IPv4_Version-Not-4
    Description has changed
Situation    UDP_Packet-Too-Short
    Description has changed
Situation    UDP_Packet-Too-Long
    Description has changed
Situation    UDP_Packet-Length-Inconsistency
    Description has changed
Situation    IP_Checksum-Mismatch
    Description has changed
Situation    IP_Datagram-Fragments-Flags-Conflict
    Description has changed
Situation    IP_Fragments-Size-Conflict
    Description has changed
Situation    IP_Fragment-Offset-Overflow
    Description has changed
Situation    IP_Header-Length-Error
    Description has changed
Situation    IP_Options-Unused
    Description has changed
Situation    IP_Option-Too-Short
    Description has changed
Situation    IP_Addresses-Same
    Description has changed
Situation    IP_Time-To-Live-Zero
    Description has changed
Situation    ICMP_Checksum-Mismatch
    Description has changed
Situation    ICMP_Message-Empty
    Description has changed
Situation    ICMP_Message-Too-Short
    Description has changed
Situation    TCP_Checksum-Mismatch
    Description has changed
Situation    TCP_Option-Invalid
    Description has changed
Situation    TCP_Option-Unknown
    Description has changed
Situation    TCP_Option-Unsupported
    Description has changed
Situation    IP Option Record Route
    Description has changed
Situation    DOS_SYNDROP
    Description has changed
Situation    DOS_LINUX_ICMP
    Description has changed
Situation    GRE_Header-Short
    Description has changed
Situation    GRE-unknown-version
    Description has changed
Situation    GRE_Checksum-Mismatch
    Description has changed
Situation    GRE_Tunnel-Other-Protocol
    Description has changed
Situation    GRE_Keepalive
    Description has changed
Situation    IP-Multicast-Source
    Description has changed
Situation    Tunneling Level Limit Exceeded
    Description has changed
Situation    IPv6_Hop-Limit-Zero
    Description has changed
Situation    IPv6_Version-Not-6
    Description has changed
Situation    ICMP_IP_ver-not-4
    Description has changed
Situation    IPv6_Extension-header-recommended-order-inconsistency
    Description has changed
Situation    IPv6_Routing-header-type-0
    Description has changed
Situation    IPv6_Extension-header-length-inconsistency
    Description has changed
Situation    IPv6_Routing-segments-left-inconsistency
    Description has changed
Situation    IPv6_Option-data-length-incorrect
    Description has changed
Situation    IPv6_Option-not-allowed-in-hop-by-hop-options
    Description has changed
Situation    IPv6_Option-not-allowed-in-destination-options
    Description has changed
Situation    IPv6_Authentication-header-length-incorrect
    Description has changed
Situation    IPv6_Recursive-Fragmentation
    Description has changed
Situation    IPv6_Invalid-Hop-by-Hop-Header-Position
    Description has changed
Situation    IPv6_Reassembled-Payload-Too-Large
    Description has changed
Situation    IPv6_Invalid-Home-Address-Option
    Description has changed
Situation    IPv6_Fragment-Size-Zero
    Description has changed
Situation    IPv6_Invalid-Quick-Start-Option
    Description has changed
Situation    IPv6_Invalid-Mobility-Header
    Description has changed
Situation    IPv6_Mobility-Header-Invalid-Nexthdr
    Description has changed
Situation    IPv6_Mobility-Header-Unknown-Type
    Description has changed
Situation    IPv6_Invalid-Jumbo-Payload-Option
    Description has changed
Situation    IPv6_Invalid-Type2-Routing-Header
    Description has changed
Situation    IPv6_Fragment-Invalid-Size
    Description has changed
Situation    TCP_Segment-SYN-No-Options
    Description has changed
Situation    IP_Fragment-Time-To-Live-Varies
    Description has changed
Situation    IPv6_Loopback-Address
    Description has changed
Situation    IPIP_Header-Short
    Description has changed
Situation    IPIPv6_Header-Short
    Description has changed
Situation    GRE_PPTP-Version
    Description has changed
Situation    ICMPv6_IP_ver-not-6
    Description has changed
Situation    HTTP_CSU-Shared-Variables
Situation    HTTP_SHS-Acceptable-Long-Headers
    Fingerprint regexp changed
Situation    HTTP_CRL-Openemr-Download_Template-Directory-Traversal
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application OpenEMR Development Team OpenEMR removed
    Category tag group CVE2019 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation    HTTP_CRL-rConfig-Compliancepolicies-PHP-SQL-Injection
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application rConfig removed
    Category tag group CVE2020 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then compute the MD5, SHA1 and SHA256 checksums of the downloaded file and make sure that all of them match the values listed at the top of these release notes. Do not import a file whose checksums do not match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
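Step 1 is the only integrity check in the procedure, so it is worth doing consistently rather than by eye. The following POSIX shell script is an added example and is not part of Forcepoint's release notes or tooling: it computes the MD5, SHA1 and SHA256 digests of a downloaded file with the coreutils `md5sum`/`sha1sum`/`sha256sum` commands (falling back to `openssl dgst` when those are not installed) and compares all three against the values published above for package 1429-5242. The script takes the downloaded file's path as its first argument; the file name itself is whatever you saved the package as.

```shell
#!/bin/sh
# Added example (not Forcepoint's code): verify a downloaded dynamic update
# package against the checksums printed in the release notes before importing it.
# The three expected values below are the ones published for package 1429-5242.

EXPECTED_MD5="360a1762b909755148167baf2a26242d"
EXPECTED_SHA1="133339a1242b0ae3484b79009afd2f97b821e3e3"
EXPECTED_SHA256="afdb52123bdf4c76d7c8f783a652c79383340e7e40cbd15fe1e2062a4eafea99"

# digest <md5|sha1|sha256> <file>: print the lowercase hex digest of <file>.
# Prefers coreutils (md5sum, sha1sum, sha256sum); falls back to openssl.
digest() {
    algo="$1"
    file="$2"
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file" | awk '{print $1}'
    else
        # -r prints "<hex> *<file>", so the first field is the digest
        openssl dgst -"$algo" -r "$file" | awk '{print $1}'
    fi | tr 'A-Z' 'a-z'
}

# verify_package <file> <md5> <sha1> <sha256>
# Returns 0 only when all three digests match. Checking every published digest
# is deliberate: a file that matches MD5 but not SHA256 is a red flag, not
# "probably fine", since MD5 collisions are practical and SHA256 ones are not.
verify_package() {
    file="$1"
    want_md5="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    want_sha1="$(printf '%s' "$3" | tr 'A-Z' 'a-z')"
    want_sha256="$(printf '%s' "$4" | tr 'A-Z' 'a-z')"
    if [ ! -f "$file" ]; then
        echo "verify_package: no such file: $file" >&2
        return 2
    fi
    status=0
    for pair in "md5:$want_md5" "sha1:$want_sha1" "sha256:$want_sha256"; do
        algo="${pair%%:*}"
        want="${pair#*:}"
        got="$(digest "$algo" "$file")"
        if [ "$got" = "$want" ]; then
            echo "$algo: OK"
        else
            echo "$algo: MISMATCH (expected $want, got $got)" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage: sh verify_update.sh <downloaded package file>
# Exit status 0 means all three checksums matched and the file can be imported.
if [ -n "$1" ]; then
    verify_package "$1" "$EXPECTED_MD5" "$EXPECTED_SHA1" "$EXPECTED_SHA256"
fi
```

Run it as `sh verify_update.sh /path/to/downloaded-package` and only proceed to step 2 on exit status 0. Because the expected values are embedded from the release notes rather than read from a file shipped next to the package, an attacker who can replace the download cannot also replace the reference checksums.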

DISCLAIMER AND COPYRIGHT

Copyright © 2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.