Release notes for update package 1476-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Wednesday June 08, 2022
MD5 CHECKSUM:    308c1aba33b05f1e4dc18338f7373e66
SHA1 CHECKSUM:    2be3af46410affde035763871f72c43cb10cdc6d
SHA256 CHECKSUM:    2196891327189ed31360d02754b589b791e8421b2abdff52114dca9660aa9a1f

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.3.1.19034

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in KeySight N6854A and N6841A RF detected | CVE-2022-1660 | Keysight-N6854a-And-N6841a-RF-Sensor-Insecure-Deserialization


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Keysight-N6854a-And-N6841a-RF-Sensor-Insecure-Deserialization | CVE-2022-1660 | HTTP_CS-Keysight-N6854a-And-N6841a-RF-Sensor-Insecure-Deserialization | Suspected Compromise

Updated detected attacks:

TCP PPTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Microsoft-Windows-PPTP-CVE-2022-23270 | CVE-2022-23270 | PPTP_Windows-CVE-2022-23270 | Suspected Compromise | Category tag group MS2022-05 added

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Redis-Lua-Sandbox-Escape-CVE-2022-0543 | CVE-2022-0543 | Generic_CS-Redis-Lua-Sandbox-Escape-CVE-2022-0543 | Suspected Compromise | Fingerprint regexp changed

TCP Server Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Microsoft-Windows-NFS-CVE-2022-26937 | CVE-2022-26937 | SunRPC_TCP-Windows-NFS-CVE-2022-26937 | Suspected Compromise | Category tag group MS2022-05 added

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Sitecore-XP-Insecure-Deserialization | CVE-2021-42237 | HTTP_CSU-Sitecore-XP-Insecure-Deserialization | Suspected Compromise | Description has changed; Category tag group CVE2021 added

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
Low | Apache-Byte-Range-Filter-Denial-Of-Service | CVE-2005-2728 | HTTP_CSH-Apache-Byte-Range-Filter-Denial-Of-Service | Potential Denial of Service | Fingerprint regexp changed
High | Apache-Httpd-Range-Header-Field-Memory-Exhaustion | CVE-2011-3192 | HTTP_CSH-Apache-Httpd-Range-Header-Field-Memory-Exhaustion | Potential Compromise | Fingerprint regexp changed
High | Squid-Range-Header-Denial-Of-Service | CVE-2014-3609 | HTTP_CSH-Squid-Range-Header-Denial-Of-Service | Suspected Compromise | Fingerprint regexp changed
High | Oracle-Application-Testing-Suite-Uploadservlet-Filename-Directory-Traversal | CVE-2016-0490 | HTTP_CSH-Oracle-Application-Testing-Suite-Uploadservlet-Filename-Directory-Traversal | Suspected Compromise | Fingerprint regexp changed
High | Squid-Proxy-Range-Header-DoS | CVE-2021-31806 | HTTP_CSH-Squid-Proxy-Range-Header-DoS | Suspected Denial of Service | Fingerprint regexp changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | ocPortal-Arbitrary-File-Inclusion | No CVE/CAN | HTTP_CRL-ocPortal-Arbitrary-File-Inclusion-Vulnerability | Suspected Compromise | Detection mechanism updated
High | PhpFileManager-Cmd-Parameter-Command-Execution | No CVE/CAN | HTTP_CRL-PhpFileManager-Cmd-Parameter-Command-Execution | Suspected Compromise | Fingerprint regexp changed
High | Novell-ZENworks-Mobile-Management-Cross-Site-Scripting | No CVE/CAN | HTTP_CRL-Novell-ZENworks-Mobile-Management-Cross-Site-Scripting | Suspected Compromise | Description has changed; Attacker: connection_destination->connection_source; Victim: connection_source->connection_destination; Fingerprint regexp changed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Malicious-Obfuscation-JavaScript-VBScript-HTML | No CVE/CAN | File-Text_Malicious-Obfuscated-JavaScript-VBScript-Detected | Suspected Attack Related Anomalies | Fingerprint regexp changed
High | Suspicious-MSDT-URI-Scheme-In-HTML | CVE-2022-30190 | File-Text_Suspicious-MSDT-URI-Scheme-In-HTML | Suspected Compromise | Fingerprint regexp changed
High | Windows-VBScript-Engine-Remote-Code-Execution-Vulnerability-CVE-2018-8625 | CVE-2018-8625 | File-Text_Windows-VBScript-Engine-Remote-Code-Execution-Vulnerability-CVE-2018-8625 | Suspected Compromise | Category tag group MS2018-12 added
High | Microsoft-Edge-Scripting-Engine-Memory-Corruption-CVE-2018-8643 | CVE-2018-8643 | File-Text_Microsoft-Intenet-Explorer-Scripting-Engine-Memory-Corruption-CVE-2018-8643 | Suspected Compromise | Category tag group MS2018-12 added
High | Internet-Explorer-Remote-Code-Execution-Vulnerability-CVE-2018-8653 | CVE-2018-8653 | File-Text_Internet-Explorer-Remote-Code-Execution-Vulnerability-CVE-2018-8653 | Suspected Compromise | Category tag group MS2018-12 added
High | Microsoft-Edge-Remote-Code-Execution-CVE-2019-0541 | CVE-2019-0541 | File-Text_Microsoft-Edge-Remote-Code-Execution-CVE-2019-0541 | Potential Compromise | Category tag group MS2019-01 added
High | Microsoft-Edge-Scripting-Engine-Memory-Corruption-CVE-2019-0565 | CVE-2019-0565 | File-Text_Microsoft-Edge-Scripting-Engine-Memory-Corruption-CVE-2019-0565 | Potential Compromise | Category tag group MS2019-01 added
High | Microsoft-Edge-Scripting-Engine-Memory-Corruption-CVE-2019-0568 | CVE-2019-0568 | File-Text_Microsoft-Edge-Scripting-Engine-Memory-Corruption-CVE-2019-0568 | Potential Compromise | Category tag group MS2019-01 added
High | Microsoft-Edge-Scripting-Engine-Memory-Corruption-CVE-2019-0539 | CVE-2019-0539 | File-Text_Microsoft-Edge-Scripting-Engine-Memory-Corruption-CVE-2019-0539 | Potential Compromise | Category tag group MS2019-01 added

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Microsoft-Windows-Devicemetadata-Path-Traversal | No CVE/CAN | File-Binary_Microsoft-Windows-Devicemetadata-Path-Traversal | Potential Compromise | Category tag group MS2019-01 added

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Internet-Explorer-Remote-Code-Execution-Vulnerability-CVE-2018-8619 | CVE-2018-8619 | File-TextId_Internet-Explorer-Remote-Code-Execution-Vulnerability-CVE-2018-8619 | Suspected Compromise | Category tag group MS2018-12 added
High | Microsoft-MSHTML-CVE-2021-40444-Remote-Code-Execution | CVE-2021-40444 | File-TextId_Microsoft-MSHTML-CVE-2021-40444-Remote-Code-Execution | Suspected Compromise | Description has changed

Executable File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Microsoft-Edge-Elevation-of-Privilege-CVE-2019-0566 | CVE-2019-0566 | File-Exe_Microsoft-Edge-Elevation-of-Privilege-CVE-2019-0566 | Potential Compromise | Category tag group MS2019-01 added

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | KeySight N6854A and N6841A RF
Category | MS2018-12
Category | MS2019-01
Category | MS2022-05

Updated objects:

Type | Name | Changes
IPList | Somalia |
IPList | Yemen |
IPList | Iraq |
IPList | Saudi Arabia |
IPList | Iran |
IPList | Cyprus |
IPList | Tanzania |
IPList | Armenia |
IPList | Kenya |
IPList | Uganda |
IPList | Seychelles |
IPList | Jordan |
IPList | Kuwait |
IPList | Oman |
IPList | Qatar |
IPList | Bahrain |
IPList | United Arab Emirates |
IPList | Israel |
IPList | Turkey |
IPList | Egypt |
IPList | Greece |
IPList | Estonia |
IPList | Latvia |
IPList | Lithuania |
IPList | Georgia |
IPList | Moldova |
IPList | Belarus |
IPList | Finland |
IPList | Åland |
IPList | Ukraine |
IPList | North Macedonia |
IPList | Hungary |
IPList | Bulgaria |
IPList | Albania |
IPList | Poland |
IPList | Romania |
IPList | Kosovo |
IPList | Zimbabwe |
IPList | Zambia |
IPList | Botswana |
IPList | Mauritius |
IPList | Réunion |
IPList | South Africa |
IPList | Mayotte |
IPList | Mozambique |
IPList | Madagascar |
IPList | Afghanistan |
IPList | Pakistan |
IPList | Bangladesh |
IPList | Turkmenistan |
IPList | Sri Lanka |
IPList | India |
IPList | Maldives |
IPList | Nepal |
IPList | Myanmar |
IPList | Uzbekistan |
IPList | Kazakhstan |
IPList | Kyrgyzstan |
IPList | Vietnam |
IPList | Thailand |
IPList | Indonesia |
IPList | Taiwan |
IPList | Philippines |
IPList | Malaysia |
IPList | China |
IPList | Hong Kong |
IPList | Brunei |
IPList | Macao |
IPList | Cambodia |
IPList | South Korea |
IPList | Japan |
IPList | Singapore |
IPList | Russia |
IPList | Mongolia |
IPList | Australia |
IPList | Papua New Guinea |
IPList | Vanuatu |
IPList | New Zealand |
IPList | Fiji |
IPList | Libya |
IPList | Cameroon |
IPList | Senegal |
IPList | Portugal |
IPList | Ivory Coast |
IPList | Ghana |
IPList | Nigeria |
IPList | Togo |
IPList | Mauritania |
IPList | Benin |
IPList | Gabon |
IPList | Sierra Leone |
IPList | Gibraltar |
IPList | Chad |
IPList | Tunisia |
IPList | Spain |
IPList | Malta |
IPList | Denmark |
IPList | Iceland |
IPList | United Kingdom |
IPList | Switzerland |
IPList | Sweden |
IPList | Netherlands |
IPList | Austria |
IPList | Belgium |
IPList | Germany |
IPList | Luxembourg |
IPList | Ireland |
IPList | France |
IPList | Liechtenstein |
IPList | Jersey |
IPList | Guernsey |
IPList | Slovakia |
IPList | Czechia |
IPList | Norway |
IPList | Italy |
IPList | Slovenia |
IPList | Croatia |
IPList | Bosnia and Herzegovina |
IPList | Namibia |
IPList | Barbados |
IPList | Cabo Verde |
IPList | French Guiana |
IPList | Paraguay |
IPList | Uruguay |
IPList | Brazil |
IPList | Jamaica |
IPList | Dominican Republic |
IPList | Martinique |
IPList | Bahamas |
IPList | Bermuda |
IPList | St Kitts and Nevis |
IPList | Dominica |
IPList | Antigua and Barbuda |
IPList | Saint Lucia |
IPList | Turks and Caicos Islands |
IPList | Aruba |
IPList | British Virgin Islands |
IPList | Montserrat |
IPList | Saint Martin |
IPList | Saint Barthélemy |
IPList | Guadeloupe |
IPList | Grenada |
IPList | Cayman Islands |
IPList | Belize |
IPList | El Salvador |
IPList | Guatemala |
IPList | Honduras |
IPList | Nicaragua |
IPList | Costa Rica |
IPList | Venezuela |
IPList | Ecuador |
IPList | Colombia |
IPList | Panama |
IPList | Haiti |
IPList | Argentina |
IPList | Chile |
IPList | Bolivia |
IPList | Peru |
IPList | Mexico |
IPList | Samoa |
IPList | Guam |
IPList | Puerto Rico |
IPList | U.S. Virgin Islands |
IPList | Canada |
IPList | United States |
IPList | Serbia |
IPList | Sint Maarten |
IPList | Curaçao |
IPList | TOR exit nodes IP Address List |
IPList | Microsoft Azure datacenter for australiaeast |
IPList | Microsoft Azure datacenter for brazilsouth |
IPList | TOR relay nodes IP Address List |
IPList | Microsoft Azure datacenter for eastasia |
IPList | Microsoft Azure datacenter for eastus2euap |
IPList | Microsoft Azure datacenter for eastus2 |
IPList | Microsoft Azure datacenter for eastus |
IPList | Microsoft Azure datacenter for southcentralus |
IPList | Microsoft Azure datacenter for southindia |
IPList | Microsoft Azure datacenter for westeurope |
IPList | Microsoft Azure datacenter for westus |
IPList | Microsoft Azure datacenter |
IPList | Botnet IP Address List |
IPList | Malicious Site IP Address List |
IPList | Microsoft Azure service for AzureArcInfrastructure |
IPList | Microsoft Azure service for AzureCloud |
IPList | Microsoft Azure service for AzureSignalR |
IPList | Microsoft Azure service for AzureTrafficManager |
IPList | Microsoft Azure service for EventHub |
IPList | Microsoft Azure service for AzureUpdateDelivery |
IPList | Microsoft Azure datacenter for usstagee |
IPList | Microsoft Azure service for EOPExternalPublishedIPs |
IPList | Microsoft Azure datacenter for spaincentral |
Situation | HTTP_CSH-Shared-Variables | Fingerprint regexp changed
Situation | HTTP_CSH-Long-Range-Or-Range-Request-Header | Fingerprint regexp changed
Situation | HTTP_CRL-Shared-Variables | Fingerprint regexp changed

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
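Step 1 asks you to confirm that the checksums of the downloaded file match the published ones before importing it. The script below is an added example of how to automate that check from a POSIX shell; it is not Forcepoint's own tooling. The three expected digests are the ones listed at the top of these release notes for package 1476-5242; the package path in the usage comment is a placeholder, and the script assumes that either the coreutils `md5sum`/`sha1sum`/`sha256sum` tools or `openssl` are installed.

```shell
#!/bin/sh
# Added example (not Forcepoint code): verify a downloaded dynamic update
# package against the digests published in the release notes before import.
# Expected values are the ones listed for update package 1476-5242.
EXPECTED_MD5=308c1aba33b05f1e4dc18338f7373e66
EXPECTED_SHA1=2be3af46410affde035763871f72c43cb10cdc6d
EXPECTED_SHA256=2196891327189ed31360d02754b589b791e8421b2abdff52114dca9660aa9a1f

# digest FILE ALGO: print the lowercase hex digest of FILE using whichever
# tool is available (coreutils *sum first, then openssl dgst).
digest() {
    file=$1
    algo=$2
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -"$algo" "$file" | awk '{print $NF}'
    else
        echo "no tool available to compute $algo" >&2
        return 2
    fi
}

# verify_checksum FILE ALGO EXPECTED: return 0 on match, 1 on mismatch,
# 2 if the digest could not be computed at all.
verify_checksum() {
    actual=$(digest "$1" "$2") || return 2
    # Normalise case so a digest pasted in upper case still compares equal.
    expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "$2 OK       $1"
        return 0
    fi
    echo "$2 MISMATCH $1: expected $expected, got $actual" >&2
    return 1
}

# verify_package FILE: check all three published digests; any mismatch fails.
# Checking all three, not just one, means an attacker would have to find a
# single file colliding with every published digest at once.
verify_package() {
    rc=0
    verify_checksum "$1" md5    "$EXPECTED_MD5"    || rc=1
    verify_checksum "$1" sha1   "$EXPECTED_SHA1"   || rc=1
    verify_checksum "$1" sha256 "$EXPECTED_SHA256" || rc=1
    return $rc
}

# Usage (placeholder path):
#   verify_package /path/to/downloaded/update-1476-5242.jar && echo "safe to import"
```

Run `verify_package` on the downloaded file and only continue with step 2 when it exits 0; a non-zero exit means the file differs from what Forcepoint published (or the digest tools are missing), and the file should be re-downloaded rather than imported.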

DISCLAIMER AND COPYRIGHT

Copyright © 2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.