Release notes for update package 1498-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday August 29, 2022
MD5 CHECKSUM:    a009e39848d0629980369c9de00b1a8a
SHA1 CHECKSUM:    eb2db088284c38a6a11e0e06b5149beea593c0a3
SHA256 CHECKSUM:    274763ea583f24ef5c41699bf10dedda198b93298cf841473cae8dc3e5d6e43a

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.3.1.19034

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Dolibarr ERP and CRM Suite detected     CVE-2021-33816     Dolibarr-ERP-And-CRM-Suite-Website-Command-Injection
High     An attempt to exploit a vulnerability in Zimbra Collaboration detected     CVE-2022-27924     Zimbra-Collaboration-Memcached-Command-Injection-CVE-2022-27924
High     An attempt to exploit a vulnerability in Zimbra Collaboration detected     CVE-2022-27924     Zimbra-Collaboration-Memcached-Command-Injection-CVE-2022-27924
High     An attempt to exploit a vulnerability in Atlassian JIRA detected     CVE-2022-36801     Atlassian-JIRA-Server-And-Data-Center-Planurl-Reflected-Cross-Site-Scripting
High     An attempt to exploit a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) detected     CVE-2022-2185     Gitlab-Project-Import-Command-Injection
High     An attempt to exploit a vulnerability in Ivanti Avalanche detected     CVE-2022-36974     Ivanti-Avalanche-Web-File-Server-Insecure-Deserialization
High     An attempt to exploit a vulnerability in Zimbra Collaboration detected     CVE-2022-27924     Zimbra-Collaboration-Memcached-Command-Injection-CVE-2022-27924


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Dolibarr-ERP-And-CRM-Suite-Website-Command-Injection     CVE-2021-33816     HTTP_CS-Dolibarr-ERP-And-CRM-Suite-Website-Command-Injection     Suspected Compromise
High     Zimbra-Collaboration-Memcached-Command-Injection-CVE-2022-27924     CVE-2022-27924     HTTP_CS-Zimbra-Collaboration-Memcached-Command-Injection-In-Authorization-Header-CVE-2022-27924     Suspected Compromise

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Ivanti-Avalanche-Web-File-Server-Insecure-Deserialization     CVE-2022-36974     Generic_CS-Ivanti-Avalanche-Web-File-Server-Insecure-Deserialization     Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Zimbra-Collaboration-Memcached-Command-Injection-CVE-2022-27924     CVE-2022-27924     HTTP_CSU-Zimbra-Collaboration-Memcached-Command-Injection-In-Query-CVE-2022-27924     Suspected Compromise
High     Atlassian-JIRA-Server-And-Data-Center-Planurl-Reflected-Cross-Site-Scripting     CVE-2022-36801     HTTP_CSU-Atlassian-JIRA-Server-And-Data-Center-Planurl-Reflected-Cross-Site-Scripting     Suspected Compromise

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Zimbra-Collaboration-Memcached-Command-Injection-CVE-2022-27924     CVE-2022-27924     HTTP_CSH-Zimbra-Collaboration-Memcached-Command-Injection-In-CookieCVE-2022-27924     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Gitlab-Project-Import-Command-Injection     CVE-2022-2185     File-Text_Gitlab-Project-Import-Command-Injection     Suspected Compromise

Updated detected attacks:

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Tsunami-Linux-Trojan-Infection-Traffic     No CVE/CAN     Generic_CS-Tsunami-Linux-Trojan-Infection-Traffic     Botnet     Fingerprint regexp changed

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Critical     Apache-Struts-Wildcard-Matching-OGNL-Code-Execution     CVE-2013-2134     HTTP_CSU-Suspicious-OGNL-Expression-2     Compromise     Severity: 7->10; Category tag situation Compromise added; Category tag situation Suspected Compromise removed

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Ruckus-Iot-Controller-Web-UI-Authentication-Bypass-Vulnerability     CVE-2020-26879     HTTP_CRH-Ruckus-Iot-Controller-Web-UI-Authentication-Bypass-Vulnerability     Suspected Compromise     Fingerprint regexp changed
High     Bazar-Loader-Backdoor-Malware-Infection-Traffic     No CVE/CAN     HTTP_CSH-Bazar-Loader-Backdoor-Malware-Infection-Traffic     Suspected Botnet     Fingerprint regexp changed
High     D-Link-Backdoor-CVE-2013-6026     CVE-2013-6026     HTTP_CSH-D-Link-Backdoor-CVE-2013-6026     Suspected Compromise     Fingerprint regexp changed
High     OneDev-Platform-Attachmentuploadservet-Insecure-Deserialization     CVE-2021-21242     HTTP_CSH-OneDev-Platform-Attachmentuploadservet-Insecure-Deserialization     Suspected Compromise     Detection mechanism updated
High     F5-iControl-Rest-Unauthenticated-RCE-CVE-2021-22986     CVE-2021-22986     HTTP_CSH-F5-iControl-Rest-Unauthenticated-RCE-CVE-2021-22986     Suspected Compromise     Detection mechanism updated
High     Apache-Pulsar-JSON-Web-Token-Authentication-Bypass     CVE-2021-22160     HTTP_CSH-Apache-Pulsar-JSON-Web-Token-Authentication-Bypass     Suspected Compromise     Fingerprint regexp changed
High     IcedID-Trojan-Infection-Traffic     No CVE/CAN     HTTP_CSH-IcedID-Trojan-Infection-Traffic     Suspected Botnet     Fingerprint regexp changed
High     Realtek-SDK-UPnP-Callback-Stack-Buffer-Overflow-CVE-2021-35392     CVE-2021-35392     HTTP_CSH-Realtek-SDK-UPnP-Callback-Stack-Buffer-Overflow-CVE-2021-35392     Suspected Compromise     Fingerprint regexp changed
High     Apache-Shiro-Remote-Code-Execution     CVE-2016-4437     HTTP_CSH-Apache-Shiro-Remote-Code-Execution     Potential Compromise     Detection mechanism updated
High     Zeppelin-Ransomware-Infection-Traffic     No CVE/CAN     HTTP_CSH-Zeppelin-Ransomware-Infection-Traffic     Botnet     Fingerprint regexp changed
High     Lighttpd-Mod_Extforward-Plugin-Mod_extforward_Forwarded-Denial-Of-Service     CVE-2022-22707     HTTP_CSH-Lighttpd-Mod_Extforward-Plugin-Mod_extforward_Forwarded-Denial-Of-Service     Suspected Compromise     Fingerprint regexp changed
High     Citrix-NetScaler-SD-WAN-CGISESSID-Command-Execution-CVE-2017-6316     CVE-2017-6316     HTTP_CSH-Citrix-NetScaler-SD-WAN-CGISESSID-Command-Execution-CVE-2017-6316     Suspected Compromise     Fingerprint regexp changed

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Dolibarr-ERP-And-CRM-Suite-Website-Command-Injection     CVE-2021-33816     HTTP_CRL-Dolibarr-ERP-And-CRM-Suite-Website-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Advantech-Iview-NetworkServlet-BackupDatabase-Backup_Filename-Command-Injection     CVE-2022-2143     HTTP_CRL-Advantech-Iview-NetworkServlet-BackupDatabase-Backup_Filename-Command-Injection     Suspected Compromise     Fingerprint regexp changed

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Wecon-LeviStudioU-Alarm-Tag-WordAddr-Stack-Buffer-Overflow     No CVE/CAN     File-TextId_Wecon-LeviStudioU-Alarm-Tag-WordAddr-Stack-Buffer-Overflow     Suspected Compromise     Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type     Name
Application     Microsoft-Intune

Updated objects:

Type     Name     Changes
Application     TeamViewer     Application detection context content changed
IPList     Iraq
IPList     Saudi Arabia
IPList     Iran
IPList     Cyprus
IPList     Armenia
IPList     Seychelles
IPList     Qatar
IPList     Bahrain
IPList     United Arab Emirates
IPList     Israel
IPList     Turkey
IPList     Egypt
IPList     Greece
IPList     Estonia
IPList     Latvia
IPList     Lithuania
IPList     Finland
IPList     Ukraine
IPList     Hungary
IPList     Bulgaria
IPList     Poland
IPList     Romania
IPList     Kosovo
IPList     Mauritius
IPList     South Africa
IPList     Pakistan
IPList     Bangladesh
IPList     India
IPList     Nepal
IPList     Vietnam
IPList     Thailand
IPList     Indonesia
IPList     Taiwan
IPList     Philippines
IPList     Malaysia
IPList     China
IPList     Hong Kong
IPList     Cambodia
IPList     South Korea
IPList     Japan
IPList     Singapore
IPList     Russia
IPList     Australia
IPList     New Zealand
IPList     Portugal
IPList     Nigeria
IPList     Spain
IPList     Denmark
IPList     United Kingdom
IPList     Switzerland
IPList     Sweden
IPList     Netherlands
IPList     Austria
IPList     Belgium
IPList     Germany
IPList     Luxembourg
IPList     Ireland
IPList     France
IPList     Liechtenstein
IPList     Slovakia
IPList     Czechia
IPList     Norway
IPList     Italy
IPList     Slovenia
IPList     Croatia
IPList     Barbados
IPList     Guyana
IPList     French Guiana
IPList     Suriname
IPList     Brazil
IPList     Jamaica
IPList     Dominican Republic
IPList     Cuba
IPList     Martinique
IPList     Trinidad and Tobago
IPList     St Kitts and Nevis
IPList     Dominica
IPList     Aruba
IPList     British Virgin Islands
IPList     St Vincent and Grenadines
IPList     Guadeloupe
IPList     Grenada
IPList     Cayman Islands
IPList     El Salvador
IPList     Guatemala
IPList     Honduras
IPList     Nicaragua
IPList     Costa Rica
IPList     Venezuela
IPList     Ecuador
IPList     Colombia
IPList     Panama
IPList     Haiti
IPList     Argentina
IPList     Peru
IPList     Mexico
IPList     Puerto Rico
IPList     Canada
IPList     United States
IPList     Serbia
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Amazon EC2
IPList     TOR relay nodes IP Address List
IPList     Botnet IP Address List
IPList     Malicious Site IP Address List
IPList     Amazon AMAZON ap-south-1
IPList     Amazon AMAZON eu-central-1
IPList     Amazon EC2 eu-central-1
IPList     Amazon AMAZON me-south-1
IPList     Amazon EC2 me-south-1
IPList     Amazon AMAZON us-east-1
Situation     HTTP_CSU-Shared-Variables

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.

DISCLAIMER AND COPYRIGHT

Copyright © 2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.