Release notes for update package 1557-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday February 20, 2023
MD5 CHECKSUM:    6fdd877204681c1785e9d8accc4dfd2a
SHA1 CHECKSUM:    131efad538a7b5920b2bf755939304dbc4aee7d2
SHA256 CHECKSUM:    af331daae47f1376269ec8820a55b00a2aa4501bf528f1e90244d493bf2ff4f7

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.3.1.19034

List of detected attacks in this update package:

Risk level    Description    Reference    Vulnerability
High    An attempt to exploit a vulnerability in Oracle E-Business Suite detected    CVE-2022-39428    Oracle-E-Business-Suite-Desktop-Integrator-Bnedecoder-Dir-Traversal
High    An attempt to exploit a vulnerability in Centreon Project Centreon Web detected    CVE-2022-42424    Centreon-Web-poller-Broker-Disablcentreonbrokerindb-SQL-Injection
High    An attempt to exploit a vulnerability in Adobe ColdFusion detected    CVE-2022-38421    Adobe-ColdFusion-Application-Server-CVE-2022-38421-Directory-Traversal
High    An attempt to exploit a vulnerability in Apache Zeppelin detected    CVE-2022-46870    Apache-Zeppelin-WebsocketEventFactory-Stored-Cross-Site-Scripting
High    An attempt to exploit a vulnerability in ksmbd detected    CVE-2023-0210    Linux-Kernel-Ksmbd_Decode_NTLMSSP_Auth_Blob-Integer-Underflow
High    An attempt to exploit a vulnerability in Windows Schannel detected    CVE-2023-21818    Windows-Schannel-Denial-Of-Service-CVE-2023-21818


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Oracle-E-Business-Suite-Desktop-Integrator-Bnedecoder-Dir-Traversal    CVE-2022-39428    HTTP_CS-Oracle-E-Business-Suite-Web-Applications-Desktop-Integrator-Bnedecoder-Directory-Traversal    Suspected Compromise

TCP SMB Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Linux-Kernel-Ksmbd_Decode_NTLMSSP_Auth_Blob-Integer-Underflow    CVE-2023-0210    SMB-TCP_Linux-Kernel-Ksmbd_Decode_NTLMSSP_Auth_Blob-Integer-Underflow    Suspected Denial of Service

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Centreon-Web-poller-Broker-Disablcentreonbrokerindb-SQL-Injection    CVE-2022-42424    HTTP_CRL-Centreon-Web-poller-Broker-Disablcentreonbrokerindb-SQL-Injection    Suspected Compromise
High    Adobe-ColdFusion-Application-Server-CVE-2022-38421-Directory-Traversal    CVE-2022-38421    HTTP_CRL-Adobe-ColdFusion-Application-Server-CVE-2022-38421-Directory-Traversal    Suspected Compromise
High    Apache-Zeppelin-WebsocketEventFactory-Stored-Cross-Site-Scripting    CVE-2022-46870    HTTP_CRL-Apache-Zeppelin-WebsocketEventFactory-Stored-Cross-Site-Scripting    Suspected Compromise

TLS Server Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Windows-Schannel-Denial-Of-Service-CVE-2023-21818    CVE-2023-21818    TLS_SS-Windows-Schannel-Denial-Of-Service-CVE-2023-21818    Suspected Compromise

Updated detected attacks:

TCP Client Stream Unknown

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Sybase-Open-Server-Function-Pointer-Array-Code-Execution    No CVE/CAN    Generic_CS-Sybase-Open-Server-Function-Pointer-Array-Code-Execution    Potential Compromise
    Category tag situation Potential Compromise added
    Category tag situation Suspected Compromise removed
    Fingerprint regexp changed

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    GoAnywhere-MFT-Remote-Code-Execution-CVE-2023-0669    CVE-2023-0669    HTTP_CRL-GoAnywhere-MFT-Remote-Code-Execution-CVE-2023-0669    Suspected Compromise
    Description has changed
    Fingerprint regexp changed

TLS Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Windows-Schannel-Denial-Of-Service-Vulnerability-CVE-2023-21819    CVE-2023-21819    TLS_CS_Windows-Schannel-Denial-Of-Service-Vulnerability-CVE-2023-21819    Suspected Compromise
    Category tag group MS2023-02 added

TLS Server Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Windows-CryptoAPI-Spoofing-Vulnerability-CVE-2022-34689    CVE-2022-34689    TLS_SS_Windows-CryptoAPI-Spoofing-Vulnerability-CVE-2022-34689    Potential Compromise
    Detection mechanism updated

Identified Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Oracle-E-Business-Suite-Arbitrary-File-Upload-CVE-2022-21587    CVE-2022-21587    File-TextId_Oracle-E-Business-Suite-Arbitrary-File-Upload-CVE-2022-21587    Suspected Compromise
    Description has changed
High    Microsoft-Exchange-Unsafe-Deserialization-CVE-2023-21529    CVE-2023-21529    File-TextId_Microsoft-Exchange-Unsafe-Deserialization-CVE-2023-21529    Suspected Compromise
    Category tag group MS2023-02 added
High    Microsoft-Exchange-Unsafe-Deserialization-CVE-2023-21706    CVE-2023-21706    File-TextId_Microsoft-Exchange-Unsafe-Deserialization-CVE-2023-21706    Suspected Compromise
    Category tag group MS2023-02 added

Generic IP Fingerprinting Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Microsoft-PEAP-Heap-Overflow-Vulnerability-CVE-2023-21689    CVE-2023-21689    IPv4_Microsoft-PEAP-Heap-Overflow-Vulnerability-CVE-2023-21689    Suspected Compromise
    Category tag group MS2023-02 added
High    Microsoft-PEAP-Heap-Overflow-Vulnerability-CVE-2023-21690    CVE-2023-21690    IPv4_Microsoft-PEAP-Heap-Overflow-Vulnerability-CVE-2023-21690    Suspected Compromise
    Category tag group MS2023-02 added

LIST OF OTHER CHANGES:

New objects:

Type    Name
Category    Apache Zeppelin
Category    MS2023-02
IPList    Microsoft Azure service for Marketplace
IPList    Amazon CLOUDFRONT me-central-1
IPList    Amazon CLOUDFRONT ap-southeast-3
Sandbox Service    Forcepoint AMDP Europe datacenter
Sandbox Service    Forcepoint AMDP Europe
Sandbox Service    Forcepoint AMDP North America data center
Sandbox Service    Forcepoint AMDP Automatic data center
Sandbox Service    Forcepoint AMDP North America
Sandbox Service    Forcepoint AMDP Automatic
TLSProfile    Forcepoint AMDP service TLS Profile

Updated objects:

Type    Name    Changes
IPList    Saudi Arabia
IPList    Iran
IPList    Cyprus
IPList    Tanzania
IPList    Kenya
IPList    Central African Republic
IPList    Seychelles
IPList    Qatar
IPList    Bahrain
IPList    United Arab Emirates
IPList    Israel
IPList    Turkey
IPList    Greece
IPList    Estonia
IPList    Latvia
IPList    Azerbaijan
IPList    Lithuania
IPList    Georgia
IPList    Belarus
IPList    Finland
IPList    Ukraine
IPList    Hungary
IPList    Bulgaria
IPList    Poland
IPList    Romania
IPList    Réunion
IPList    South Africa
IPList    Pakistan
IPList    Bangladesh
IPList    India
IPList    Nepal
IPList    Myanmar
IPList    Uzbekistan
IPList    Kazakhstan
IPList    Kyrgyzstan
IPList    Vietnam
IPList    Thailand
IPList    Indonesia
IPList    Taiwan
IPList    Philippines
IPList    Malaysia
IPList    China
IPList    Hong Kong
IPList    Brunei
IPList    South Korea
IPList    Japan
IPList    Singapore
IPList    Russia
IPList    Mongolia
IPList    Australia
IPList    Papua New Guinea
IPList    New Zealand
IPList    Libya
IPList    Cameroon
IPList    Portugal
IPList    Nigeria
IPList    Benin
IPList    Chad
IPList    Spain
IPList    Malta
IPList    Denmark
IPList    Iceland
IPList    United Kingdom
IPList    Switzerland
IPList    Sweden
IPList    Netherlands
IPList    Austria
IPList    Belgium
IPList    Germany
IPList    Luxembourg
IPList    Ireland
IPList    France
IPList    Andorra
IPList    Liechtenstein
IPList    Jersey
IPList    Isle of Man
IPList    Slovakia
IPList    Czechia
IPList    Norway
IPList    Vatican City
IPList    Italy
IPList    Slovenia
IPList    Montenegro
IPList    Croatia
IPList    Guyana
IPList    French Guiana
IPList    Brazil
IPList    Dominican Republic
IPList    British Virgin Islands
IPList    Belize
IPList    Honduras
IPList    Costa Rica
IPList    Venezuela
IPList    Colombia
IPList    Panama
IPList    Argentina
IPList    Chile
IPList    Peru
IPList    Mexico
IPList    Tonga
IPList    Puerto Rico
IPList    U.S. Virgin Islands
IPList    Canada
IPList    United States
IPList    Serbia
IPList    Antarctica
IPList    TOR exit nodes IP Address List
IPList    Amazon AMAZON
IPList    Amazon S3
IPList    Amazon EC2
IPList    Amazon CLOUDFRONT
IPList    Akamai Servers
IPList    Microsoft Azure datacenter for australiasoutheast
IPList    Microsoft Azure datacenter for brazilsouth
IPList    Microsoft Azure datacenter for canadacentral
IPList    TOR relay nodes IP Address List
IPList    Microsoft Azure datacenter for canadaeast
IPList    Microsoft Azure datacenter for centralindia
IPList    Microsoft Azure datacenter for centraluseuap
IPList    Microsoft Azure datacenter for centralus
IPList    Microsoft Azure datacenter for eastasia
IPList    Microsoft Azure datacenter for eastus2euap
IPList    Microsoft Azure datacenter for eastus2
IPList    Microsoft Azure datacenter for eastus
IPList    Microsoft Azure datacenter for centralfrance
IPList    Microsoft Azure datacenter for japaneast
IPList    Microsoft Azure datacenter for japanwest
IPList    Microsoft Azure datacenter for koreacentral
IPList    Netflix Servers
IPList    Microsoft Azure datacenter for koreasouth
IPList    Microsoft Azure datacenter for northcentralus
IPList    Microsoft Azure datacenter for northeurope
IPList    Microsoft Azure datacenter for southcentralus
IPList    Microsoft Azure datacenter for southindia
IPList    Microsoft Azure datacenter for southeastasia
IPList    Microsoft Azure datacenter for uksouth
IPList    Microsoft Azure datacenter for ukwest
IPList    Microsoft Azure datacenter for westcentralus
IPList    Microsoft Azure datacenter for westeurope
IPList    Microsoft Azure datacenter for westindia
IPList    Microsoft Azure datacenter for westus2
IPList    Microsoft Azure datacenter for westus
IPList    Microsoft Azure datacenter
IPList    Zscaler IP Address List
IPList    Amazon AMAZON ap-south-2
IPList    Amazon AMAZON ap-northeast-1
IPList    Amazon AMAZON me-central-1
IPList    Amazon S3 ap-northeast-1
IPList    Amazon AMAZON eu-south-2
IPList    Amazon AMAZON eu-central-2
IPList    Botnet IP Address List
IPList    Malicious Site IP Address List
IPList    Microsoft Azure service for MicrosoftDefenderForEndpoint
IPList    Amazon AMAZON eu-west-1
IPList    Amazon AMAZON eu-west-2
IPList    Amazon S3 eu-west-2
IPList    Amazon AMAZON us-east-1
IPList    Amazon EC2 us-east-1
IPList    Amazon AMAZON us-east-2
IPList    Amazon AMAZON us-west-1
IPList    Amazon EC2 us-west-1
IPList    Amazon AMAZON us-west-2
IPList    Amazon AMAZON eu-south-1
IPList    Amazon S3 eu-south-1
IPList    Microsoft Azure datacenter for australiacentral
IPList    Microsoft Azure datacenter for germanywc
IPList    Microsoft Azure datacenter for norwaye
IPList    Microsoft Azure datacenter for southafricanorth
IPList    Microsoft Azure datacenter for southafricawest
IPList    Microsoft Azure datacenter for switzerlandn
IPList    Microsoft Azure datacenter for uaecentral
IPList    Microsoft Azure datacenter for uaenorth
IPList    Microsoft Azure service for AppService
IPList    Microsoft Azure service for AzureActiveDirectory_ServiceEndpoint
IPList    Microsoft Azure service for AzureCloud
IPList    Microsoft Azure service for AzureCosmosDB
IPList    Microsoft Azure service for AzureMachineLearning
IPList    Microsoft Azure service for AzureMonitor
IPList    Microsoft Azure service for DataFactory
IPList    Microsoft Azure service for DataFactoryManagement
IPList    Microsoft Azure service for MicrosoftCloudAppSecurity
IPList    Microsoft Azure service for PowerBI
IPList    Microsoft Azure service for Sql
IPList    Microsoft Azure datacenter for westus3
IPList    Microsoft Azure service for EOPExternalPublishedIPs
IPList    Amazon AMAZON ap-southeast-4
IPList    Microsoft Azure service for ChaosStudio
Situation    Connection_Deep-Inspection-Off
    Description has changed
Situation    HTTP_CSU-Shared-Variables
Situation    HTTP_CSH-Shared-Variables
    Fingerprint regexp changed

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the MD5, SHA1 and SHA256 checksums of the downloaded file match the values listed at the top of these release notes. Do not import a file whose checksums differ.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
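The following script is an added example of the checksum check in step 1; it is not part of the Forcepoint release notes or of the Forcepoint product. It compares a downloaded package against the MD5, SHA1 and SHA256 values published above and refuses to declare the file importable unless all three match. It assumes a POSIX shell with GNU coreutils (md5sum, sha1sum, sha256sum); the path of the downloaded package is not given on this page, so it is passed as the first argument rather than assumed.

```shell
#!/bin/sh
# Added example: verify a downloaded Forcepoint dynamic update package against
# the digests published in the release notes before importing it.
# Assumes GNU coreutils (md5sum, sha1sum, sha256sum) on a POSIX shell.

# Digests published in the release notes for update package 1557-5242.
EXPECTED_MD5=6fdd877204681c1785e9d8accc4dfd2a
EXPECTED_SHA1=131efad538a7b5920b2bf755939304dbc4aee7d2
EXPECTED_SHA256=af331daae47f1376269ec8820a55b00a2aa4501bf528f1e90244d493bf2ff4f7

# file_digest ALGO FILE: print the lowercase hex digest of FILE.
# ALGO is one of md5, sha1, sha256.
file_digest() {
    case "$1" in
        md5)    tool=md5sum ;;
        sha1)   tool=sha1sum ;;
        sha256) tool=sha256sum ;;
        *) echo "unknown algorithm: $1" >&2; return 2 ;;
    esac
    "$tool" "$2" | awk '{print tolower($1)}'
}

# check_digest ALGO FILE EXPECTED: return 0 if the ALGO digest of FILE equals
# EXPECTED (case-insensitive), 1 on mismatch, 2 on error.
check_digest() {
    actual=$(file_digest "$1" "$2") || return 2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "$1: OK"
        return 0
    fi
    echo "$1: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# verify_update_package FILE [MD5 SHA1 SHA256]: check all three digests and
# fail if any of them differs. Without explicit digests, the values published
# in the release notes are used. Every algorithm is checked even after the
# first mismatch so the operator sees the full picture.
verify_update_package() {
    file=$1
    md5=${2:-$EXPECTED_MD5}
    sha1=${3:-$EXPECTED_SHA1}
    sha256=${4:-$EXPECTED_SHA256}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    status=0
    check_digest md5    "$file" "$md5"    || status=1
    check_digest sha1   "$file" "$sha1"   || status=1
    check_digest sha256 "$file" "$sha256" || status=1
    if [ "$status" -eq 0 ]; then
        echo "all checksums match: $file may be imported"
    else
        echo "checksum mismatch: do NOT import $file" >&2
    fi
    return "$status"
}

# Usage: sh verify_update.sh /path/to/downloaded/update-package
if [ "$#" -ge 1 ]; then
    verify_update_package "$1"
fi
```

Two caveats for anyone relying on this check. MD5 and SHA1 are collision-prone, so SHA256 is the digest that actually establishes integrity; the other two are checked only because the notes publish them. And the check only confirms that the file matches what these release notes say, so it defends against corruption or tampering in transit only if the notes themselves were retrieved over an authenticated channel from the vendor.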

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.