Release notes for update package 1621-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Tuesday August 15, 2023
MD5 CHECKSUM:    90c9b64d419612b270e54ea6bc9b43ca
SHA1 CHECKSUM:    e713f3f7bdbdad0260bc8161d6c2b1109d9ce1d8
SHA256 CHECKSUM:    3543941922ac126f886628c3dfca41f19deda7da94df43072ef49c4d3e588d74

UPDATE CRITICALITY:    CRITICAL

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.5.1.21108

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
Critical | An attempt to exploit a vulnerability in Citrix detected | CVE-2019-19781 | Citrix-Path-Traversal-CVE-2019-19781
High | An attempt to exploit a vulnerability in Microsoft Exchange Server detected | CVE-2021-27065 | Microsoft-Exchange-CVE-2021-27065-Arbitrary-File-Write
High | An attempt to exploit a vulnerability in Zoho Corporation ManageEngine ADSelfService Plus detected | CVE-2021-40539 | Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass
High | An attempt to exploit a vulnerability in Adobe ColdFusion detected | CVE-2023-29298 | Adobe-ColdFusion-Improper-Access-Control-Vulnerability-CVE-2023-29298
High | An attempt to exploit a vulnerability in SonicWall Analytics detected | CVE-2023-34127 | SonicWall-Gms-And-Analytics-Searchfilter-Command-Injection
High | An attempt to exploit a vulnerability in Zabbix detected | CVE-2023-29452 | Zabbix-Geomap-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in SonicWall Analytics detected | CVE-2023-34133 | SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection
High | An attempt to exploit a vulnerability in SonicWall Analytics detected | CVE-2023-34133 | SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection
High | An attempt to exploit a vulnerability in XWiki.org XWiki detected | CVE-2023-35166 | Xwiki-Tipspanel-XWiki.uiextensionclass-Code-Injection
High | An attempt to exploit a vulnerability in Django Software Foundation Django detected | CVE-2023-23969 | Django-Parse_accept_Lang_Header-Accept-Language-Resource-Exhaustion
High | An attempt to exploit a vulnerability in SonicWall Analytics detected | CVE-2023-34133 | SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection

DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Exchange-CVE-2021-27065-Arbitrary-File-Write | CVE-2021-27065 | HTTP_CS-Microsoft-Exchange-CVE-2021-27065-Arbitrary-File-Write-2 | Suspected Compromise

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass | CVE-2021-40539 | HTTP_CSU-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass | Potential Compromise
High | Adobe-ColdFusion-Improper-Access-Control-Vulnerability-CVE-2023-29298 | CVE-2023-29298 | HTTP_CSU-Adobe-ColdFusion-Improper-Access-Control-Vulnerability-CVE-2023-29298-2 | Potential Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
Critical | Citrix-Path-Traversal-CVE-2019-19781 | CVE-2019-19781 | HTTP_CRH-Citrix-Path-Traversal-CVE-2019-19781-2 | Compromise
High | Django-Parse_accept_Lang_Header-Accept-Language-Resource-Exhaustion | CVE-2023-23969 | HTTP_CSH-Django-Parse_accept_Lang_Header-Accept-Language-Resource-Exhaustion | Suspected Compromise
High | SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection | CVE-2023-34133 | HTTP_CSH-SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | SonicWall-Gms-And-Analytics-Searchfilter-Command-Injection | CVE-2023-34127 | HTTP_CSU-SonicWall-Gms-And-Analytics-Searchfilter-Command-Injection | Suspected Compromise
High | Zabbix-Geomap-Stored-Cross-Site-Scripting | CVE-2023-29452 | HTTP_CRL-Zabbix-Geomap-Stored-Cross-Site-Scripting | Suspected Compromise
High | SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection | CVE-2023-34133 | HTTP_CRL-SonicWall-Gms-And-Analytics-Detectinjection-Security-Filter-Bypass | Potential Compromise
High | SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection | CVE-2023-34133 | HTTP_CRL-SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection | Suspected Compromise
High | Xwiki-Tipspanel-XWiki.uiextensionclass-Code-Injection | CVE-2023-35166 | HTTP_CRL-Xwiki-Tipspanel-XWiki.uiextensionclass-Code-Injection | Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Apache-Tomcat-Manager-Authenticated-Upload-Code-Execution | CVE-2010-4094 | HTTP_CS-Apache-Tomcat-Manager-Authenticated-Upload-Code-Execution | Potential Compromise
    Fingerprint regexp changed
Critical | Microsoft-Exchange-CVE-2021-27065-Arbitrary-File-Write | CVE-2021-27065 | HTTP_CS-Microsoft-Exchange-CVE-2021-27065-Arbitrary-File-Write | Compromise
    Detection mechanism updated
High | WSO2-Unrestricted-File-Upload-CVE-2022-29464 | CVE-2022-29464 | HTTP_CS-WSO2-Unrestricted-File-Upload-CVE-2022-29464 | Suspected Compromise
    Fingerprint regexp changed

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Measuresoft-ScadaPro-XF-Command-Execution | CVE-2011-3490 | Generic_CS-Measuresoft-ScadaPro-XF-Command-Execution | Suspected Compromise
    Fingerprint regexp changed

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | HP-Intelligent-Management-Center-Reporting-Information-Disclosure | No CVE/CAN | HTTP_CSU-HP-Intelligent-Management-Center-Reporting-Information-Disclosure | Suspected Disclosure
    Fingerprint regexp changed
High | Tandberg-Video-Server-Directory-Traversal | CVE-2009-4511 | HTTP_CSU-Tandberg-Directory-Traversal-File-Disclosure | Suspected Disclosure
    Fingerprint regexp changed
Low | HTTP_System-File-Access | No CVE/CAN | HTTP_CSU-Potential-System-File-Disclosure | Potential Disclosure
    Fingerprint regexp changed
High | Novell-ZENworks-Asset-Management-File-Upload-Directory-Traversal | CVE-2010-4229 | HTTP_CSU-Novell-ZENworks-Asset-Management-File-Upload-Directory-Traversal | Suspected Compromise
    Fingerprint regexp changed
Critical | HP-Intelligent-Management-Center-Syslogdownloadservlet-Information-Disclosure | CVE-2012-5206 | HTTP_CSU-HP-IMC-Syslogdownloadservlet-Information-Disclosure | Compromise
    Fingerprint regexp changed
High | Apache-Struts-Wildcard-Matching-OGNL-Code-Execution | CVE-2013-2134 | HTTP_CSU-Suspicious-OGNL-Expression | Suspected Compromise
    Fingerprint regexp changed
Critical | Pulse-Secure-SSL-VPN-Pre-Auth-Arbitrary-File-Reading | CVE-2019-11510 | HTTP_CSU-Pulse-Secure-SSL-VPN-Pre-Auth-Arbitrary-File-Reading | Compromise
    Fingerprint regexp changed
Critical | SonicWall-Remote-Code-Execution-CVE-2021-20038 | CVE-2021-20038 | HTTP_CSU-SonicWall-Remote-Code-Execution-CVE-2021-20038 | Compromise
    Severity: 7->10
    Category tag situation Compromise added
    Category tag situation Suspected Compromise removed
Critical | Apache-Struts-Wildcard-Matching-OGNL-Code-Execution | CVE-2013-2134 | HTTP_CSU-Suspicious-OGNL-Expression-2 | Compromise
    Fingerprint regexp changed
High | Adobe-ColdFusion-Improper-Access-Control-Vulnerability-CVE-2023-29298 | CVE-2023-29298 | HTTP_CSU-Adobe-ColdFusion-Improper-Access-Control-Vulnerability-CVE-2023-29298 | Suspected Compromise
    Fingerprint regexp changed
High | Directory-Traversal | No CVE/CAN | HTTP_CSU-Dot-Dot-Slash-And-Null-Byte-Sequence | Attack Related Anomalies
    Fingerprint regexp changed
Low | Directory-Traversal | No CVE/CAN | HTTP_CSU-Potential-Dot-Dot-Slash-Directory-Traversal | Possibly Unwanted Content
    Fingerprint regexp changed
High | Directory-Traversal | No CVE/CAN | HTTP_CSU-Dot-Dot-Slash-Directory-Traversal | Potential Compromise
    Name: HTTP_CSU-Dot-Dot-Slash-Dot-Dot-Slash-Dot-Dot-Directory-Traversal->HTTP_CSU-Dot-Dot-Slash-Directory-Traversal
    Comment has changed
    Description has changed
    Fingerprint regexp changed
High | HTTP_System-File-Access | No CVE/CAN | HTTP_CSU-System-File-Disclosure | Disclosure
    Fingerprint regexp changed
High | Count.cgi-Vulnerabilities | CVE-1999-0021 | HTTP_CSU-Count-Cgi-Disclosure | Disclosure
    Fingerprint regexp changed

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Citrix-Path-Traversal-CVE-2019-19781 | CVE-2019-19781 | HTTP_CRH-Citrix-Path-Traversal-CVE-2019-19781 | Suspected Compromise
    Fingerprint regexp changed
Critical | FortiOS-Ssl-VPN-Heap-Buffer-Overflow-CVE-2022-42475 | CVE-2022-42475 | HTTP_CSH_FortiOS-Ssl-VPN-Heap-Buffer-Overflow-CVE-2022-42475 | Compromise
    Severity: 7->10
    Category tag situation Compromise added
    Category tag situation Suspected Compromise removed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Citrix-Path-Traversal-CVE-2019-19781 | CVE-2019-19781 | HTTP_CRL-Citrix-Path-Traversal-CVE-2019-19781 | Potential Compromise
    Fingerprint regexp changed
High | Microsoft-Exchange-Post-Auth-Arbitrary-File-Write-CVE-2021-31207 | CVE-2021-31207 | HTTP_CRL-Microsoft-Exchange-Post-Auth-Arbitrary-File-Write-CVE-2021-31207-2 | Suspected Compromise
    Detection mechanism updated
High | Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass | CVE-2021-40539 | HTTP_CRL-Zoho-Manageengine-Adselfservice-Plus-Authentication-Bypass | Suspected Compromise
    Fingerprint regexp changed

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Mozilla-Firefox-XUL-menupopup.menu-Null-Pointer-Dereference-DoS | CVE-2007-0775 | File-TextId_Mozilla-Firefox-XUL-menupopup.menu-Null-Pointer-Dereference-DoS | Suspected Denial of Service
    Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | SonicWall Analytics
Situation | HTTP_CSH-OWASP-CoreRule-Request-944-Application-Attack-Java-944130

Updated objects:

Type | Name | Changes
IPList | Rwanda
IPList | Somalia
IPList | Yemen
IPList | Iraq
IPList | Saudi Arabia
IPList | Iran
IPList | Cyprus
IPList | Tanzania
IPList | Syria
IPList | Armenia
IPList | Kenya
IPList | DR Congo
IPList | Djibouti
IPList | Uganda
IPList | Central African Republic
IPList | Seychelles
IPList | Jordan
IPList | Lebanon
IPList | Kuwait
IPList | Oman
IPList | Qatar
IPList | Bahrain
IPList | United Arab Emirates
IPList | Israel
IPList | Turkey
IPList | Ethiopia
IPList | Eritrea
IPList | Egypt
IPList | Sudan
IPList | Greece
IPList | Burundi
IPList | Estonia
IPList | Latvia
IPList | Azerbaijan
IPList | Lithuania
IPList | Svalbard and Jan Mayen
IPList | Georgia
IPList | Moldova
IPList | Belarus
IPList | Finland
IPList | Åland Islands
IPList | Ukraine
IPList | North Macedonia
IPList | Hungary
IPList | Bulgaria
IPList | Albania
IPList | Poland
IPList | Romania
IPList | Kosovo
IPList | Zimbabwe
IPList | Zambia
IPList | Comoros
IPList | Malawi
IPList | Lesotho
IPList | Botswana
IPList | Mauritius
IPList | Eswatini
IPList | Réunion
IPList | South Africa
IPList | Mayotte
IPList | Mozambique
IPList | Madagascar
IPList | Afghanistan
IPList | Pakistan
IPList | Bangladesh
IPList | Turkmenistan
IPList | Tajikistan
IPList | Sri Lanka
IPList | Bhutan
IPList | India
IPList | Maldives
IPList | British Indian Ocean Territory
IPList | Nepal
IPList | Myanmar
IPList | Uzbekistan
IPList | Kazakhstan
IPList | Kyrgyzstan
IPList | French Southern Territories
IPList | Heard and McDonald Islands
IPList | Cocos (Keeling) Islands
IPList | Palau
IPList | Vietnam
IPList | Thailand
IPList | Indonesia
IPList | Laos
IPList | Taiwan
IPList | Philippines
IPList | Malaysia
IPList | China
IPList | Hong Kong
IPList | Brunei
IPList | Macao
IPList | Cambodia
IPList | South Korea
IPList | Japan
IPList | North Korea
IPList | Singapore
IPList | Cook Islands
IPList | Timor-Leste
IPList | Russia
IPList | Mongolia
IPList | Australia
IPList | Christmas Island
IPList | Marshall Islands
IPList | Federated States of Micronesia
IPList | Papua New Guinea
IPList | Solomon Islands
IPList | Tuvalu
IPList | Nauru
IPList | Vanuatu
IPList | New Caledonia
IPList | Norfolk Island
IPList | New Zealand
IPList | Fiji
IPList | Libya
IPList | Cameroon
IPList | Senegal
IPList | Congo Republic
IPList | Portugal
IPList | Liberia
IPList | Ivory Coast
IPList | Ghana
IPList | Equatorial Guinea
IPList | Nigeria
IPList | Burkina Faso
IPList | Togo
IPList | Guinea-Bissau
IPList | Mauritania
IPList | Benin
IPList | Gabon
IPList | Sierra Leone
IPList | São Tomé and Príncipe
IPList | Gibraltar
IPList | Gambia
IPList | Guinea
IPList | Chad
IPList | Niger
IPList | Mali
IPList | Western Sahara
IPList | Tunisia
IPList | Spain
IPList | Morocco
IPList | Malta
IPList | Algeria
IPList | Faroe Islands
IPList | Denmark
IPList | Iceland
IPList | United Kingdom
IPList | Switzerland
IPList | Sweden
IPList | Netherlands
IPList | Austria
IPList | Belgium
IPList | Germany
IPList | Luxembourg
IPList | Ireland
IPList | Monaco
IPList | France
IPList | Andorra
IPList | Liechtenstein
IPList | Jersey
IPList | Isle of Man
IPList | Guernsey
IPList | Slovakia
IPList | Czechia
IPList | Norway
IPList | Vatican City
IPList | San Marino
IPList | Italy
IPList | Slovenia
IPList | Montenegro
IPList | Croatia
IPList | Bosnia and Herzegovina
IPList | Angola
IPList | Namibia
IPList | Saint Helena
IPList | Bouvet Island
IPList | Barbados
IPList | Cabo Verde
IPList | Guyana
IPList | French Guiana
IPList | Suriname
IPList | Saint Pierre and Miquelon
IPList | Greenland
IPList | Paraguay
IPList | Uruguay
IPList | Brazil
IPList | Falkland Islands
IPList | South Georgia and the South Sandwich Islands
IPList | Jamaica
IPList | Dominican Republic
IPList | Cuba
IPList | Martinique
IPList | Bahamas
IPList | Bermuda
IPList | Anguilla
IPList | Trinidad and Tobago
IPList | St Kitts and Nevis
IPList | Dominica
IPList | Antigua and Barbuda
IPList | Saint Lucia
IPList | Turks and Caicos Islands
IPList | Aruba
IPList | British Virgin Islands
IPList | St Vincent and Grenadines
IPList | Montserrat
IPList | Saint Martin
IPList | Saint Barthélemy
IPList | Guadeloupe
IPList | Grenada
IPList | Cayman Islands
IPList | Belize
IPList | El Salvador
IPList | Guatemala
IPList | Honduras
IPList | Nicaragua
IPList | Costa Rica
IPList | Venezuela
IPList | Ecuador
IPList | Colombia
IPList | Panama
IPList | Haiti
IPList | Argentina
IPList | Chile
IPList | Bolivia
IPList | Peru
IPList | Mexico
IPList | French Polynesia
IPList | Pitcairn Islands
IPList | Kiribati
IPList | Tokelau
IPList | Tonga
IPList | Wallis and Futuna
IPList | Samoa
IPList | Niue
IPList | Northern Mariana Islands
IPList | Guam
IPList | Puerto Rico
IPList | U.S. Virgin Islands
IPList | U.S. Outlying Islands
IPList | American Samoa
IPList | Canada
IPList | United States
IPList | Palestine
IPList | Serbia
IPList | Antarctica
IPList | Sint Maarten
IPList | Curaçao
IPList | Bonaire, Sint Eustatius, and Saba
IPList | South Sudan
IPList | TOR exit nodes IP Address List
IPList | Amazon AMAZON
IPList | Amazon S3
IPList | Amazon EC2
IPList | Akamai Servers
IPList | TOR relay nodes IP Address List
IPList | Amazon API_GATEWAY
IPList | Botnet IP Address List
IPList | Malicious Site IP Address List
IPList | NordVPN Servers IP Address List
IPList | Amazon S3 cn-north-1
IPList | Amazon AMAZON us-east-1
IPList | Amazon API_GATEWAY us-east-1
IPList | Amazon AMAZON us-east-2
IPList | Amazon EC2 us-east-2
Situation | HTTP_CSU-Shared-Variables
Situation | HTTP_CSH-Shared-Variables
    Fingerprint regexp changed
Situation | HTTP_CSU-Dot-Dot-Directory-Traversal
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Any Software removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag application_not_specific Any Software not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CRL-Shared-Variables
Situation | HTTP_CSH-Apache-Struts-Jakarta-Multipart-Parser-Remote-Code-Execution
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Apache Struts 2 removed
    Category tag group CVE2017 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | File-Text_Iframe-Src-From-IP-Address
    Fingerprint regexp changed

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
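Step 1 is the supply-chain check that protects the rest of the procedure: an update package that does not match all three published checksums should not be imported. The POSIX shell script below is an added example, not Forcepoint tooling; it assumes coreutils md5sum/sha1sum/sha256sum (falling back to shasum or openssl if those are absent), and the file name in the usage comment is a placeholder, not the package's real name. It fails if any one of the three digests differs, and it normalises case so a hash copied in uppercase still compares correctly.

```shell
#!/bin/sh
# Added example (not Forcepoint's own tooling): verify a downloaded dynamic
# update package against the checksums published in its release notes before
# importing it into the Management Client.

# Print the lowercase hex digest of FILE using ALG (md5, sha1 or sha256).
# Uses coreutils <alg>sum if present, then shasum, then openssl.
digest_of() {
    alg="$1"; file="$2"
    out=$(
        if command -v "${alg}sum" >/dev/null 2>&1; then
            "${alg}sum" "$file" | awk '{print $1}'
        elif [ "$alg" != md5 ] && command -v shasum >/dev/null 2>&1; then
            shasum -a "${alg#sha}" "$file" | awk '{print $1}'
        else
            openssl dgst "-$alg" "$file" | awk '{print $NF}'
        fi
    )
    printf '%s\n' "$out" | tr 'A-F' 'a-f'
}

# Compare FILE's ALG digest with EXPECTED.
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_checksum() {
    alg="$1"; file="$2"; expected="$3"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(digest_of "$alg" "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$alg OK       $file"
        return 0
    fi
    echo "$alg MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# Check all three published digests; every one must match for success.
verify_package() {
    pkg="$1"; md5="$2"; sha1="$3"; sha256="$4"
    rc=0
    verify_checksum md5    "$pkg" "$md5"    || rc=1
    verify_checksum sha1   "$pkg" "$sha1"   || rc=1
    verify_checksum sha256 "$pkg" "$sha256" || rc=1
    return $rc
}

# Usage (file name is a placeholder; digests are those published above for
# update package 1621-5242):
#   sh verify_update.sh ./update-package-1621-5242.bin \
#       90c9b64d419612b270e54ea6bc9b43ca \
#       e713f3f7bdbdad0260bc8161d6c2b1109d9ce1d8 \
#       3543941922ac126f886628c3dfca41f19deda7da94df43072ef49c4d3e588d74
if [ $# -eq 4 ]; then
    verify_package "$1" "$2" "$3" "$4"
fi
```

Run it with the downloaded file and the three values from the RELEASE DATE block; a non-zero exit means at least one digest differs and the package should be re-downloaded rather than imported. MD5 and SHA1 are listed for compatibility with older tooling; SHA256 is the comparison that carries the assurance.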

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.