Release notes for update package 1625-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Tuesday August 29, 2023
MD5 CHECKSUM:    3330adda2f5874d28dc5441d129592de
SHA1 CHECKSUM:    3269d8f51b70aab8817af0bee577169dc87f3b0f
SHA256 CHECKSUM:    3402c375c616a93e63a33e8e009b154490a803ef9a825189cb3754a510fa250e

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.5.1.21108

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Ivanti Avalanche detected     CVE-2023-32563     Ivanti-Avalanche-Remote-Control-Server-Updateskin-Directory-Traversal
High     An attempt to exploit a vulnerability in WooCommerce-Payments plugin for Wordpress detected     CVE-2023-28121     Wordpress-Plugin-Woocommerce-Payments-Unauthenticated-Admin-Creation
High     An attempt to exploit a vulnerability in SonicWall Analytics detected     CVE-2023-34133     SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection
High     An attempt to exploit a vulnerability in SonicWall Analytics detected     CVE-2023-34133     SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection
High     An attempt to exploit a vulnerability in Ignite Realtime OpenFire detected     CVE-2023-32315     OpenFire-Path-Traversal-Via-Setup-Environment-CVE-2023-32315
High     An attempt to exploit a vulnerability in Adobe Systems ColdFusion detected     CVE-2023-26361     Adobe-ColdFusion-Application-Server-CVE-2023-26361-Directory-Traversal
High     An attempt to exploit a vulnerability in wpForo WordPress plugin detected     CVE-2023-2249     WpForo-Wordpress-Plugin-LFI-SSRF-CVE-2023-2249
High     An attempt to exploit a vulnerability in RoundCube Webmail detected     CVE-2020-12641     Roundcube-Webmail-RCE-Via-Config-Setting-CVE-2020-12641
High     An attempt to exploit a vulnerability in Piwigo detected     CVE-2023-26876     Piwigo-CVE-2023-26876-Gather-Credentials-Via-SQL-Injection
High     An attempt to exploit a vulnerability in SolarView Compact detected     CVE-2023-23333     Solarview-Compact-Command-Injection-CVE-2023-23333
High     An attempt to exploit a vulnerability in Dolibarr detected     No CVE/CAN     Dolibarr-16-Pre-Auth-Contact-Database-Dump
High     An attempt to exploit a vulnerability in Apache Druid detected     CVE-2023-25194     Apache-Druid-JNDI-Injection-RCE
High     An attempt to exploit a vulnerability in VMWare vCenter Server detected     CVE-2023-20894     VMware-Vcenter-Server-Authentication-Pointer-Out-of-Range-CVE-2023-20894
High     An attempt to exploit a vulnerability in Siemens Tecnomatix Plant Simulation detected     CVE-2023-27404     Siemens-Tecnomatix-Plant-Simulation-Spp-File-Parsing-Stack-Buffer-Overflow
High     An attempt to exploit a vulnerability in Softing edgeAggregator detected     CVE-2023-38126     Softing-Edgeaggregator-Restore-Configuration-Directory-Traversal


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Ivanti-Avalanche-Remote-Control-Server-Updateskin-Directory-Traversal CVE-2023-32563 HTTP_CS-Ivanti-Avalanche-Remote-Control-Server-Updateskin-Directory-Traversal Suspected Compromise
High Wordpress-Plugin-Woocommerce-Payments-Unauthenticated-Admin-Creation CVE-2023-28121 HTTP_CS-Wordpress-Plugin-Woocommerce-Payments-Unauthenticated-Admin-Creation Suspected Compromise

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High VMware-Vcenter-Server-Authentication-Pointer-Out-of-Range-CVE-2023-20894 CVE-2023-20894 Generic_CS-VMware-Vcenter-Server-Authentication-Pointer-Out-of-Range-CVE-2023-20894 Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection CVE-2023-34133 HTTP_CSU-SonicWall-Gms-And-Analytics-Detectinjection-Potential-SQL-Injection Potential Compromise
High SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection CVE-2023-34133 HTTP_CSU-SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection Suspected Compromise
High OpenFire-Path-Traversal-Via-Setup-Environment-CVE-2023-32315 CVE-2023-32315 HTTP_CSU-OpenFire-Path-Traversal-Via-Setup-Environment-CVE-2023-32315 Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Adobe-ColdFusion-Application-Server-CVE-2023-26361-Directory-Traversal CVE-2023-26361 HTTP_CRL-Adobe-ColdFusion-Application-Server-CVE-2023-26361-Directory-Traversal Suspected Compromise
High WpForo-Wordpress-Plugin-LFI-SSRF-CVE-2023-2249 CVE-2023-2249 HTTP_CRL-WpForo-Wordpress-Plugin-LFI-SSRF-CVE-2023-2249 Suspected Compromise
High Roundcube-Webmail-RCE-Via-Config-Setting-CVE-2020-12641 CVE-2020-12641 HTTP_CRL-Roundcube-Webmail-ECE-Via-Config-Setting-CVE-2020-12641 Suspected Compromise
High Piwigo-CVE-2023-26876-Gather-Credentials-Via-SQL-Injection CVE-2023-26876 HTTP_CRL-Piwigo-CVE-2023-26876-Gather-Credentials-Via-SQL-Injection Suspected Disclosure
High Solarview-Compact-Command-Injection-CVE-2023-23333 CVE-2023-23333 HTTP_CRL-Solarview-Compact-Command-Injection-CVE-2023-23333 Suspected Compromise
High Dolibarr-16-Pre-Auth-Contact-Database-Dump No CVE/CAN HTTP_CRL-Dolibarr-16-Pre-Auth-Contact-Database-Dump Suspected Disclosure
High Apache-Druid-JNDI-Injection-RCE CVE-2023-25194 HTTP_CRL-Apache-Druid-JNDI-Injection-RCE Suspected Compromise

OLE File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Siemens-Tecnomatix-Plant-Simulation-Spp-File-Parsing-Stack-Buffer-Overflow CVE-2023-27404 File-OLE_Siemens-Tecnomatix-Plant-Simulation-Spp-File-Parsing-Stack-Buffer-Overflow Suspected Compromise

Archive type identification from member names

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High Softing-Edgeaggregator-Restore-Configuration-Directory-Traversal CVE-2023-38126 File-Member-Name_Softing-Edgeaggregator-Restore-Configuration-Directory-Traversal Suspected Compromise

Updated detected attacks:

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Apache-Couchdb-Erlang-RCE CVE-2022-24706 Generic_CS-Apache-Couchdb-Erlang-RCE Suspected Compromise
    Fingerprint regexp changed

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Directory-Traversal No CVE/CAN HTTP_CSU-Dot-Dot-Slash-And-Null-Byte-Sequence Attack Related Anomalies
    Detection mechanism updated
High Directory-Traversal No CVE/CAN HTTP_CSU-Potential-Dot-Dot-Slash-Directory-Traversal Potential Compromise
    Name: HTTP_CSU-Dot-Dot-Slash-Directory-Traversal->HTTP_CSU-Potential-Dot-Dot-Slash-Directory-Traversal
    Fingerprint regexp changed

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High Advantech-Iview-Configurationservlet-Column_Value-SQL-Injection CVE-2022-3323 HTTP_CRL-Advantech-Iview-Configurationservlet-Column_Value-SQL-Injection Suspected Compromise
    Description has changed
    Fingerprint regexp changed

Archive type identification from member names

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Critical Zimbra-Collaboration-Mboximport-Directory-Traversal-CVE-2022-27925 CVE-2022-27925 File-Member-Name_Zimbra-Collaboration-Mboximport-Directory-Traversal-CVE-2022-27925 Compromise
    Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type     Name
Category     Piwigo
Category     WooCommerce-Payments Plugin
Category     Softing edgeAggregator
Category     Siemens Tecnomatix Plant Simulation
Certificate Authority     BJCA Global Root CA1
Certificate Authority     BJCA Global Root CA2
Certificate Authority     Sectigo Public Server Authentication Root E46
Certificate Authority     Sectigo Public Server Authentication Root R46
Certificate Authority     SSL.com TLS RSA Root CA 2022
Certificate Authority     SSL.com TLS ECC Root CA 2022
Certificate Authority     Atos TrustedRoot Root CA ECC TLS 2021
Certificate Authority     Atos TrustedRoot Root CA RSA TLS 2021
VPN Profile     iOS Suite - iOS 14 and later

Updated objects:

Type     Name     Changes
IPList     Iraq
IPList     Saudi Arabia
IPList     Iran
IPList     Armenia
IPList     Kenya
IPList     DR Congo
IPList     Seychelles
IPList     Jordan
IPList     Lebanon
IPList     Kuwait
IPList     Qatar
IPList     Bahrain
IPList     United Arab Emirates
IPList     Israel
IPList     Turkey
IPList     Egypt
IPList     Greece
IPList     Estonia
IPList     Latvia
IPList     Lithuania
IPList     Georgia
IPList     Moldova
IPList     Finland
IPList     Ukraine
IPList     Hungary
IPList     Bulgaria
IPList     Poland
IPList     Romania
IPList     Comoros
IPList     Mauritius
IPList     Eswatini
IPList     South Africa
IPList     Pakistan
IPList     Bangladesh
IPList     India
IPList     Maldives
IPList     Nepal
IPList     Myanmar
IPList     Uzbekistan
IPList     Kazakhstan
IPList     Vietnam
IPList     Thailand
IPList     Indonesia
IPList     Laos
IPList     Taiwan
IPList     Philippines
IPList     Malaysia
IPList     China
IPList     Hong Kong
IPList     Cambodia
IPList     South Korea
IPList     Japan
IPList     North Korea
IPList     Singapore
IPList     Timor-Leste
IPList     Russia
IPList     Australia
IPList     New Zealand
IPList     Senegal
IPList     Portugal
IPList     Ghana
IPList     Nigeria
IPList     Burkina Faso
IPList     Togo
IPList     Guinea-Bissau
IPList     Mauritania
IPList     Benin
IPList     Sierra Leone
IPList     São Tomé and Príncipe
IPList     Gibraltar
IPList     Gambia
IPList     Spain
IPList     Malta
IPList     Algeria
IPList     Denmark
IPList     United Kingdom
IPList     Switzerland
IPList     Sweden
IPList     Netherlands
IPList     Austria
IPList     Belgium
IPList     Germany
IPList     Luxembourg
IPList     Ireland
IPList     France
IPList     Andorra
IPList     Jersey
IPList     Isle of Man
IPList     Slovakia
IPList     Czechia
IPList     Norway
IPList     Italy
IPList     Slovenia
IPList     Montenegro
IPList     Croatia
IPList     Bosnia and Herzegovina
IPList     Angola
IPList     Barbados
IPList     Cabo Verde
IPList     French Guiana
IPList     Saint Pierre and Miquelon
IPList     Paraguay
IPList     Uruguay
IPList     Brazil
IPList     Falkland Islands
IPList     Dominican Republic
IPList     St Vincent and Grenadines
IPList     Grenada
IPList     Belize
IPList     Guatemala
IPList     Honduras
IPList     Costa Rica
IPList     Venezuela
IPList     Ecuador
IPList     Colombia
IPList     Panama
IPList     Argentina
IPList     Chile
IPList     Bolivia
IPList     Peru
IPList     Mexico
IPList     Northern Mariana Islands
IPList     Guam
IPList     Puerto Rico
IPList     U.S. Virgin Islands
IPList     American Samoa
IPList     Canada
IPList     United States
IPList     Palestine
IPList     Serbia
IPList     Antarctica
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Amazon EC2
IPList     Facebook Servers
IPList     TOR relay nodes IP Address List
IPList     Amazon AMAZON ap-northeast-1
IPList     Amazon EC2 ap-northeast-1
IPList     Amazon AMAZON ap-northeast-2
IPList     Amazon EC2 ap-northeast-2
IPList     Amazon AMAZON ap-northeast-3
IPList     Amazon EC2 ap-northeast-3
IPList     Botnet IP Address List
IPList     Malicious Site IP Address List
IPList     Amazon AMAZON ap-south-1
IPList     Amazon EC2 ap-south-1
IPList     Amazon AMAZON ap-southeast-1
IPList     Amazon EC2 ap-southeast-1
IPList     NordVPN Servers IP Address List
IPList     Amazon AMAZON ap-southeast-2
IPList     Amazon EC2 ap-southeast-2
IPList     Amazon AMAZON ca-central-1
IPList     Amazon EC2 ca-central-1
IPList     Amazon AMAZON eu-central-1
IPList     Amazon EC2 eu-central-1
IPList     Amazon AMAZON eu-north-1
IPList     Amazon EC2 eu-north-1
IPList     Amazon AMAZON eu-west-1
IPList     Amazon EC2 eu-west-1
IPList     Amazon AMAZON eu-west-2
IPList     Amazon EC2 eu-west-2
IPList     Amazon AMAZON eu-west-3
IPList     Amazon EC2 eu-west-3
IPList     Amazon AMAZON sa-east-1
IPList     Amazon EC2 sa-east-1
IPList     Amazon AMAZON us-east-1
IPList     Amazon EC2 us-east-1
IPList     Amazon AMAZON us-east-2
IPList     Amazon EC2 us-east-2
IPList     Amazon AMAZON us-west-1
IPList     Amazon EC2 us-west-1
IPList     Amazon AMAZON us-west-2
IPList     Amazon EC2 us-west-2
Situation     HTTP_CSU-Shared-Variables
Situation     HTTP_CSH-Shared-Variables
    Fingerprint regexp changed
Situation     HTTP_CSU-Dot-Dot-Slash-Directory-Traversal
    Name: HTTP_CSU-Potential-Dot-Dot-Slash-Directory-Traversal->HTTP_CSU-Dot-Dot-Slash-Directory-Traversal
    Severity: 2->7
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Any Software removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag application_not_specific Any Software not specific removed
    Category tag situation Possibly Unwanted Content removed
    Category tag group TCP Client Traffic removed
    Fingerprint regexp changed
Situation     File-OLE_Shared-Variables
    Fingerprint regexp changed
Situation     File-Member-Name_Directory-Traversal-In-File-Name
    Fingerprint regexp changed
Situation     File-Name_Shared-Variables
VPN Profile     iOS Suite - legacy

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
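The checksum comparison in step 1, written out as an added shell example (this is not part of Forcepoint's release notes or tooling). The expected digests are the three values published at the top of this page; the script assumes GNU coreutils `md5sum`/`sha1sum`/`sha256sum` and falls back to `md5`/`shasum` where those are absent (as on macOS). The download path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not Forcepoint's code): verify a downloaded dynamic update
# package against the digests published in the release notes before importing
# it. A mismatch means the download is truncated, corrupted, or not the file
# Forcepoint published, and it must not be imported.

# Published values for update package 1625-5242 (copied from the release notes).
EXPECTED_MD5="3330adda2f5874d28dc5441d129592de"
EXPECTED_SHA1="3269d8f51b70aab8817af0bee577169dc87f3b0f"
EXPECTED_SHA256="3402c375c616a93e63a33e8e009b154490a803ef9a825189cb3754a510fa250e"

# digest_of ALGO FILE -> prints the hex digest, using whichever tool is
# installed (GNU coreutils on Linux, md5/shasum on macOS).
digest_of() {
    algo="$1"; file="$2"
    case "$algo" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$file" | awk '{print $1}'
            else md5 -q "$file"; fi ;;
        sha1)
            if command -v sha1sum >/dev/null 2>&1; then sha1sum "$file" | awk '{print $1}'
            else shasum -a 1 "$file" | awk '{print $1}'; fi ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum "$file" | awk '{print $1}'
            else shasum -a 256 "$file" | awk '{print $1}'; fi ;;
        *) echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
}

# verify_digest ALGO FILE EXPECTED -> returns 0 when the computed digest
# equals EXPECTED, 1 on a mismatch, 2 when the digest could not be computed.
verify_digest() {
    algo="$1"; file="$2"; expected="$3"
    actual="$(digest_of "$algo" "$file")" || return 2
    # Compare case-insensitively so a copy-pasted uppercase digest still matches.
    actual="$(printf '%s' "$actual" | tr 'A-Z' 'a-z')"
    expected="$(printf '%s' "$expected" | tr 'A-Z' 'a-z')"
    if [ "$actual" = "$expected" ]; then
        printf '%s OK\n' "$algo"
        return 0
    fi
    printf '%s MISMATCH: expected %s, got %s\n' "$algo" "$expected" "$actual" >&2
    return 1
}

# verify_package FILE -> checks all three published digests and stops at the
# first mismatch, so the package is only imported when every digest agrees.
verify_package() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    verify_digest md5    "$file" "$EXPECTED_MD5"    &&
    verify_digest sha1   "$file" "$EXPECTED_SHA1"   &&
    verify_digest sha256 "$file" "$EXPECTED_SHA256"
}

# Usage (the path is a placeholder, not a real package name):
#   verify_package ./UPDATE_PACKAGE_FILE && echo "safe to import"
```

Checking all three digests rather than only MD5 matters because MD5 and SHA-1 are no longer collision-resistant; the SHA-256 value is the one that actually binds the download to the published package, and the other two are kept only because the release notes publish them.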

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.