Release notes for update package 1626-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday August 31, 2023
MD5 CHECKSUM:    230d14cff8c73361f3321fef2030421b
SHA1 CHECKSUM:    84bbb5c198be96525a7fdb264d92d9bfc55c941f
SHA256 CHECKSUM:    e33f63a07d908ef3d0c31914ab730d603ec3f571712fcbb677d419439cd8d970

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.5.1.21108

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in TerraMaster TOS detected | CVE-2021-45839 | TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45839
High | An attempt to exploit a vulnerability in RudderStack detected | CVE-2023-30625 | Rudder-Server-SQLi-Remote-Code-Execution
High | An attempt to exploit a vulnerability in TerraMaster TOS detected | CVE-2021-45837 | TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45837
High | An attempt to exploit a vulnerability in Dasan GPON routers detected | CVE-2018-10561 | Dasan-GPON-Routers-Authentication-Bypass-CVE-2018-10561
High | An attempt to exploit a vulnerability in TerraMaster TOS detected | CVE-2021-45841 | TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45841
High | An attempt to exploit a vulnerability in Ivanti Avalanche detected | CVE-2023-32562 | Ivanti-Avalanche-Filestoreconfig-CVE-2023-32562-Arbitrary-File-Upload
High | An attempt to exploit a vulnerability in Ivanti MobileIron Sentry detected | CVE-2023-38035 | Ivanti-MobileIron-Sentry-Authentication-Bypass-CVE-2023-38035
High | An attempt to exploit a vulnerability in Microsoft Outlook detected | CVE-2023-29325 | Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325


DETECTED ATTACKS

New detected attacks:

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45839 | CVE-2021-45839 | HTTP_CSU-TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45839 | Suspected Disclosure

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Rudder-Server-SQLi-Remote-Code-Execution | CVE-2023-30625 | HTTP_CRL-Rudder-Server-SQLi-Remote-Code-Execution | Suspected Compromise
High | TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45837 | CVE-2021-45837 | HTTP_CRL-TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45837 | Suspected Disclosure
High | Dasan-GPON-Routers-Authentication-Bypass-CVE-2018-10561 | CVE-2018-10561 | HTTP_CRL-Dasan-GPON-Routers-Authentication-Bypass-CVE-2018-10561 | Suspected Compromise
High | TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45841 | CVE-2021-45841 | HTTP_CRL-TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45841 | Suspected Disclosure
High | Ivanti-Avalanche-Filestoreconfig-CVE-2023-32562-Arbitrary-File-Upload | CVE-2023-32562 | HTTP_CRL-Ivanti-Avalanche-Filestoreconfig-CVE-2023-32562-Arbitrary-File-Upload | Suspected Compromise
High | Ivanti-MobileIron-Sentry-Authentication-Bypass-CVE-2023-38035 | CVE-2023-38035 | HTTP_CRL-Ivanti-MobileIron-Sentry-Authentication-Bypass-CVE-2023-38035 | Potential Compromise

OLE File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325 | CVE-2023-29325 | File-OLE_Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325 | Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Contec-Conprossys-HMI-System-Chkformula-Command-Injection | CVE-2022-44456 | HTTP_CS-Contec-Conprossys-HMI-System-Chkformula-Command-Injection | Suspected Compromise | Fingerprint regexp changed

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | TerraMaster_TOS_Remote_Code_Execution_CVE-2020-28188 | CVE-2020-28188 | HTTP_CSU-TerraMaster_TOS_Remote_Code_Execution_CVE-2020-28188 | Suspected Compromise | Description has changed
High | SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection | CVE-2023-34133 | HTTP_CSU-SonicWall-Gms-And-Analytics-Detectinjection-Potential-SQL-Injection | Potential Compromise | Fingerprint regexp changed

MSRPC Client Payload Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Windows-Smbexec-Service-Create-Start-Command-Execution | No CVE/CAN | MSRPC-TCP_CPS-Windows-Smbexec-Service-Create-Start-Command-Execution | Suspected Compromise | Description has changed

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Inductive-Automation-Ignition-Servermessage-Insecure-Deserialization | CVE-2022-35870 | File-Binary_Inductive-Automation-Ignition-Servermessage-Insecure-Deserialization | Suspected Compromise | Description has changed
High | Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325 | CVE-2023-29325 | File-Binary_Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325 | Suspected Compromise | Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Ivanti MobileIron Sentry
Category | RudderStack
IPList | Amazon S3 ap-southeast-5

Updated objects:

Type | Name | Changes
IPList | Somalia
IPList | Yemen
IPList | Iraq
IPList | Saudi Arabia
IPList | Iran
IPList | Cyprus
IPList | Tanzania
IPList | Kenya
IPList | Seychelles
IPList | Kuwait
IPList | Qatar
IPList | Bahrain
IPList | United Arab Emirates
IPList | Israel
IPList | Turkey
IPList | Egypt
IPList | Sudan
IPList | Greece
IPList | Estonia
IPList | Latvia
IPList | Azerbaijan
IPList | Lithuania
IPList | Moldova
IPList | Finland
IPList | Ukraine
IPList | Hungary
IPList | Bulgaria
IPList | Albania
IPList | Poland
IPList | Romania
IPList | Kosovo
IPList | Malawi
IPList | South Africa
IPList | Mozambique
IPList | Afghanistan
IPList | Pakistan
IPList | Bangladesh
IPList | India
IPList | Nepal
IPList | Uzbekistan
IPList | Kazakhstan
IPList | Vietnam
IPList | Thailand
IPList | Indonesia
IPList | Taiwan
IPList | Philippines
IPList | Malaysia
IPList | China
IPList | Hong Kong
IPList | Macao
IPList | South Korea
IPList | Japan
IPList | Singapore
IPList | Russia
IPList | Mongolia
IPList | Australia
IPList | Christmas Island
IPList | Papua New Guinea
IPList | Norfolk Island
IPList | New Zealand
IPList | Ghana
IPList | Nigeria
IPList | Burkina Faso
IPList | Sierra Leone
IPList | Mali
IPList | Spain
IPList | Faroe Islands
IPList | Denmark
IPList | Iceland
IPList | United Kingdom
IPList | Switzerland
IPList | Sweden
IPList | Netherlands
IPList | Austria
IPList | Belgium
IPList | Germany
IPList | Luxembourg
IPList | Ireland
IPList | France
IPList | Slovakia
IPList | Czechia
IPList | Norway
IPList | San Marino
IPList | Italy
IPList | Croatia
IPList | Greenland
IPList | Paraguay
IPList | Brazil
IPList | Bermuda
IPList | Aruba
IPList | Guatemala
IPList | Costa Rica
IPList | Venezuela
IPList | Ecuador
IPList | Colombia
IPList | Panama
IPList | Argentina
IPList | Chile
IPList | Peru
IPList | Mexico
IPList | Guam
IPList | U.S. Virgin Islands
IPList | Canada
IPList | United States
IPList | Palestine
IPList | Serbia
IPList | Antarctica
IPList | TOR exit nodes IP Address List
IPList | Amazon AMAZON
IPList | Amazon S3
IPList | Amazon EC2
IPList | TOR relay nodes IP Address List
IPList | Microsoft Office 365 Skype for Business Online and Microsoft Teams
IPList | Microsoft Azure datacenter
IPList | Amazon AMAZON ap-northeast-2
IPList | Amazon S3 ap-northeast-2
IPList | Amazon EC2 ap-northeast-2
IPList | Botnet IP Address List
IPList | Malicious Site IP Address List
IPList | Amazon AMAZON ap-southeast-1
IPList | NordVPN Servers IP Address List
IPList | Amazon AMAZON eu-central-1
IPList | Amazon AMAZON ap-southeast-5
IPList | Amazon AMAZON eu-west-1
IPList | Amazon AMAZON eu-west-3
IPList | Amazon S3 eu-west-3
IPList | Amazon EC2 eu-west-3
IPList | Amazon AMAZON us-east-1
IPList | Amazon EC2 us-east-1
IPList | Amazon AMAZON us-west-1
IPList | Amazon S3 us-west-1
IPList | Amazon EC2 us-west-1
IPList | Amazon AMAZON us-west-2
IPList | Amazon EC2 us-west-2
Situation | File-OLE_Shared-Variables | Fingerprint regexp changed

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
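A shell check for step 1, added here as an example and not part of Forcepoint's release notes: it compares a downloaded file against the three checksums listed above for package 1626-5242 and rejects the file on any mismatch (the download path is an assumption).

```shell
#!/bin/sh
# Added example, not part of the Forcepoint release notes: verify a downloaded
# dynamic update package against the checksums listed for package 1626-5242,
# as step 1 of the import procedure requires.

# Expected digests, copied from the release notes above.
EXPECTED_MD5=230d14cff8c73361f3321fef2030421b
EXPECTED_SHA1=84bbb5c198be96525a7fdb264d92d9bfc55c941f
EXPECTED_SHA256=e33f63a07d908ef3d0c31914ab730d603ec3f571712fcbb677d419439cd8d970

# verify_digest FILE ALGO EXPECTED
# ALGO is md5, sha1 or sha256. Returns 0 on match, 1 on mismatch and 2 when
# the file is unreadable or the hashing tool is missing. Hex case is ignored.
verify_digest() {
    file=$1; algo=$2; expected=$3
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case $algo in
        md5)    actual=$(md5sum "$file" 2>/dev/null | awk '{print $1}') ;;
        sha1)   actual=$(sha1sum "$file" 2>/dev/null | awk '{print $1}') ;;
        sha256) actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}') ;;
        *)      echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    [ -n "$actual" ] || { echo "${algo}sum not available" >&2; return 2; }
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "$algo OK"
        return 0
    fi
    echo "$algo MISMATCH: expected $expected, got $actual" >&2
    return 1
}

# verify_package FILE: all three digests must match; stops at the first
# failure so a tampered or truncated download is rejected before import.
verify_package() {
    verify_digest "$1" sha256 "$EXPECTED_SHA256" &&
    verify_digest "$1" sha1   "$EXPECTED_SHA1"   &&
    verify_digest "$1" md5    "$EXPECTED_MD5"
}

# Run against the path given on the command line (assumed download location).
if [ $# -ge 1 ]; then
    verify_package "$1"
fi
```

Only import the package into the Management Client when all three digests report OK.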

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.