Release notes for update package 1626-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:	Thursday August 31, 2023
MD5 CHECKSUM:	230d14cff8c73361f3321fef2030421b
SHA1 CHECKSUM:	84bbb5c198be96525a7fdb264d92d9bfc55c941f
SHA256 CHECKSUM:	e33f63a07d908ef3d0c31914ab730d603ec3f571712fcbb677d419439cd8d970

UPDATE CRITICALITY: HIGH

MINIMUM SOFTWARE VERSIONS

- Forcepoint NGFW Security Management Center:	6.5.1.10631
- Forcepoint NGFW:	6.5.1.21108

List of detected attacks in this update package:

Risk level	Description	Reference	Vulnerability
High	An attempt to exploit a vulnerability in TerraMaster TOS detected	CVE-2021-45839	TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45839
High	An attempt to exploit a vulnerability in RudderStack detected	CVE-2023-30625	Rudder-Server-SQLi-Remote-Code-Execution
High	An attempt to exploit a vulnerability TerraMaster TOS detected	CVE-2021-45837	TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45837
High	An attempt to exploit a vulnerability in Dasan GPON routers detected	CVE-2018-10561	Dasan-GPON-Routers-Authentication-Bypass-CVE-2018-10561
High	An attempt to exploit a vulnerability TerraMaster TOS detected	CVE-2021-45841	TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45841
High	An attempt to exploit a vulnerability in Ivanti Avalanche detected	CVE-2023-32562	Ivanti-Avalanche-Filestoreconfig-CVE-2023-32562-Arbitrary-File-Upload
High	An attempt to exploit a vulnerability in Ivanti MobileIron Sentry detected	CVE-2023-38035	Ivanti-MobileIron-Sentry-Authentication-Bypass-CVE-2023-38035
High	An attempt to exploit a vulnerability in Microsoft Outlook detected	CVE-2023-29325	Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325

Jump to: Detected Attacks Other Changes

DETECTED ATTACKS

New detected attacks:

HTTP Request URI

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45839	CVE-2021-45839	HTTP_CSU-TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45839	Suspected Disclosure

HTTP Normalized Request-Line

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	Rudder-Server-SQLi-Remote-Code-Execution	CVE-2023-30625	HTTP_CRL-Rudder-Server-SQLi-Remote-Code-Execution	Suspected Compromise
High	TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45837	CVE-2021-45837	HTTP_CRL-TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45837	Suspected Disclosure
High	Dasan-GPON-Routers-Authentication-Bypass-CVE-2018-10561	CVE-2018-10561	HTTP_CRL-Dasan-GPON-Routers-Authentication-Bypass-CVE-2018-10561	Suspected Compromise
High	TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45841	CVE-2021-45841	HTTP_CRL-TerraMaster-Unauthenticated-RCE-Chain-CVE-2021-45841	Suspected Disclosure
High	Ivanti-Avalanche-Filestoreconfig-CVE-2023-32562-Arbitrary-File-Upload	CVE-2023-32562	HTTP_CRL-Ivanti-Avalanche-Filestoreconfig-CVE-2023-32562-Arbitrary-File-Upload	Suspected Compromise
High	Ivanti-MobileIron-Sentry-Authentication-Bypass-CVE-2023-38035	CVE-2023-38035	HTTP_CRL-Ivanti-MobileIron-Sentry-Authentication-Bypass-CVE-2023-38035	Potential Compromise

OLE File Stream

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325	CVE-2023-29325	File-OLE_Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325	Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

Contec-Conprossys-HMI-System-Chkformula-Command-Injection

CVE-2022-44456

HTTP_CS-Contec-Conprossys-HMI-System-Chkformula-Command-Injection

Suspected Compromise

Fingerprint regexp changed

HTTP Request URI

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

TerraMaster_TOS_Remote_Code_Execution_CVE-2020-28188

CVE-2020-28188

HTTP_CSU-TerraMaster_TOS_Remote_Code_Execution_CVE-2020-28188

Suspected Compromise

Description has changed

High

SonicWall-Gms-And-Analytics-Detectinjection-SQL-Injection

CVE-2023-34133

HTTP_CSU-SonicWall-Gms-And-Analytics-Detectinjection-Potential-SQL-Injection

Potential Compromise

Fingerprint regexp changed

MSRPC Client Payload Stream

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

Windows-Smbexec-Service-Create-Start-Command-Execution

No CVE/CAN

MSRPC-TCP_CPS-Windows-Smbexec-Service-Create-Start-Command-Execution

Suspected Compromise

Description has changed

Other Binary File Stream

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

Inductive-Automation-Ignition-Servermessage-Insecure-Deserialization

CVE-2022-35870

File-Binary_Inductive-Automation-Ignition-Servermessage-Insecure-Deserialization

Suspected Compromise

Description has changed

High

Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325

CVE-2023-29325

File-Binary_Windows-OLE-Remote-Code-Execution-Vulnerability-CVE-2023-29325

Suspected Compromise

Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type	Name
Category	Ivanti MobileIron Sentry
Category	RudderStack
IPList	Amazon S3 ap-southeast-5

Updated objects:

Type

Name

Changes

IPList

Somalia

IPList

Yemen

IPList

Iraq

IPList

Saudi Arabia

IPList

Iran

IPList

Cyprus

IPList

Tanzania

IPList

Kenya

IPList

Seychelles

IPList

Kuwait

IPList

Qatar

IPList

Bahrain

IPList

United Arab Emirates

IPList

Israel

IPList

Turkey

IPList

Egypt

IPList

Sudan

IPList

Greece

IPList

Estonia

IPList

Latvia

IPList

Azerbaijan

IPList

Lithuania

IPList

Moldova

IPList

Finland

IPList

Ukraine

IPList

Hungary

IPList

Bulgaria

IPList

Albania

IPList

Poland

IPList

Romania

IPList

Kosovo

IPList

Malawi

IPList

South Africa

IPList

Mozambique

IPList

Afghanistan

IPList

Pakistan

IPList

Bangladesh

IPList

India

IPList

Nepal

IPList

Uzbekistan

IPList

Kazakhstan

IPList

Vietnam

IPList

Thailand

IPList

Indonesia

IPList

Taiwan

IPList

Philippines

IPList

Malaysia

IPList

China

IPList

Hong Kong

IPList

Macao

IPList

South Korea

IPList

Japan

IPList

Singapore

IPList

Russia

IPList

Mongolia

IPList

Australia

IPList

Christmas Island

IPList

Papua New Guinea

IPList

Norfolk Island

IPList

New Zealand

IPList

Ghana

IPList

Nigeria

IPList

Burkina Faso

IPList

Sierra Leone

IPList

Mali

IPList

Spain

IPList

Faroe Islands

IPList

Denmark

IPList

Iceland

IPList

United Kingdom

IPList

Switzerland

IPList

Sweden

IPList

Netherlands

IPList

Austria

IPList

Belgium

IPList

Germany

IPList

Luxembourg

IPList

Ireland

IPList

France

IPList

Slovakia

IPList

Czechia

IPList

Norway

IPList

San Marino

IPList

Italy

IPList

Croatia

IPList

Greenland

IPList

Paraguay

IPList

Brazil

IPList

Bermuda

IPList

Aruba

IPList

Guatemala

IPList

Costa Rica

IPList

Venezuela

IPList

Ecuador

IPList

Colombia

IPList

Panama

IPList

Argentina

IPList

Chile

IPList

Peru

IPList

Mexico

IPList

Guam

IPList

U.S. Virgin Islands

IPList

Canada

IPList

United States

IPList

Palestine

IPList

Serbia

IPList

Antarctica

IPList

TOR exit nodes IP Address List

IPList

Amazon AMAZON

IPList

Amazon S3

IPList

Amazon EC2

IPList

TOR relay nodes IP Address List

IPList

Microsoft Office 365 Skype for Business Online and Microsoft Teams

IPList

Microsoft Azure datacenter

IPList

Amazon AMAZON ap-northeast-2

IPList

Amazon S3 ap-northeast-2

IPList

Amazon EC2 ap-northeast-2

IPList

Botnet IP Address List

IPList

Malicious Site IP Address List

IPList

Amazon AMAZON ap-southeast-1

IPList

NordVPN Servers IP Address List

IPList

Amazon AMAZON eu-central-1

IPList

Amazon AMAZON ap-southeast-5

IPList

Amazon AMAZON eu-west-1

IPList

Amazon AMAZON eu-west-3

IPList

Amazon S3 eu-west-3

IPList

Amazon EC2 eu-west-3

IPList

Amazon AMAZON us-east-1

IPList

Amazon EC2 us-east-1

IPList

Amazon AMAZON us-west-1

IPList

Amazon S3 us-west-1

IPList

Amazon EC2 us-west-1

IPList

Amazon AMAZON us-west-2

IPList

Amazon EC2 us-west-2

Situation

File-OLE_Shared-Variables

Fingerprint regexp changed

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
In the Management Client, select Menu > File > Import > Import Update Packages.
Browse to the file, select it, then click Import.
Select Configuration, then browse to Administration > Other Elements > Updates.
Right-click the imported dynamic update package, then select Activate.
When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.