Release notes for update package 1640-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday October 12, 2023
MD5 CHECKSUM:    1f3df6b17cb3b83884a7d551a2bfaef4
SHA1 CHECKSUM:    7d3a5d6c047f09800a3856ad26eec794ba044900
SHA256 CHECKSUM:    52d802141f422ee4a9d7b8d83027ef860ea9a53356dd7db566c73bf34bbcd5f0

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.5.1.21108

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in Confluence Data Center and Server detected | CVE-2023-22515 | Confluence-Access-Control-Vulnerability-CVE-2023-22515
High | A possible attempt to exploit a vulnerability in Confluence Data Center and Server detected | CVE-2023-22515 | Confluence-Access-Control-Vulnerability-CVE-2023-22515
Low | A POST request to Confluence Setupadministrator.action detected | CVE-2023-22515 | Confluence-Access-Control-Vulnerability-CVE-2023-22515


DETECTED ATTACKS

New detected attacks:

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Confluence-Access-Control-Vulnerability-CVE-2023-22515 | CVE-2023-22515 | HTTP_CSU-Confluence-Access-Control-Vulnerability-CVE-2023-22515 | Suspected Compromise
Low | Confluence-Access-Control-Vulnerability-CVE-2023-22515 | CVE-2023-22515 | HTTP_CSU-Confluence-Setupadministrator.action-Endpoint-Access | Other Suspicious Traffic
High | Confluence-Access-Control-Vulnerability-CVE-2023-22515 | CVE-2023-22515 | HTTP_CSU-Confluence-Access-Control-Vulnerability-CVE-2023-22515-2 | Potential Compromise

Updated detected attacks:

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description (on the following lines)
Critical HTTP-Apache-Backslash-Directory-Traversal CVE-2002-0661 HTTP_CSU-Apache-Backslash-Directory-Traversal Compromise
Severity: 7->10
Category tag situation Compromise added
Category tag situation Suspected Compromise removed
Fingerprint regexp changed
High Microsoft-Remote-Desktop-Insecure-Library-Loading-CVE-2011-0029 CVE-2011-0029 HTTP_CSU-Insecure-Microsoft-Library-Loading Suspected Compromise
Description has changed
High HP-Intelligent-Management-Center-Reporting-Information-Disclosure No CVE/CAN HTTP_CSU-HP-IMC-Uam-Acmservletdownload-Information-Disclosure Suspected Compromise
Description has changed
Category tag group CVE2014 added
Fingerprint regexp changed
High HP-Network-Virtualization-Storedntxfile-Directory-Traversal CVE-2014-2625 HTTP_CSU-HP-Network-Virtualization-Storedntxfile-Directory-Traversal Suspected Compromise
Fingerprint regexp changed
High Beck-Gmdg-IPC@CHIP-Configuration-File-Disclosure CVE-2001-0749 HTTP_CSU-Beck-Gmbh-IPC@CHIP-Conf-File-Discosure Suspected Disclosure
Description has changed
High Oracle-Demantra-Demand-Management-Information-Leak CVE-2013-5795 HTTP_CSU-Oracle-Demantra-Demand-Management-Information-Leak Suspected Compromise
Description has changed
Fingerprint regexp changed
High MoinMoin-Remote-Code-Execution CVE-2012-6081 HTTP_CSU_MoinMoin-Remote-Code-Execution Potential Compromise
Fingerprint regexp changed
High ElasticSearch-File-Discosure CVE-2015-5531 HTTP_CSU-ElasticSearch-File-Discosure Suspected Disclosure
Severity: 2->7
Category tag situation Suspected Disclosure added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Potential Disclosure removed
Fingerprint regexp changed
High Google-Document-Embedder-Plugin-File-Disclosure CVE-2012-4915 HTTP_CSU-Google-Document-Embedder-Plugin-File-Disclosure Suspected Disclosure
Severity: 2->7
Category tag situation Suspected Disclosure added
Category tag group HTTP Correlation Dependency Group added
Category tag group TCP Correlation Dependency Group added
Category tag group Severity over 4 Correlation Dependency Group added
Category tag situation Potential Disclosure removed
Fingerprint regexp changed
High HPE-Network-Automation-Permissionfilter-Authentication-Bypass CVE-2017-5812 HTTP_CSU-HPE-Network-Automation-Permissionfilter-Authentication-Bypass Suspected Compromise
Fingerprint regexp changed
High HPE-Network-Automation-SQL-Injection-Remote-Code-Execution CVE-2017-5810 HTTP_CSU-HPE-Network-Automation-SQL-Injection-Remote-Code-Execution Suspected Compromise
Fingerprint regexp changed
High NetGear-R7000-And-R6400-Cgi-Bin-Command-Injection CVE-2016-6277 HTTP_CSU-Cgi-Bin-Command-Injection Suspected Compromise
Name: HTTP_CSU-NetGear-R7000-And-R6400-Cgi-Bin-Command-Injection->HTTP_CSU-Cgi-Bin-Command-Injection
Comment has changed
Description has changed
Fingerprint regexp changed
High Embedthis-GoAhead-Web-Server-Cgi-Remote-Code-Execution CVE-2017-17562 HTTP_URI-Embedthis-GoAhead-Web-Server-Cgi-Remote-Code-Execution Suspected Compromise
Description has changed
Category tag group CVE2018 added
Fingerprint regexp changed
Low IIS-Iisadmpwd-DoS CVE-2000-0304 HTTP_CSU-IIS-Htr-File-Fragment-Disclosure Potential Disclosure
Description has changed

LIST OF OTHER CHANGES:

Updated objects:

Type | Name | Changes (on the following lines)
IPList | TOR exit nodes IP Address List
IPList | TOR relay nodes IP Address List
IPList | Botnet IP Address List
IPList | Malicious Site IP Address List
Situation | HTTP_CSU-Soda-PDF-Insecure-Library-Loading
Description has changed
Attacker: connection_destination->none
Victim: connection_source->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application LULU Software Soda PDF removed
Category tag group CVE2013 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Suspected Compromise removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group HTTP URI Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-HP-Intelligent-Management-Center-BIMS-Uploadservlet-Information-Disclosure
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application HP IMC Branch Intelligent Management System Software Module removed
Category tag group CVE2014 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Suspected Compromise removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group HTTP URI Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Beck-Gmdg-IPC@CHIP-Configuration-File-Disclosure
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Beck GmbH IPC@CHIP removed
Category tag group CVE2001 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Suspected Disclosure removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-IIS-Htr-Code-Fragment-Disclosure
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware Any Hardware removed
Category tag application IIS 5.0 removed
Category tag application IIS 4.0 removed
Category tag group MS2000 removed
Category tag group CVE2000 removed
Category tag os_not_specific Windows not specific removed
Category tag situation Potential Disclosure removed
Category tag group TCP Client Traffic removed
Situation | HTTP_CSU_Oracle-Demantra-Demand-Management-File-Download
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Oracle Demantra Demand Management removed
Category tag group CVE2013 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Suspected Compromise removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group HTTP URI Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation | HTTP_CSU_DD-WRT-Arbitrary-Command-Execution
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application DD-WRT removed
Category tag group CVE2009 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Suspected Compromise removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group HTTP URI Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Dell-EMC-iDRAC-Cgi-Injection-CVE-2018-1207
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Dell EMC iDRAC removed
Category tag group CVE2018 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Suspected Compromise removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group HTTP URI Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Apache-Backslash-Directory-Traversal-Win-Ini
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware Any Hardware removed
Category tag application Apache removed
Category tag group CVE2002 removed
Category tag os_not_specific Windows not specific removed
Category tag application_not_specific Apache not specific removed
Category tag situation Disclosure removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Application | TOR

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then compute the checksums of the downloaded file and make sure that they match the values listed at the top of these release notes. Treat the SHA256 checksum as the authoritative one; do not import a package whose SHA256 checksum differs.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
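The checksum comparison in step 1 is easy to skip or to do by eye. The following POSIX shell script is an added example, not a Forcepoint tool, that verifies a downloaded package against the three checksums published on this page and refuses it on any mismatch. The expected digests are the ones listed above; the package file name in the usage line is an assumption, and the `digest` helper falls back from the coreutils `*sum` tools to `openssl dgst` so it runs on Linux and BSD/macOS hosts alike.

```shell
#!/bin/sh
# Added example (not Forcepoint's own tooling): verify a downloaded dynamic
# update package against the checksums published in the release notes.
# The expected values are copied from the top of this page.

EXPECTED_MD5=1f3df6b17cb3b83884a7d551a2bfaef4
EXPECTED_SHA1=7d3a5d6c047f09800a3856ad26eec794ba044900
EXPECTED_SHA256=52d802141f422ee4a9d7b8d83027ef860ea9a53356dd7db566c73bf34bbcd5f0

# digest ALG FILE: print the hex digest of FILE using ALG (md5, sha1, sha256).
# Prefers the coreutils md5sum/sha1sum/sha256sum tools, falls back to openssl.
digest() {
    d_alg=$1; d_file=$2
    if command -v "${d_alg}sum" >/dev/null 2>&1; then
        "${d_alg}sum" "$d_file" | awk '{print $1}'
    else
        openssl dgst -"$d_alg" -r "$d_file" | awk '{print $1}'
    fi
}

# verify_package FILE EXPECTED_SHA256 [EXPECTED_SHA1] [EXPECTED_MD5]
# Returns 0 only if every supplied digest matches, 1 on a mismatch,
# 2 if the file does not exist. SHA-256 is the decision-making value;
# MD5 and SHA-1 are collision-prone and are only cross-checked against
# the published values when they are supplied.
verify_package() {
    v_file=$1; want256=$2; want1=${3:-}; wantmd5=${4:-}
    [ -f "$v_file" ] || { echo "missing file: $v_file" >&2; return 2; }
    have256=$(digest sha256 "$v_file")
    if [ "$have256" != "$want256" ]; then
        echo "SHA256 MISMATCH for $v_file: got $have256, expected $want256" >&2
        return 1
    fi
    if [ -n "$want1" ] && [ "$(digest sha1 "$v_file")" != "$want1" ]; then
        echo "SHA1 mismatch for $v_file" >&2
        return 1
    fi
    if [ -n "$wantmd5" ] && [ "$(digest md5 "$v_file")" != "$wantmd5" ]; then
        echo "MD5 mismatch for $v_file" >&2
        return 1
    fi
    echo "checksums OK: $v_file"
    return 0
}

# Usage for the real package (the file name is an assumption, adjust as needed):
# verify_package sgpkg-ips-1640-5242.jar "$EXPECTED_SHA256" "$EXPECTED_SHA1" "$EXPECTED_MD5"
```

Run the usage line after the download and only proceed to step 2 when it prints `checksums OK`. Comparing the downloaded file's SHA256 digest against the published value is what actually guards against a corrupted or substituted package; the MD5 and SHA1 comparisons are kept because the release notes publish them, not because they add assurance on their own.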

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.