Release notes for update package 1641-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday October 16, 2023
MD5 CHECKSUM:    99c749ee0f10bbca7b7e64af547d619c
SHA1 CHECKSUM:    6272bdb669a4c53bb0c5ffcfbe7530ca7b1d50aa
SHA256 CHECKSUM:    1956b95e08ed28310eb39065faf86b5726e241f6f4e93c55a3c649c41c12a60a

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.5.1.21108

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in Netgear ProSAFE NMS300 detected | CVE-2023-38098 | NetGear-ProSafe-NMS300-Uploadservlet-Unrestricted-File-Upload
High | An attempt to exploit a vulnerability in LG Simple Editor detected | CVE-2023-40492 | LG-Simple-Editor-Deletechecksession-Directory-Traversal
High | An attempt to exploit a vulnerability in Netgear ProSAFE NMS300 detected | CVE-2023-38098 | NetGear-ProSafe-NMS300-Uploadservlet-Unrestricted-File-Upload
High | An attempt to exploit a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) detected | CVE-2023-3364 | Gitlab-Community-And-Enterprise-Edition-Autolinkfilter-Regex-Denial-Of-Service
High | An attempt to exploit a vulnerability in Apache Tomcat detected | CVE-2023-28709 | Apache-Tomcat-Maxparametercount-Denial-Of-Service
High | An attempt to exploit a vulnerability in Dolibarr ERP and CRM Suite detected | CVE-2023-38886 | Dolibarr-ERP-And-CRM-Database-Backup-Command-Injection
High | An attempt to exploit a vulnerability in Sunhillo SureLine detected | CVE-2021-36380 | Sunhillo-Sureline-Command-Injection-CVE-2021-36380
High | An attempt to exploit a vulnerability in 7-Zip detected | CVE-2023-40481 | 7-Zip-Squashfs-File-Uidtable-Parsing-Buffer-Overflow-Vulnerability


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | NetGear-ProSafe-NMS300-Uploadservlet-Unrestricted-File-Upload | CVE-2023-38098 | HTTP_CS-NetGear-ProSafe-NMS300-Uploadservlet-Unrestricted-File-Upload | Suspected Compromise
High | LG-Simple-Editor-Deletechecksession-Directory-Traversal | CVE-2023-40492 | HTTP_CS-LG-Simple-Editor-Deletechecksession-Directory-Traversal | Suspected Compromise

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | NetGear-ProSafe-NMS300-Uploadservlet-Unrestricted-File-Upload | CVE-2023-38098 | HTTP_CSU-NetGear-ProSafe-NMS300-Uploadservlet-Unrestricted-File-Upload | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Apache-Tomcat-Maxparametercount-Denial-Of-Service | CVE-2023-28709 | HTTP_CRL-Apache-Tomcat-Maxparametercount-Denial-Of-Service | Suspected Compromise
High | Dolibarr-ERP-And-CRM-Database-Backup-Command-Injection | CVE-2023-38886 | HTTP_CRL-Dolibarr-ERP-And-CRM-Database-Backup-Command-Injection | Suspected Compromise
High | Sunhillo-Sureline-Command-Injection-CVE-2021-36380 | CVE-2021-36380 | HTTP_CRL-Sunhillo-Sureline-Command-Injection-CVE-2021-36380 | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Gitlab-Community-And-Enterprise-Edition-Autolinkfilter-Regex-Denial-Of-Service | CVE-2023-3364 | File-Text_Gitlab-Community-And-Enterprise-Edition-Autolinkfilter-Regex-Denial-Of-Service | Suspected Compromise

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | 7-Zip-Squashfs-File-Uidtable-Parsing-Buffer-Overflow-Vulnerability | CVE-2023-40481 | File-Binary_7-Zip-Squashfs-File-Uidtable-Parsing-Buffer-Overflow-Vulnerability | Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Vidar-Malware-Infection-Traffic | No CVE/CAN | HTTP_CS-Vidar-Malware-Infection-Traffic | Suspected Botnet
  - Fingerprint regexp changed

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Apache-Mod-Imagemap-Module-Cross-Site-Scripting | CVE-2007-5000 | HTTP_CSU-Script-Tag-In-URI | Potential Compromise
  - Description has changed
  - Attacker: none->connection_destination
  - Victim: none->connection_source
  - Category tag group CVE2007 added
High | HP-Intelligent-Management-Center-Reporting-Information-Disclosure | No CVE/CAN | HTTP_CSU-HP-IMC-Uam-Acmservletdownload-Information-Disclosure | Suspected Compromise
  - Description has changed
  - Category tag group CVE2018 added
  - Category tag group CVE2019 added
Low | HTTP-Domino-Access | No CVE/CAN | HTTP_CSU-IBM-Domino-Access | Potential Probe
  - Detection mechanism updated
High | VBulletin-Routestring-Unauthenticated-Remote-Code-Execution | No CVE/CAN | HTTP_CSU-VBulletin-Routestring-Unauthenticated-Remote-Code-Execution | Potential Compromise
  - Fingerprint regexp changed
High | Jenkins-Plugin-Resources-Directory-Traversal | CVE-2018-6356 | HTTP_CSU-Jenkins-Plugin-Resources-Directory-Traversal | Suspected Compromise
  - Fingerprint regexp changed
High | Dell-EMC-Storage-Manager-EMConfigmigration-Servlet-Directory-Traversal | CVE-2017-14384 | HTTP_CSU-Dell-EMC-Storage-Manager-EMConfigmigration-Servlet-Directory-Traversal | Suspected Compromise
  - Fingerprint regexp changed
Critical | Pulse-Secure-SSL-VPN-Pre-Auth-Arbitrary-File-Reading | CVE-2019-11510 | HTTP_CSU-Pulse-Secure-SSL-VPN-Pre-Auth-Arbitrary-File-Reading | Compromise
  - Fingerprint regexp changed
High | Openemr-C_document.class.php-Patient_Id-Cross-Site-Scripting | CVE-2019-3963 | HTTP_CSU-Openemr-C_document.class.php-View_Action-Doc_Id-Cross-Site-Scripting | Suspected Compromise
  - Description has changed
  - Fingerprint regexp changed
High | Zoho-Manageengine-Opmanager-Fluidicv2-UI-Directory-Traversal | CVE-2020-12116 | HTTP_CSU-Zoho-Manageengine-Opmanager-Fluidicv2-UI-Directory-Traversal | Suspected Compromise
  - Description has changed
  - Fingerprint regexp changed
Low | HTTP-ColdFusion-Exprcalc-File-Disclosure | CVE-1999-0455 | HTTP_CSU-ColdFusion-Path-Information-Disclosure | Potential Disclosure
  - Description has changed
  - Category tag group CVE1999 added
High | Keysight-N6854a-And-N6841a-RF-Sensor-Directory-Traversal | CVE-2022-1661 | HTTP_CSU-Keysight-N6854a-And-N6841a-RF-Sensor-Directory-Traversal | Suspected Compromise
  - Fingerprint regexp changed
Low | Gogs-Git-Endpoints-Directory-Traversal | CVE-2022-1993 | HTTP_CSU-Gogs-Git-Endpoints-Directory-Traversal | Potential Disclosure
  - Fingerprint regexp changed
High | Ivanti-Avalanche-Smartdeviceserver-Uploadfile-Directory-Traversal | CVE-2022-36981 | HTTP_CSU-Ivanti-Avalanche-Smartdeviceserver-Uploadfile-Directory-Traversal | Suspected Compromise
  - Fingerprint regexp changed
High | D-Link-DSL-2750B-Command-Injection | CVE-2016-20017 | HTTP_CSU-D-Link-DSL-2750B-Command-Injection | Suspected Compromise
  - Fingerprint regexp changed
High | Confluence-Access-Control-Vulnerability-CVE-2023-22515 | CVE-2023-22515 | HTTP_CSU-Confluence-Access-Control-Vulnerability-CVE-2023-22515 | Suspected Compromise
  - Fingerprint regexp changed
High | HTTP-WebConnect-Wcp-User-Directory-Traversal | CVE-2004-0465 | HTTP_CSU-WebConnect-Wcp-User-Directory-Traversal | Potential Compromise
  - Fingerprint regexp changed

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Novell-Remote-Manager-Off-By-One-Denial-Of-Service | No CVE/CAN | HTTP_CSH-Novell-Remote-Manager-Off-By-One-Denial-Of-Service | Suspected Compromise
  - Fingerprint regexp changed
High | Netgate-Pfsense-Pfblockerng-Host-Command-Injection | CVE-2022-31814 | HTTP_CSH-Netgate-Pfsense-Pfblockerng-Host-Command-Injection | Suspected Compromise
  - Fingerprint regexp changed
High | SaveNow-Software | No CVE/CAN | HTTP_CSH-SaveNow-Activity | Spyware, Malware and Adware
  - Fingerprint regexp changed
High | HTTP-Apache-Host-Header-Default-Error-Page-XSS | CVE-2002-0840 | HTTP_CSH-Apache-Host-Header-Default-Error-Page-XSS | Suspected Disclosure
  - Fingerprint regexp changed
High | HTTP-Apache-Host-Header-Default-Error-Page-XSS | CVE-2002-0840 | HTTP_CSH-Script-In-Host-Header | Attack Related Anomalies
  - Fingerprint regexp changed
Low | HTTP-Novell-eDirectory-HTTP-Server-Redirection-Buffer-Overflow | CVE-2006-5478 | HTTP_CSH-Overly-Long-Host-Header-Field | Potential Compromise
  - Fingerprint regexp changed
Low | IP-Address-As-HTTP-Host | No CVE/CAN | HTTP_CSH-IP-Address-As-HTTP-Host | Protocol Information
  - Fingerprint regexp changed
High | HTTP-Apache-Portable-Runtime-Apr-Psprintf-Long-String-Vulnerability | CVE-2003-0245 | HTTP_CSH-Oversized-Host-Header-Field | Attack Related Anomalies
  - Fingerprint regexp changed
Low | UUSee-Streaming-Media | No CVE/CAN | HTTP_CSH-UUSee-Activity | Streaming Protocols
  - Fingerprint regexp changed
High | Squid-HTTP-Host-Header-Port-Handling-Denial-Of-Service | CVE-2013-4123 | HTTP_CSH-Squid-HTTP-Host-Header-Port-Handling-Denial-Of-Service | Suspected Compromise
  - Fingerprint regexp changed
High | Lighttpd-Host-Header-Mod_mysql_vhost-SQL-Injection | CVE-2014-2323 | HTTP_CSH-Lighttpd-Host-Header-Multiple-Vulnerabilities | Suspected Compromise
  - Fingerprint regexp changed
Critical | Furtims-Parent-Nullptr-Host-Field | No CVE/CAN | HTTP_CSH-Furtims-Parent-Nullptr-Host-Field | Successful Attacks
  - Fingerprint regexp changed
High | CMS-Made-Simple-Cache-Poisoning | CVE-2016-2784 | HTTP_CSH-CMS-Made-Simple-Cache-Poisoning | Suspected Compromise
  - Fingerprint regexp changed
High | Felismus-Malware | No CVE/CAN | HTTP_CSH-Felismus-Malware-Request | Botnet
  - Fingerprint regexp changed
High | Squid-Proxy-HTTP-Request-Processing-Buffer-Overflow | CVE-2020-8450 | HTTP_CRH-Squid-Proxy-HTTP-Request-Processing-Buffer-Overflow | Suspected Compromise
  - Fingerprint regexp changed
High | Solarwinds-SunBurst-Traffic | No CVE/CAN | HTTP_CSH-SunBurst-Backdoor-Traffic | Suspected Compromise
  - Fingerprint regexp changed
High | SNIProxy-New_address-Stack-Buffer-Overflow | CVE-2023-25076 | HTTP_CSH-SNIProxy-New_address-Stack-Buffer-Overflow | Suspected Compromise
  - Fingerprint regexp changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Geutebruck-Multiple-RCE-CVE-2021-335xx | CVE-2021-33543 | HTTP_CRL-Geutebruck-Multiple-RCE-CVE-2021-335xx | Suspected Compromise
  - Name: HTTP_CS-Geutebruck-Multiple-RCE-CVE-2021-335xx->HTTP_CRL-Geutebruck-Multiple-RCE-CVE-2021-335xx
  - Category tag group TCP Correlation Dependency Group removed
  - Context has changed from HTTP Client Stream to HTTP Normalized Request-Line
High | Netis-WF2419-Remote-Code-Execution-CVE-2019-19356 | CVE-2019-19356 | HTTP_CRL-Netis-WF2419-Remote-Code-Execution-CVE-2019-19356 | Suspected Compromise
  - Fingerprint regexp changed
High | Papercut-Improper-Access-Control-Vulnerability-CVE-2023-27350 | CVE-2023-27350 | HTTP_CRL-Papercut-Improper-Access-Control-Vulnerability-CVE-2023-27350 | Suspected Compromise
  - Fingerprint regexp changed
High | TP-Link-Archer-AX21-Command-Injection-CVE-2023-1389 | CVE-2023-1389 | HTTP_CRL-TP-Link-Archer-AX21-Command-Injection-CVE-2023-1389 | Suspected Compromise
  - Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Situation | HTTP_CS-No-User-Agent-Provided-In-HTTP-Headers
Situation | HTTP_PSH-Shared-Variables
Category | SureLine
IPList | Amazon MEDIA_PACKAGE_V2 ap-southeast-4

Updated objects:

Type | Name | Changes
Situation | NTLM IWA Support User-Agent
  - Application detection context content changed
Situation | HTTP_CSU-Shared-Variables
Situation | HTTP_CSU-Windows-Base64-Decode-Command-In-URI
  - Description has changed
Situation | HTTP_CSU-Responsive-Filemanager-Ajax_calls.php-Information-Disclosure
  - Description has changed
  - Attacker: connection_source->none
  - Victim: connection_destination->none
  - Category tag situation Obsolete added
  - Category tag os Any Operating System removed
  - Category tag hardware Any Hardware removed
  - Category tag application Responsive File Manager removed
  - Category tag group CVE2018 removed
  - Category tag os_not_specific Any Operating System not specific removed
  - Category tag situation Suspected Compromise removed
  - Category tag group HTTP Correlation Dependency Group removed
  - Category tag group TCP Correlation Dependency Group removed
  - Category tag group HTTP URI Correlation Dependency Group removed
  - Category tag group Severity over 4 Correlation Dependency Group removed
  - Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Openemr-Ajax_Download.php-Directory-Traversal
  - Description has changed
  - Attacker: connection_source->none
  - Victim: connection_destination->none
  - Category tag situation Obsolete added
  - Category tag os Any Operating System removed
  - Category tag hardware Any Hardware removed
  - Category tag application OpenEMR Development Team OpenEMR removed
  - Category tag group CVE2019 removed
  - Category tag os_not_specific Any Operating System not specific removed
  - Category tag situation Suspected Compromise removed
  - Category tag group HTTP Correlation Dependency Group removed
  - Category tag group TCP Correlation Dependency Group removed
  - Category tag group HTTP URI Correlation Dependency Group removed
  - Category tag group Severity over 4 Correlation Dependency Group removed
  - Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Openemr-C_document.class.php-Patient_Id-Cross-Site-Scripting
  - Description has changed
  - Attacker: connection_destination->none
  - Victim: connection_source->none
  - Category tag situation Obsolete added
  - Category tag os Any Operating System removed
  - Category tag hardware Any Hardware removed
  - Category tag application OpenEMR Development Team OpenEMR removed
  - Category tag group CVE2019 removed
  - Category tag os_not_specific Any Operating System not specific removed
  - Category tag situation Suspected Compromise removed
  - Category tag group HTTP Correlation Dependency Group removed
  - Category tag group TCP Correlation Dependency Group removed
  - Category tag group HTTP URI Correlation Dependency Group removed
  - Category tag group Severity over 4 Correlation Dependency Group removed
  - Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Pulse-Secure-VPN-Arbitrary-File-Disclosure
  - Description has changed
  - Attacker: connection_source->none
  - Victim: connection_destination->none
  - Category tag situation Obsolete added
  - Category tag os Unix removed
  - Category tag os Linux removed
  - Category tag hardware Any Hardware removed
  - Category tag application Pulse Secure VPN removed
  - Category tag group CVE2019 removed
  - Category tag os_not_specific Unix not specific removed
  - Category tag os_not_specific Linux not specific removed
  - Category tag situation Suspected Compromise removed
  - Category tag group HTTP Correlation Dependency Group removed
  - Category tag group TCP Correlation Dependency Group removed
  - Category tag group HTTP URI Correlation Dependency Group removed
  - Category tag group Severity over 4 Correlation Dependency Group removed
  - Category tag group TCP Client Traffic removed
  - Fingerprint regexp changed
Situation | HTTP_CSU-Zoho-Manageengine-Opmanager-Cachestart-Directory-Traversal
  - Description has changed
  - Attacker: connection_source->none
  - Victim: connection_destination->none
  - Category tag situation Obsolete added
  - Category tag os Any Operating System removed
  - Category tag hardware Any Hardware removed
  - Category tag application Zoho Corporation ManageEngine OpManager removed
  - Category tag group CVE2020 removed
  - Category tag os_not_specific Any Operating System not specific removed
  - Category tag situation Suspected Compromise removed
  - Category tag group HTTP Correlation Dependency Group removed
  - Category tag group TCP Correlation Dependency Group removed
  - Category tag group HTTP URI Correlation Dependency Group removed
  - Category tag group Severity over 4 Correlation Dependency Group removed
  - Category tag group TCP Client Traffic removed
Situation | HTTP_CSH-Shared-Variables
  - Fingerprint regexp changed
Situation | HTTP_CSH-Empty-Host-Header
  - Fingerprint regexp changed
Situation | HTTP_CSU-Apache-Mod-Imagemap-Module-Cross-Site-Scripting
  - Description has changed
  - Attacker: connection_destination->none
  - Victim: connection_source->none
  - Category tag situation Obsolete added
  - Category tag os Any Operating System removed
  - Category tag hardware Any Hardware removed
  - Category tag application Apache removed
  - Category tag group CVE2007 removed
  - Category tag os_not_specific Any Operating System not specific removed
  - Category tag application_not_specific Apache not specific removed
  - Category tag situation Potential Compromise removed
  - Category tag group HTTP Correlation Dependency Group removed
  - Category tag group TCP Correlation Dependency Group removed
  - Category tag group HTTP URI Correlation Dependency Group removed
  - Category tag group Severity over 4 Correlation Dependency Group removed
  - Category tag group TCP Client Traffic removed
Situation | HTTP_CS-Shared-Variables-For-Client-Stream-Context
  - Fingerprint regexp changed
Situation | HTTP_CSU-Apache-Tomcat-Servlet-Engine-Directory-Traversal
  - Description has changed
  - Attacker: connection_source->none
  - Victim: connection_destination->none
  - Category tag situation Obsolete added
  - Category tag os Any Operating System removed
  - Category tag hardware Any Hardware removed
  - Category tag application Apache Tomcat removed
  - Category tag group CVE2007 removed
  - Category tag os_not_specific Any Operating System not specific removed
  - Category tag situation Potential Disclosure removed
  - Category tag group TCP Client Traffic removed
Situation | HTTP_CSH-Suspicious-Host-Header
  - Fingerprint regexp changed
Application | ILoveIM
Application | SopCast
Application | Baidu-Hi
Application | Nbc.com-Streaming
Application | Rubicon-Project
Application | TOR
Application | NordVPN
IPList | Yemen
IPList | Iraq
IPList | Saudi Arabia
IPList | Iran
IPList | Cyprus
IPList | Syria
IPList | Armenia
IPList | DR Congo
IPList | Uganda
IPList | Seychelles
IPList | Jordan
IPList | Lebanon
IPList | United Arab Emirates
IPList | Israel
IPList | Turkey
IPList | Egypt
IPList | Greece
IPList | Estonia
IPList | Latvia
IPList | Lithuania
IPList | Moldova
IPList | Belarus
IPList | Finland
IPList | Åland Islands
IPList | Ukraine
IPList | Hungary
IPList | Bulgaria
IPList | Poland
IPList | Romania
IPList | Zimbabwe
IPList | Zambia
IPList | Mauritius
IPList | Eswatini
IPList | South Africa
IPList | Mayotte
IPList | Afghanistan
IPList | Pakistan
IPList | Bangladesh
IPList | Sri Lanka
IPList | Bhutan
IPList | India
IPList | British Indian Ocean Territory
IPList | Nepal
IPList | Myanmar
IPList | Kazakhstan
IPList | Vietnam
IPList | Thailand
IPList | Indonesia
IPList | Taiwan
IPList | Philippines
IPList | Malaysia
IPList | China
IPList | Hong Kong
IPList | Cambodia
IPList | South Korea
IPList | Japan
IPList | Singapore
IPList | Russia
IPList | Mongolia
IPList | Australia
IPList | Federated States of Micronesia
IPList | Papua New Guinea
IPList | Tuvalu
IPList | Nauru
IPList | Vanuatu
IPList | Norfolk Island
IPList | New Zealand
IPList | Portugal
IPList | Liberia
IPList | Ivory Coast
IPList | Nigeria
IPList | Guinea-Bissau
IPList | Mauritania
IPList | Gibraltar
IPList | Gambia
IPList | Niger
IPList | Tunisia
IPList | Spain
IPList | Morocco
IPList | Algeria
IPList | Denmark
IPList | Iceland
IPList | United Kingdom
IPList | Switzerland
IPList | Sweden
IPList | Netherlands
IPList | Austria
IPList | Belgium
IPList | Germany
IPList | Luxembourg
IPList | Ireland
IPList | France
IPList | Liechtenstein
IPList | Guernsey
IPList | Slovakia
IPList | Czechia
IPList | Norway
IPList | Vatican City
IPList | Italy
IPList | Croatia
IPList | Namibia
IPList | Saint Pierre and Miquelon
IPList | Greenland
IPList | Brazil
IPList | Falkland Islands
IPList | Dominican Republic
IPList | Martinique
IPList | Anguilla
IPList | Saint Lucia
IPList | British Virgin Islands
IPList | Montserrat
IPList | Saint Martin
IPList | Saint Barthélemy
IPList | Guadeloupe
IPList | Guatemala
IPList | Honduras
IPList | Nicaragua
IPList | Costa Rica
IPList | Venezuela
IPList | Ecuador
IPList | Colombia
IPList | Panama
IPList | Argentina
IPList | Chile
IPList | Bolivia
IPList | Peru
IPList | Mexico
IPList | French Polynesia
IPList | Kiribati
IPList | Tokelau
IPList | Wallis and Futuna
IPList | Samoa
IPList | Northern Mariana Islands
IPList | Guam
IPList | U.S. Virgin Islands
IPList | Canada
IPList | United States
IPList | Palestine
IPList | Serbia
IPList | Antarctica
IPList | Sint Maarten
IPList | Curaçao
IPList | Bonaire, Sint Eustatius, and Saba
IPList | TOR exit nodes IP Address List
IPList | Amazon AMAZON
IPList | Amazon EC2
IPList | TOR relay nodes IP Address List
IPList | Amazon AMAZON il-central-1
IPList | Botnet IP Address List
IPList | Malicious Site IP Address List
IPList | NordVPN Servers IP Address List
IPList | Amazon AMAZON eu-central-1
IPList | Amazon MEDIA_PACKAGE_V2
IPList | Amazon AMAZON eu-west-1
IPList | Amazon AMAZON eu-west-3
IPList | Amazon EC2 eu-west-3
IPList | Amazon AMAZON us-east-1

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
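Step 1 asks you to confirm the checksums before importing. The helper below is an added example, not part of Forcepoint's release notes or tooling: it reads the downloaded package once, computes all three digests published at the top of this page, and reports each one that differs so that a corrupted or substituted file is caught before it reaches the Management Client.

```python
import hashlib
import sys

# Checksums published at the top of these release notes for package 1641-5242.
PUBLISHED_CHECKSUMS = {
    "md5": "99c749ee0f10bbca7b7e64af547d619c",
    "sha1": "6272bdb669a4c53bb0c5ffcfbe7530ca7b1d50aa",
    "sha256": "1956b95e08ed28310eb39065faf86b5726e241f6f4e93c55a3c649c41c12a60a",
}


def digest_bytes(data, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def digest_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hex digest} for a file, reading it once in chunks
    so a large update package is never loaded into memory whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def find_mismatches(actual, expected):
    """Compare computed digests against the published ones.

    Returns {algorithm: (expected, actual)} for every published digest
    that does not match; an empty dict means the file is intact.
    Comparison ignores case and surrounding whitespace, since published
    values are usually copied from a web page.
    """
    mismatches = {}
    for name, published in expected.items():
        want = published.strip().lower()
        got = actual.get(name, "").strip().lower()
        if got != want:
            mismatches[name] = (want, got)
    return mismatches


def verify_package(path, expected=PUBLISHED_CHECKSUMS):
    """True only if every published digest matches the file on disk."""
    return not find_mismatches(digest_file(path, tuple(expected)), expected)


if __name__ == "__main__":
    # Usage: python verify_update.py <downloaded-package-file>
    package = sys.argv[1]
    problems = find_mismatches(digest_file(package), PUBLISHED_CHECKSUMS)
    for name, (want, got) in problems.items():
        print(f"{name.upper()} mismatch: expected {want}, got {got}")
    if problems:
        print("Checksum verification failed; do not import this package.")
        sys.exit(1)
    print("All published checksums match; the package can be imported.")
```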

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.