Release notes for update package 1644-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday October 26, 2023
MD5 CHECKSUM:    d4bbc4a3295899fb1f399f5e84bb7f15
SHA1 CHECKSUM:    10fbf157f80b48a3ffef0184a857c16f5c7203da
SHA256 CHECKSUM:    f762fc79672d7200d12c44cb2a8f31f3ca64409909c3ce783e36a4ec0c51524d

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.5.1.21108

List of detected attacks in this update package:

Risk levelDescriptionReferenceVulnerability
High     An attempt to exploit a vulnerability in mySCADA myPRO detected     CVE-2023-28384     mySCADA-myPRO-CVE-2023-28384-Command-Injection
High     An attempt to exploit a vulnerability in Hexojs Hexo detected     CVE-2023-39584     Hexojs-Hexo-Includecodetag-Path-Traversal
High     An attempt to exploit a vulnerability in Netgear ProSAFE NMS300 detected     CVE-2023-38095     NetGear-ProSafe-NMS300-CVE-2023-38095-Arbitrary-File-Upload
High     An attempt to exploit a vulnerability in Cacti detected     CVE-2023-39362     Cacti-Group-Cacti-SNMP_Escape_String-Command-Injection
High     An attempt to exploit a vulnerability in Linux Kernel detected     CVE-2023-32248     Linux-Kernel-Ksmbd-SMB2_Query_Info-Handling-Null-Pointer-Dereference
High     An attempt to exploit a vulnerability in Linux Kernel detected     CVE-2022-47938     Linux-Kernel-Ksmbd-SMB2_Tree_Connect-Handling-Out-Of-Bounds-Read
High     An attempt to exploit a vulnerability in Microsoft Windows themes detected     No CVE/CAN Portable-Executable-msstyles-File-Transfer
High     An attempt to exploit a vulnerability in Rockwell Automation ThinManager ThinServer detected     CVE-2023-2915     Rockwell-Automation-Thinmanager-Type-21-Synchronization-Directory-Traversal
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2023-29363     Microsoft-Windows-PGM-PARITY_PRM_TGS-Handling-Code-Execution
High     An attempt to exploit a vulnerability in RARLAB WinRAR detected     CVE-2023-40477     RARLAB-WinRAR-Recovery-Volume-Out-Of-Bounds-Write

Jump to: Detected Attacks Other Changes

DETECTED ATTACKS

New detected attacks:

TCP SMB Client Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Linux-Kernel-Ksmbd-SMB2_Query_Info-Handling-Null-Pointer-Dereference CVE-2023-32248 SMB-TCP_Linux-Kernel-Ksmbd-SMB2_Query_Info-Handling-Null-Pointer-Dereference Potential Compromise
High Linux-Kernel-Ksmbd-SMB2_Tree_Connect-Handling-Out-Of-Bounds-Read CVE-2022-47938 SMB-TCP_Linux-Kernel-Ksmbd-SMB2_Tree_Connect-Handling-Out-Of-Bounds-Read Potential Compromise

TCP Client Stream Unknown

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Rockwell-Automation-Thinmanager-Type-21-Synchronization-Directory-Traversal CVE-2023-2915 Generic_CS-Rockwell-Automation-Thinmanager-Type-21-Synchronization-Directory-Traversal Suspected Compromise

HTTP Normalized Request-Line

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High NetGear-ProSafe-NMS300-CVE-2023-38095-Arbitrary-File-Upload CVE-2023-38095 HTTP_CRL-NetGear-ProSafe-NMS300-CVE-2023-38095-Arbitrary-File-Upload Suspected Compromise
High Cacti-Group-Cacti-SNMP_Escape_String-Command-Injection CVE-2023-39362 HTTP_CRL-Cacti-Group-Cacti-SNMP_Escape_String-Command-Injection Suspected Compromise

SMB Client Header Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Portable-Executable-msstyles-File-Transfer No CVE/CAN SMB-TCP_Microsoft-Windows-Themes-Race-Condition Suspected Compromise

Text File Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High mySCADA-myPRO-CVE-2023-28384-Command-Injection CVE-2023-28384 File-Text_mySCADA-myPRO-CVE-2023-28384-Command-Injection Suspected Compromise
High Hexojs-Hexo-Includecodetag-Path-Traversal CVE-2023-39584 File-Text_Hexojs-Hexo-Includecodetag-Path-Traversal Suspected Compromise

Other Binary File Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High RARLAB-WinRAR-Recovery-Volume-Out-Of-Bounds-Write CVE-2023-40477 File-Binary_RARLAB-WinRAR-Recovery-Volume-Out-Of-Bounds-Write Suspected Compromise

Generic IP Fingerprinting Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Microsoft-Windows-PGM-PARITY_PRM_TGS-Handling-Code-Execution CVE-2023-29363 IPv4_Microsoft-Windows-PGM-PARITY_PRM_TGS-Handling-Code-Execution Suspected Compromise

Updated detected attacks:

HTTP Client Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Log4j-Denial-of-Service-CVE-2021-45105 CVE-2021-45105 HTTP_CS-Log4j-Denial-of-Service-CVE-2021-45105 Suspected Compromise
Fingerprint regexp changed

TCP SMB Client Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
Critical Samba-Remote-Code-Execution-From-Writable-Share CVE-2017-7494 SMB-TCP_Samba-Remote-Code-Execution-From-Writable-Share Compromise
Fingerprint regexp changed

HTTP Request Header Line

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Apache-Httpd-Mod_Log_Config-Cookie-Handling-Denial-Of-Service CVE-2012-0021 HTTP_CSH-Apache-Httpd-Mod_Log_Config-Cookie-Handling-Denial-Of-Service Potential Compromise
Fingerprint regexp changed
Low Apache-HTTP-Server-Mod_log_Config-Denial-Of-Service CVE-2014-0098 HTTP_CSH-Apache-HTTP-Server-Mod_log_Config-Denial-Of-Service Possibly Unwanted Content
Fingerprint regexp changed
High Apache-Struts-Cookieinterceptor-Classloader-Security-Bypass CVE-2014-0113 HTTP_CHS-Apache-Struts-Cookieinterceptor-Classloader-Security-Bypass Suspected Compromise
Fingerprint regexp changed
High Invalid-Base64-Cookie No CVE/CAN HTTP_CSH-Invalid-Base64-Cookie Suspected Attack Related Anomalies
Fingerprint regexp changed
High Trend-Micro-Threat-Discovery-Appliance-Remote-Command-Execution CVE-2016-7552 HTTP_CSH-Trend-Micro-Threat-Discovery-Appliance-Remote-Command-Execution Suspected Compromise
Fingerprint regexp changed
High Apache-Httpd-Error-Code-400-Httponly-Cookie-Handling-Information-Disclosure CVE-2012-0053 HTTP_CSH-Very-Long-Cookie-Header Potential Compromise
Fingerprint regexp changed
High PHP-4-Unserialize-ZVAL-Reference-Counter-Overflow CVE-2007-1286 HTTP_CSH-PHP-4-Unserialize-ZVAL-Reference-Counter-Overflow Suspected Compromise
Fingerprint regexp changed
High Western-Digital-Arkeia-Unauthenticated-Script-Upload No CVE/CAN HTTP_CSH-Western-Digital-Arkeia-Unauthenticated-Script-Upload Suspected Compromise
Fingerprint regexp changed
High Haproxy-Client-And-Server-Cookie-Parsing-Denial-Of-Service CVE-2019-14241 HTTP_CSH-Haproxy-Client-And-Server-Cookie-Parsing-Denial-Of-Service Potential Compromise
Fingerprint regexp changed
High Cisco-Small-Business-RV-Series-Authentication-Bypass-And-Command-Injection CVE-2021-1473 HTTP_CSH-Cisco-Small-Business-RV-Series-Authentication-Bypass-And-Command-Injection Suspected Compromise
Fingerprint regexp changed
High Gogs-File-Upload-Tree_path-Command-Injection CVE-2022-0415 HTTP_CSH-Gogs-File-Upload-Tree_path-Command-Injection Suspected Compromise
Fingerprint regexp changed
High Zabbix-Unsafe-Client-Side-Session-Storage-CVE-2022-23131 CVE-2022-23131 HTTP_CSH_Zabbix-Unsafe-Client-Side-Session-Storage-CVE-2022-23131 Suspected Compromise
Fingerprint regexp changed
High Wordpress-Limit-Login-Attempts-Plugin-Stored-Cross-Site-Scripting CVE-2023-1861 HTTP_CSH-Wordpress-Limit-Login-Attempts-Plugin-Stored-Cross-Site-Scripting Suspected Compromise
Fingerprint regexp changed
High Progress-MOVEit-Transfer-Userprocesspasschangerequest-SQL-Injection CVE-2023-36934 HTTP_CSH-Progress-MOVEit-Transfer-Userprocesspasschangerequest-SQL-Injection Suspected Compromise
Fingerprint regexp changed

HTTP Normalized Request-Line

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Jenkins-Plot-Plugin-Stored-Cross-Site-Scripting CVE-2022-34783 HTTP_CRL-Jenkins-Plot-Plugin-Stored-Cross-Site-Scripting Suspected Compromise
Description has changed
Category tag group CVE2021 added
Fingerprint regexp changed

Identified Text File Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Microsoft-Exchange-Approvedapplication-Insecure-Deserialization CVE-2023-36756 File-TextId_Microsoft-Exchange-Approvedapplication-Insecure-Deserialization Suspected Compromise
Description has changed

LIST OF OTHER CHANGES:

New objects:

TypeName
CategoryHexo
SituationHTTP_CSC-Shared-Variables
ApplicationAmazon Prime
ApplicationApple TV

Updated objects:

TypeNameChanges
SituationFile_Blocked-Bad-SHA1-Hash
Detection mechanism updated
SituationURL_List-DNS-Over-HTTPS
Detection mechanism updated
IPListSomalia
IPListIraq
IPListSaudi Arabia
IPListIran
IPListCyprus
IPListSyria
IPListKenya
IPListDR Congo
IPListSeychelles
IPListJordan
IPListLebanon
IPListKuwait
IPListBahrain
IPListUnited Arab Emirates
IPListIsrael
IPListTurkey
IPListEgypt
IPListSudan
IPListGreece
IPListEstonia
IPListLatvia
IPListAzerbaijan
IPListLithuania
IPListMoldova
IPListBelarus
IPListFinland
IPListUkraine
IPListNorth Macedonia
IPListHungary
IPListBulgaria
IPListAlbania
IPListPoland
IPListRomania
IPListZimbabwe
IPListBotswana
IPListMauritius
IPListSouth Africa
IPListAfghanistan
IPListPakistan
IPListBangladesh
IPListSri Lanka
IPListBhutan
IPListIndia
IPListMaldives
IPListNepal
IPListMyanmar
IPListKazakhstan
IPListVietnam
IPListThailand
IPListIndonesia
IPListLaos
IPListTaiwan
IPListPhilippines
IPListMalaysia
IPListChina
IPListHong Kong
IPListMacao
IPListCambodia
IPListSouth Korea
IPListJapan
IPListNorth Korea
IPListSingapore
IPListRussia
IPListAustralia
IPListVanuatu
IPListNorfolk Island
IPListNew Zealand
IPListLibya
IPListCongo Republic
IPListPortugal
IPListGhana
IPListNigeria
IPListGibraltar
IPListGambia
IPListSpain
IPListMorocco
IPListDenmark
IPListIceland
IPListUnited Kingdom
IPListSwitzerland
IPListSweden
IPListNetherlands
IPListAustria
IPListBelgium
IPListGermany
IPListLuxembourg
IPListIreland
IPListFrance
IPListAndorra
IPListLiechtenstein
IPListSlovakia
IPListCzechia
IPListNorway
IPListItaly
IPListSlovenia
IPListMontenegro
IPListCroatia
IPListAngola
IPListBarbados
IPListParaguay
IPListUruguay
IPListBrazil
IPListDominican Republic
IPListMartinique
IPListBermuda
IPListDominica
IPListSaint Lucia
IPListBritish Virgin Islands
IPListSt Vincent and Grenadines
IPListGuadeloupe
IPListCayman Islands
IPListBelize
IPListGuatemala
IPListCosta Rica
IPListVenezuela
IPListColombia
IPListPanama
IPListArgentina
IPListChile
IPListBolivia
IPListPeru
IPListMexico
IPListNorthern Mariana Islands
IPListGuam
IPListPuerto Rico
IPListU.S. Virgin Islands
IPListU.S. Outlying Islands
IPListAmerican Samoa
IPListCanada
IPListUnited States
IPListPalestine
IPListSerbia
IPListSint Maarten
IPListTOR exit nodes IP Address List
IPListAmazon AMAZON
IPListWebex Servers IP Address List
IPListAmazon ROUTE53_HEALTHCHECKS
IPListAmazon EC2
IPListGoogle Servers
IPListMicrosoft Azure datacenter for australiaeast
IPListMicrosoft Azure datacenter for australiasoutheast
IPListMicrosoft Azure datacenter for brazilsouth
IPListMicrosoft Azure datacenter for canadacentral
IPListTOR relay nodes IP Address List
IPListMicrosoft Azure datacenter for canadaeast
IPListMicrosoft Azure datacenter for centralindia
IPListMicrosoft Azure datacenter for centralus
IPListMicrosoft Azure datacenter for eastus2euap
IPListMicrosoft Azure datacenter for eastus2
IPListMicrosoft Azure datacenter for eastus
IPListMicrosoft Azure datacenter for centralfrance
IPListMicrosoft Azure datacenter for southfrance
IPListMicrosoft Azure datacenter for japaneast
IPListMicrosoft Azure datacenter for japanwest
IPListMicrosoft Azure datacenter for koreacentral
IPListMicrosoft Azure datacenter for koreasouth
IPListMicrosoft Azure datacenter for northcentralus
IPListMicrosoft Azure datacenter for northeurope
IPListMicrosoft Azure datacenter for southcentralus
IPListMicrosoft Azure datacenter for southindia
IPListMicrosoft Azure datacenter for southeastasia
IPListMicrosoft Azure datacenter for uksouth
IPListMicrosoft Azure datacenter for ukwest
IPListMicrosoft Azure datacenter for westcentralus
IPListMicrosoft Azure datacenter for westeurope
IPListMicrosoft Azure datacenter for westindia
IPListMicrosoft Azure datacenter for westus2
IPListMicrosoft Azure datacenter for westus
IPListMicrosoft Azure datacenter
IPListZscaler IP Address List
IPListOkta IP Address List
IPListBotnet IP Address List
IPListMalicious Site IP Address List
IPListWebex Teams
IPListMicrosoft Azure datacenter for malaysiasouth
IPListNordVPN Servers IP Address List
IPListAmazon AMAZON ca-central-1
IPListAmazon AMAZON eu-central-1
IPListAmazon AMAZON ap-southeast-5
IPListAmazon AMAZON eu-west-1
IPListAmazon EC2 ap-southeast-5
IPListAmazon EC2 eu-west-1
IPListAmazon AMAZON us-east-1
IPListAmazon EC2 us-east-1
IPListAmazon AMAZON us-west-2
IPListAmazon ROUTE53_HEALTHCHECKS us-west-2
IPListAmazon EC2 us-west-2
IPListMicrosoft Azure datacenter for brazilse
IPListMicrosoft Azure datacenter for germanyn
IPListMicrosoft Azure datacenter for germanywc
IPListMicrosoft Azure datacenter for norwaye
IPListMicrosoft Azure datacenter for norwayw
IPListMicrosoft Azure datacenter for southafricanorth
IPListMicrosoft Azure datacenter for southafricawest
IPListMicrosoft Azure datacenter for switzerlandn
IPListMicrosoft Azure datacenter for switzerlandw
IPListMicrosoft Azure datacenter for uaecentral
IPListMicrosoft Azure datacenter for uaenorth
IPListMicrosoft Azure service for AzureCloud
IPListMicrosoft Azure service for AzureKeyVault
IPListMicrosoft Azure service for AzureMonitor
IPListMicrosoft Azure service for EventHub
IPListMicrosoft Azure service for LogicApps
IPListMicrosoft Azure service for LogicAppsManagement
IPListMicrosoft Azure datacenter for swedencentral
IPListMicrosoft Azure datacenter for swedensouth
IPListMicrosoft Azure datacenter for westus3
IPListMicrosoft Azure service for EOPExternalPublishedIPs
IPListMicrosoft Azure datacenter for qatarcentral
IPListMicrosoft Azure datacenter for israelcentral
IPListMicrosoft Azure datacenter for italynorth
IPListMicrosoft Azure datacenter for polandcentral
IPListTwilio SIP
IPListTwilio media
SituationHTTP_CSU-Shared-Variables
SituationHTTP_CSH-Shared-Variables
Fingerprint regexp changed
SituationSMB-TCP_CHS-SMB2-Negotiate-Request
Fingerprint regexp changed
SituationSMB-TCP_SHS-SMB2-Tree-Connect-Response
Fingerprint regexp changed
SituationHTTP_PSU-Shared-Variables
Fingerprint regexp changed
SituationFile-Name_Shared-Variables
ApplicationYouTube
ApplicationWebex
ApplicationSMB2
ApplicationTOR
ApplicationDNS-Over-HTTPS
ApplicationSMB3
ApplicationWebex-Teams
ApplicationNordVPN
SituationURL_List-DNS-Over-HTTPS
Detection mechanism updated

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select  Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.