Release notes for update package 1650-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday November 13, 2023
MD5 CHECKSUM:    c889bd5242525bfea2886f71820f37b6
SHA1 CHECKSUM:    cc46af61115d717200061a151c32fb837088d264
SHA256 CHECKSUM:    22f9f9a1960f1cda6640c91a9157d49653e3839261e56a85fee061e49595739a

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.5.1.10631
- Forcepoint NGFW:    6.5.1.21108

List of detected attacks in this update package:

Risk level    Description    Reference    Vulnerability
High    A DNS query containing base64-encoded data detected    No CVE/CAN    DNS-Query-Containing-Base64-Encoded-Data
High    An attempt to exploit a vulnerability in LG Simple Editor detected    CVE-2023-40498    LG-Simple-Editor-Remote-Code-Execution
High    An attempt to exploit a vulnerability in XWiki.org Change Request extension detected    CVE-2023-45138    Xwiki.org-Change-Request-Extension-Code-Injection
High    An attempt to exploit a vulnerability in Korenix JetWave detected    CVE-2023-23294    Korenix-Jetwave-Command-Injection-CVE-2023-23294
High    An attempt to exploit a vulnerability in Stagil Navigation for Jira detected    CVE-2023-26255    Stagil-Navigation-For-JIRA-Path-Traversal-Vulnerabilities
High    An attempt to exploit a vulnerability in Synology SafeAccess detected    CVE-2020-27660    Synology-Safeaccess-SQL-Injection
High    An attempt to exploit a vulnerability in Siretta QUARTZ-GOLD detected    CVE-2022-40969    Siretta-Quartz-Gold-Router-OS-Command-Injection
High    An attempt to exploit a vulnerability in Siretta QUARTZ-GOLD detected    CVE-2022-38459    Siretta-Quartz-Gold-Router-Stack-Buffer-Overflow
High    An attempt to exploit a vulnerability in Canonical ksmbd-tools detected    No CVE/CAN    Canonical-Ksmbd-Tools-Ksmbd.Mountd-SMB_Read_Sid-Heap-Buffer-Overflow
High    An attempt to exploit a vulnerability in F5 Networks BIG-IP detected    CVE-2023-46747    F5-Request-Smuggling-CVE-2023-46747
High    An attempt to exploit a vulnerability in VISAM VBASE Automation Base detected    CVE-2022-45876    Visam-Vbase-Automation-Base-Projektinfo-File-Parsing-External-Entity-Injection


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    LG-Simple-Editor-Remote-Code-Execution    CVE-2023-40498    HTTP_CS-LG-Simple-Editor-Remote-Code-Execution    Suspected Compromise

DNS UDP Client Message

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    DNS-Query-Containing-Base64-Encoded-Data    No CVE/CAN    DNS-UDP_DNS-Query-Containing-Base64-Encoded-Data    Potential Compromise

HTTP Request Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    F5-Request-Smuggling-CVE-2023-46747    CVE-2023-46747    HTTP_CSH-F5-Request-Smuggling-CVE-2023-46747    Suspected Compromise

MSRPC Client Payload Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Canonical-Ksmbd-Tools-Ksmbd.Mountd-SMB_Read_Sid-Heap-Buffer-Overflow    No CVE/CAN    MSRPC-TCP_CPS--Canonical-Ksmbd-Tools-Ksmbd.Mountd-SMB_Read_Sid-Heap-Buffer-Overflow    Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Xwiki.org-Change-Request-Extension-Code-Injection    CVE-2023-45138    HTTP_CRL-Xwiki.org-Change-Request-Extension-Code-Injection    Suspected Compromise
High    Korenix-Jetwave-Command-Injection-CVE-2023-23294    CVE-2023-23294    HTTP_CRL-Korenix-Jetwave-Command-Injection-CVE-2023-23294    Suspected Compromise
High    Stagil-Navigation-For-JIRA-Path-Traversal-Vulnerabilities    CVE-2023-26255    HTTP_CRL-Stagil-Navigation-For-JIRA-Path-Traversal-Vulnerabilities    Suspected Compromise
High    Synology-Safeaccess-SQL-Injection    CVE-2020-27660    HTTP_CRL-Synology-Safeaccess-SQL-Injection    Suspected Compromise
High    Siretta-Quartz-Gold-Router-OS-Command-Injection    CVE-2022-40969    HTTP_CRL-Siretta-Quartz-Gold-Router-OS-Command-Injection    Suspected Compromise
High    Siretta-Quartz-Gold-Router-Stack-Buffer-Overflow    CVE-2022-38459    HTTP_CRL-Siretta-Quartz-Gold-Router-Stack-Buffer-Overflow    Suspected Compromise

Identified Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Visam-Vbase-Automation-Base-Projektinfo-File-Parsing-External-Entity-Injection    CVE-2022-45876    File-TextId_Visam-Vbase-Automation-Base-Projektinfo-File-Parsing-External-Entity-Injection    Suspected Compromise

Updated detected attacks:

UDP Packet Unknown

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    W32/Nuwar@mm-Malware    No CVE/CAN    Generic_UDP-W32/Nuwar@mm-Encrypted-Traffic    Botnet
    Detection mechanism updated

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Realtek-SDK-formSysCmd-Command-Execution-CVE-2021-35395    CVE-2021-35395    HTTP_CRL-Realtek-SDK-formSysCmd-Command-Execution-CVE-2021-35395    Suspected Compromise
    Description has changed

SMB Client Header Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Portable-Executable-msstyles-File-Transfer    No CVE/CAN    SMB-TCP_CHS-Microsoft-Windows-Themes-Race-Condition    Suspected Compromise
    Name: SMB-TCP_Microsoft-Windows-Themes-Race-Condition -> SMB-TCP_CHS-Microsoft-Windows-Themes-Race-Condition
    Description has changed
    Category tag group MS2023-09 added
    Category tag group CVE2023 added

OLE File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Microsoft-Excel-Memory-Corruption-CVE-2012-1886    CVE-2012-1886    File-OLE_Microsoft-Excel-Memory-Corruption-CVE-2012-1886    Potential Compromise
    Detection mechanism updated
High    Oracle-Outside-In-Excel-Propertysetstream-Out-Of-Bounds-Write    CVE-2018-3010    File-OLE_Oracle-Outside-In-Excel-Propertysetstream-Out-Of-Bounds-Write    Potential Compromise
    Detection mechanism updated
High    Delta-Industrial-Automation-DOPSoft-XLS-Index-Record-Parsing-Buffer-Overflow    CVE-2021-38406    File-OLE_Delta-Industrial-Automation-DOPSoft-XLS-Index-Record-Parsing-Buffer-Overflow    Potential Compromise
    Detection mechanism updated

Identified Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Shellcode-Encoder    No CVE/CAN    File-TextId_x86-X41nop-Shellcode    Potential Compromise
    Fingerprint regexp changed
High    Visam-Vbase-Automation-Base-Webremote-File-Parsing-External-Entity-Injection    CVE-2022-46286    File-TextId_Visam-Vbase-Automation-Base-Webremote-File-Parsing-External-Entity-Injection    Suspected Compromise
    Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type    Name
Category    Canonical ksmbd-tools
Category    Korenix JetWave
Category    Stagil Navigation for Jira
Category    Siretta QUARTZ-GOLD
Certificate Authority    Amazon RSA 2048 M03
Certificate Authority    Amazon ECDSA 256 M03
Certificate Authority    ANTIC DV CA
Certificate Authority    cyber_Folks
Certificate Authority    Yekta Domain Validated SSL CA 1
Certificate Authority    UCA Global G2 Root (2)
Certificate Authority    D-TRUST SSL CA 2 2020
Certificate Authority    TU Dresden CA
Certificate Authority    DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1
Certificate Authority    GeoTrust G2 TLS CN RSA4096 SHA256 2022 CA1
Certificate Authority    Verokey Verified Business G2
Certificate Authority    Aetna Inc. Secure EV CA
Certificate Authority    GeoTrust EV CN RSA G1
Certificate Authority    Secure Site Pro Extended Validation CA
Certificate Authority    DigiCert G5 TLS RSA4096 SHA384 2021 CA1
Certificate Authority    Thawte G5 TLS RSA4096 SHA384 2022 CA1
Certificate Authority    Namirial OV SSL CA 2023
Certificate Authority    Alibaba Cloud GCC R3 AlphaSSL CA 2023
Certificate Authority    GlobalSign Atlas R3 AlphaSSL CA 2023 Q2
Certificate Authority    GlobalSign Atlas R3 DV TLS CA 2023 Q2
Certificate Authority    GlobalSign Atlas R3 DV TLS CA 2023 Q3
Certificate Authority    GlobalSign Atlas R3 OV TLS CA 2023 Q2
Certificate Authority    GlobalSign Atlas R3 OV TLS CA 2023 Q3
Certificate Authority    GlobalSign CloudSSL CA - SHA256 - G3
Certificate Authority    GlobalSign (1)
Certificate Authority    Go Daddy Root Certificate Authority - G2 (1)
Certificate Authority    HARICA Institutional TLS RSA 2
Certificate Authority    NETLOCK Trust EV CA 3
Certificate Authority    GEANT EV ECC CA 4
Certificate Authority    InCommon ECC Server CA 2
Certificate Authority    Trusted Secure ECC Certificate Authority
Certificate Authority    CATrust RSA OV SSL CA
Certificate Authority    Corporation Service Company RSA OV SSL CA
Certificate Authority    EUNETIC RSA Domain Validation Secure Server CA 3
Certificate Authority    GoGetSSL RSA EV CA
Certificate Authority    SecureCore RSA EV CA
Certificate Authority    ZwTrus OV SSL CA
Certificate Authority    SwissSign RSA TLS DV ICA 2022 - 1
Certificate Authority    SwissSign RSA TLS OV ICA 2022 - 1
Certificate Authority    Amazon ECDSA 384 M03
Certificate Authority    TeleSec Business CA 1
Certificate Authority    DigiCert Secure Site ECC CA-1
Certificate Authority    GeoTrust Global G2 TLS EUR RSA4096 SHA384 2023 CA1
Certificate Authority    Microsoft Azure RSA TLS Issuing CA 03
Certificate Authority    Microsoft Azure RSA TLS Issuing CA 04
Certificate Authority    Microsoft Azure RSA TLS Issuing CA 07
Certificate Authority    Microsoft Azure RSA TLS Issuing CA 08
Certificate Authority    DigiCert TLS ECC P384 Root G5 (1)
Certificate Authority    Microsoft Azure ECC TLS Issuing CA 05
Certificate Authority    GeoTrust G5 TLS ECC P-384 SHA384 2022 CA2
Certificate Authority    Entrust Root Certification Authority - EC1 (1)
Certificate Authority    GlobalSign Atlas R3 AlphaSSL CA 2023 Q3
Certificate Authority    GlobalSign Atlas R3 AlphaSSL CA 2023 Q4
Certificate Authority    GlobalSign Atlas R3 DV TLS CA 2023 Q4
Certificate Authority    GlobalSign Atlas R3 OV TLS CA 2023 Q4
Certificate Authority    GlobalSign GCC R6 AlphaSSL CA 2023
Certificate Authority    e-Szigno Class3 SSL CA 2017
Certificate Authority    SECOM Passport for Web EV 2.0 CA (1)
Certificate Authority    TrustAsia ECC DV TLS CA G3
Certificate Authority    E-SAFER ORGANIZATION SSL CA
Certificate Authority    EUNETIC RSA Organization Validation Secure Server CA 3
Certificate Authority    Gandi RSA Domain Validation Secure Server CA 3
Certificate Authority    Gandi RSA Organization Validation Secure Server CA 3
Certificate Authority    GENIOUS RSA Domain Validation Secure Server CA
Certificate Authority    InCommon RSA IGTF Server CA 3
Certificate Authority    Network Solutions RSA DV SSL CA 3
Certificate Authority    Network Solutions RSA OV SSL CA 3
Certificate Authority    Valid Certificadora RSA OV SSL CA
Certificate Authority    Xinnet DV SSL
Certificate Authority    TWCA Secure SSL Certification Authority (1)
Certificate Authority    TWCA Secure SSL Certification Authority (2)
Certificate Authority    Viking Cloud Organization Validation CA, Level 1
IPList    Google Cloud IP Address List for us-west8

Updated objects:

Type    Name    Changes
Certificate Authority    WoTrus DV Server CA
Situation    URL_List-DNS-Over-HTTPS
    Detection mechanism updated
IPList    Saudi Arabia
IPList    Iran
IPList    Cyprus
IPList    Tanzania
IPList    Syria
IPList    Armenia
IPList    Kenya
IPList    DR Congo
IPList    Seychelles
IPList    Qatar
IPList    Bahrain
IPList    United Arab Emirates
IPList    Israel
IPList    Turkey
IPList    Ethiopia
IPList    Egypt
IPList    Sudan
IPList    Greece
IPList    Estonia
IPList    Latvia
IPList    Azerbaijan
IPList    Lithuania
IPList    Svalbard and Jan Mayen
IPList    Georgia
IPList    Moldova
IPList    Belarus
IPList    Finland
IPList    Åland Islands
IPList    Ukraine
IPList    Hungary
IPList    Bulgaria
IPList    Poland
IPList    Romania
IPList    Kosovo
IPList    Mauritius
IPList    South Africa
IPList    Madagascar
IPList    Afghanistan
IPList    Pakistan
IPList    Bangladesh
IPList    Sri Lanka
IPList    Bhutan
IPList    India
IPList    Maldives
IPList    Myanmar
IPList    Uzbekistan
IPList    Kazakhstan
IPList    Kyrgyzstan
IPList    Palau
IPList    Vietnam
IPList    Thailand
IPList    Indonesia
IPList    Taiwan
IPList    Philippines
IPList    Malaysia
IPList    China
IPList    Hong Kong
IPList    Macao
IPList    Cambodia
IPList    South Korea
IPList    Japan
IPList    North Korea
IPList    Singapore
IPList    Cook Islands
IPList    Timor-Leste
IPList    Russia
IPList    Australia
IPList    New Zealand
IPList    Libya
IPList    Cameroon
IPList    Senegal
IPList    Portugal
IPList    Ivory Coast
IPList    Nigeria
IPList    Burkina Faso
IPList    Guinea-Bissau
IPList    Gibraltar
IPList    Guinea
IPList    Tunisia
IPList    Spain
IPList    Morocco
IPList    Malta
IPList    Denmark
IPList    Iceland
IPList    United Kingdom
IPList    Switzerland
IPList    Sweden
IPList    The Netherlands
IPList    Austria
IPList    Belgium
IPList    Germany
IPList    Luxembourg
IPList    Ireland
IPList    France
IPList    Andorra
IPList    Liechtenstein
IPList    Slovakia
IPList    Czechia
IPList    Norway
IPList    Vatican City
IPList    San Marino
IPList    Italy
IPList    Slovenia
IPList    Montenegro
IPList    Croatia
IPList    Bosnia and Herzegovina
IPList    Angola
IPList    Paraguay
IPList    Uruguay
IPList    Brazil
IPList    Jamaica
IPList    Dominican Republic
IPList    Cuba
IPList    Bahamas
IPList    Trinidad and Tobago
IPList    Aruba
IPList    Belize
IPList    Guatemala
IPList    Honduras
IPList    Costa Rica
IPList    Venezuela
IPList    Ecuador
IPList    Colombia
IPList    Panama
IPList    Argentina
IPList    Chile
IPList    Bolivia
IPList    Peru
IPList    Mexico
IPList    French Polynesia
IPList    Kiribati
IPList    Tokelau
IPList    Wallis and Futuna
IPList    Northern Mariana Islands
IPList    Guam
IPList    American Samoa
IPList    Canada
IPList    United States
IPList    Palestine
IPList    Serbia
IPList    Curaçao
IPList    TOR exit nodes IP Address List
IPList    Amazon AMAZON
IPList    Amazon EC2
IPList    Akamai Servers
IPList    TOR relay nodes IP Address List
IPList    Amazon AMAZON ap-southeast-1
IPList    NordVPN Servers IP Address List
IPList    Amazon AMAZON us-east-1
IPList    Amazon EC2 us-east-1
Situation    HTTP_CSU-Shared-Variables
Situation    HTTP_CSH-Shared-Variables
    Fingerprint regexp changed
Situation    File-PDF_Adobe-Reader-Heap-Overflow-Vulnerability-CVE-2013-0621
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Adobe Reader removed
    Category tag group CVE2013 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation    File-TextId_Shared-Variables
    Fingerprint regexp changed
Situation    File-Name_Shared-Variables
Application    Hulu
    Application Port "tcp/443 tls: mandatory" added
    TLS Match identification changed from to true
Application    Google-Play
    Application Port "tcp/443 tls: free" -> "tcp/443 tls: mandatory"
    TLS Match identification changed from false to true
Application    Akamai-Infrastructure
Application    TOR
Application    Manoto
Application    DNS-Over-HTTPS
Application    Generic-TLS-1.3
    Application detection context content changed
Application    Generic-TLS-1.2
    Application detection context content changed
Application    Generic-TLS-1.1
    Application detection context content changed
Application    Generic-TLS-1.0
    Application detection context content changed
Application    NordVPN

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
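The checksum comparison in step 1 is the only point in this procedure where a tampered or corrupted download can be caught before it is imported. The script below is an added example, not Forcepoint tooling: it computes MD5, SHA-1 and SHA-256 of a downloaded file with the GNU coreutils md5sum, sha1sum and sha256sum commands and refuses the package unless all three match the values published at the top of these notes (copied into the EXPECTED_* variables). The package path in the usage line is a placeholder; the script makes no assumption about the download's file name.

```shell
#!/bin/sh
# Added example: verify a downloaded Forcepoint dynamic update package against
# the checksums published in the release notes before importing it.
# Assumes GNU coreutils (md5sum, sha1sum, sha256sum) are on PATH.

# Published digests for update package 1650-5242 (from the release notes above).
EXPECTED_MD5="c889bd5242525bfea2886f71820f37b6"
EXPECTED_SHA1="cc46af61115d717200061a151c32fb837088d264"
EXPECTED_SHA256="22f9f9a1960f1cda6640c91a9157d49653e3839261e56a85fee061e49595739a"

# digest FILE ALGO: print the lowercase hex digest of FILE for ALGO (md5|sha1|sha256).
digest() {
    case "$2" in
        md5)    md5sum    "$1" | cut -d' ' -f1 ;;
        sha1)   sha1sum   "$1" | cut -d' ' -f1 ;;
        sha256) sha256sum "$1" | cut -d' ' -f1 ;;
        *)      echo "unknown algorithm: $2" >&2; return 2 ;;
    esac
}

# check_digest FILE ALGO EXPECTED: return 0 if the computed digest equals EXPECTED.
# Expected values are normalised to lowercase so copy-pasted uppercase hex also works.
check_digest() {
    got="$(digest "$1" "$2")" || return 2
    want="$(printf '%s' "$3" | tr 'A-F' 'a-f')"
    if [ "$got" = "$want" ]; then
        echo "$2: OK"
        return 0
    fi
    echo "$2: MISMATCH (expected $want, got $got)" >&2
    return 1
}

# verify_package FILE MD5 SHA1 SHA256: succeed only when every published digest matches.
# All three are checked so that a single mismatch anywhere blocks the import.
verify_package() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    rc=0
    check_digest "$1" md5    "$2" || rc=1
    check_digest "$1" sha1   "$3" || rc=1
    check_digest "$1" sha256 "$4" || rc=1
    return $rc
}

# Usage: sh verify_update.sh /path/to/downloaded-update-package   (path is a placeholder)
if [ -n "${1:-}" ]; then
    if verify_package "$1" "$EXPECTED_MD5" "$EXPECTED_SHA1" "$EXPECTED_SHA256"; then
        echo "All checksums match: safe to import in the Management Client."
    else
        echo "Checksum verification failed: do not import this file." >&2
        exit 1
    fi
fi
```

A non-zero exit from verify_package should stop the rollout rather than be logged and ignored; the comparison is against values taken from the release notes, so the notes themselves must come from the vendor site over TLS rather than from the same channel as the download.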

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.