Release notes for update package 1729-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday May 23, 2024
MD5 CHECKSUM:    b12519ecf4c12d30059c99271398007f
SHA1 CHECKSUM:    61416c4a839125ba83849ef77d86b9333ed730b9
SHA256 CHECKSUM:    9c51f28293635cf0e249656503d700d8b7494ab2432027333f0eeec96e56cf69


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level    Description    Reference    Vulnerability
High    An attempt to exploit a vulnerability in WordPress File Manager Advanced Shortcode Plugin detected    CVE-2023-2068    Wordpress-File-Manager-Advanced-Shortcode-RCE
High    An attempt to exploit a vulnerability in PyTorch detected    CVE-2023-43654    PyTorch-Model-Server-Registration-And-Deserialization-RCE
High    An attempt to exploit a vulnerability in Wazuh Wazuh detected    CVE-2023-50260    Wazuh-Wazuh-Host-Deny-Command-Injection
High    An attempt to exploit a vulnerability in D-Link DIR-605 detected    CVE-2021-40655    D-Link-Dir-605-Information-Disclosure-CVE-2021-40655
High    An attempt to exploit a vulnerability in XWiki detected    CVE-2024-31997    Xwiki.org-Xwiki-Uiextension-Wikiuiextensionparameters-Code-Injection
High    An attempt to exploit a vulnerability in Ivanti Avalanche detected    CVE-2024-24992    Ivanti-Avalanche-Getadhocfilepath-Directory-Traversal
High    An attempt to exploit a vulnerability in FXC AE1021PE router firmware detected    CVE-2023-49897    FXC-AE1021PE-Router-Command-Injection-CVE-2023-49897
High    An attempt to exploit a vulnerability in Fluent Bit detected    CVE-2024-4323    Fluent-Bit-Memory-Corruption-CVE-2024-4323
High    Ebury SSH Rootkit backdoor detected    No CVE/CAN    Ebury-SSH-Backdoor-Activity
High    Ebury SSH Rootkit backdoor detected    No CVE/CAN    Ebury-SSH-Backdoor-Activity


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Wordpress-File-Manager-Advanced-Shortcode-RCE    CVE-2023-2068    HTTP_CS-Wordpress-File-Manager-Advanced-Shortcode-RCE    Suspected Compromise

SSH TCP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Ebury-SSH-Backdoor-Activity    No CVE/CAN    SSH_Ebury-SSH-Client-Backdoor-Activity    Potential Compromise

TCP Client Stream Unknown

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Ebury-SSH-Backdoor-Activity    No CVE/CAN    Generic_CS-Ebury-SSH-Backdoor-Activity    Potential Compromise

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    PyTorch-Model-Server-Registration-And-Deserialization-RCE    CVE-2023-43654    HTTP_CSU-PyTorch-Model-Server-Registration-And-Deserialization-RCE    Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Wazuh-Wazuh-Host-Deny-Command-Injection    CVE-2023-50260    HTTP_CRL-Wazuh-Wazuh-Host-Deny-Command-Injection    Suspected Compromise
High    D-Link-Dir-605-Information-Disclosure-CVE-2021-40655    CVE-2021-40655    HTTP_CRL-D-Link-Dir-605-Information-Disclosure-CVE-2021-40655    Suspected Compromise
High    Xwiki.org-Xwiki-Uiextension-Wikiuiextensionparameters-Code-Injection    CVE-2024-31997    HTTP_CRL-Xwiki.org-Xwiki-Uiextension-Wikiuiextensionparameters-Code-Injection    Suspected Compromise
High    Ivanti-Avalanche-Getadhocfilepath-Directory-Traversal    CVE-2024-24992    HTTP_CRL-Ivanti-Avalanche-Getadhocfilepath-Directory-Traversal    Suspected Compromise
High    FXC-AE1021PE-Router-Command-Injection-CVE-2023-49897    CVE-2023-49897    HTTP_CRL-FXC-AE1021PE-Router-Command-Injection-CVE-2023-49897    Suspected Compromise
High    Fluent-Bit-Memory-Corruption-CVE-2024-4323    CVE-2024-4323    HTTP_CRL-Fluent-Bit-Memory-Corruption-CVE-2024-4323    Potential Compromise

Updated detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Wordpress-Plugin-Catch-Themes-Demo-Import-RCE    CVE-2021-39352    HTTP_CS-Wordpress-Plugin-Catch-Themes-Demo-Import-RCE    Suspected Compromise    Fingerprint regexp changed

PDF File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Foxit-Reader-JavaScript-popUpMenu-Use-After-Free    CVE-2019-6730    File-PDF_Foxit-Reader-JavaScript-popUpMenu-Use-After-Free    Suspected Compromise    Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type    Name
Category    Fluent Bit
Category    Wazuh
Category    WordPress File Manager Advanced Shortcode Plugin
Category    PyTorch
Category    FXC AE1021PE

Updated objects:

Type    Name    Changes
Certificate Authority    Microsoft IT TLS CA 1 int    Marked for removal
Certificate Authority    Microsoft IT TLS CA 4 int    Marked for removal
Situation    URL_List-DNS-Over-HTTPS    Detection mechanism updated
IPList    Rwanda
IPList    Somalia
IPList    Yemen
IPList    Iraq
IPList    Saudi Arabia
IPList    Iran
IPList    Cyprus
IPList    Tanzania
IPList    Syria
IPList    Armenia
IPList    Kenya
IPList    DR Congo
IPList    Djibouti
IPList    Uganda
IPList    Central African Republic
IPList    Seychelles
IPList    Jordan
IPList    Lebanon
IPList    Kuwait
IPList    Oman
IPList    Qatar
IPList    Bahrain
IPList    United Arab Emirates
IPList    Israel
IPList    Türkiye
IPList    Ethiopia
IPList    Eritrea
IPList    Egypt
IPList    Sudan
IPList    Greece
IPList    Burundi
IPList    Estonia
IPList    Latvia
IPList    Azerbaijan
IPList    Lithuania
IPList    Georgia
IPList    Moldova
IPList    Belarus
IPList    Finland
IPList    Ukraine
IPList    Hungary
IPList    Bulgaria
IPList    Albania
IPList    Poland
IPList    Romania
IPList    Zimbabwe
IPList    Zambia
IPList    Comoros
IPList    Malawi
IPList    Lesotho
IPList    Botswana
IPList    Mauritius
IPList    Eswatini
IPList    Réunion
IPList    South Africa
IPList    Mayotte
IPList    Mozambique
IPList    Madagascar
IPList    Afghanistan
IPList    Pakistan
IPList    Bangladesh
IPList    Turkmenistan
IPList    Tajikistan
IPList    Sri Lanka
IPList    Bhutan
IPList    India
IPList    Maldives
IPList    Nepal
IPList    Myanmar
IPList    Uzbekistan
IPList    Kazakhstan
IPList    Kyrgyzstan
IPList    Cocos (Keeling) Islands
IPList    Palau
IPList    Vietnam
IPList    Thailand
IPList    Indonesia
IPList    Laos
IPList    Taiwan
IPList    Philippines
IPList    Malaysia
IPList    China
IPList    Hong Kong
IPList    Brunei
IPList    Macao
IPList    Cambodia
IPList    South Korea
IPList    Japan
IPList    North Korea
IPList    Singapore
IPList    Cook Islands
IPList    Timor-Leste
IPList    Russia
IPList    Mongolia
IPList    Australia
IPList    Christmas Island
IPList    Marshall Islands
IPList    Federated States of Micronesia
IPList    Papua New Guinea
IPList    Solomon Islands
IPList    Tuvalu
IPList    Nauru
IPList    Vanuatu
IPList    New Caledonia
IPList    Norfolk Island
IPList    New Zealand
IPList    Fiji
IPList    Libya
IPList    Cameroon
IPList    Senegal
IPList    Congo Republic
IPList    Portugal
IPList    Liberia
IPList    Ivory Coast
IPList    Ghana
IPList    Equatorial Guinea
IPList    Nigeria
IPList    Burkina Faso
IPList    Togo
IPList    Guinea-Bissau
IPList    Mauritania
IPList    Benin
IPList    Gabon
IPList    Sierra Leone
IPList    São Tomé and Príncipe
IPList    Gambia
IPList    Guinea
IPList    Chad
IPList    Niger
IPList    Mali
IPList    Western Sahara
IPList    Tunisia
IPList    Spain
IPList    Morocco
IPList    Malta
IPList    Algeria
IPList    Denmark
IPList    Iceland
IPList    United Kingdom
IPList    Switzerland
IPList    Sweden
IPList    The Netherlands
IPList    Austria
IPList    Belgium
IPList    Germany
IPList    Luxembourg
IPList    Ireland
IPList    France
IPList    Jersey
IPList    Guernsey
IPList    Slovakia
IPList    Czechia
IPList    Norway
IPList    Italy
IPList    Slovenia
IPList    Montenegro
IPList    Croatia
IPList    Angola
IPList    Namibia
IPList    Barbados
IPList    Cabo Verde
IPList    Paraguay
IPList    Uruguay
IPList    Brazil
IPList    Jamaica
IPList    Dominican Republic
IPList    Anguilla
IPList    St Kitts and Nevis
IPList    Antigua and Barbuda
IPList    Saint Lucia
IPList    Turks and Caicos Islands
IPList    Aruba
IPList    British Virgin Islands
IPList    St Vincent and Grenadines
IPList    Cayman Islands
IPList    Belize
IPList    El Salvador
IPList    Guatemala
IPList    Honduras
IPList    Nicaragua
IPList    Costa Rica
IPList    Venezuela
IPList    Ecuador
IPList    Colombia
IPList    Panama
IPList    Argentina
IPList    Chile
IPList    Peru
IPList    Mexico
IPList    French Polynesia
IPList    Pitcairn Islands
IPList    Kiribati
IPList    Tokelau
IPList    Tonga
IPList    Wallis and Futuna
IPList    Samoa
IPList    Niue
IPList    Northern Mariana Islands
IPList    Guam
IPList    Puerto Rico
IPList    U.S. Virgin Islands
IPList    American Samoa
IPList    Canada
IPList    United States
IPList    Palestine
IPList    Antarctica
IPList    Curaçao
IPList    South Sudan
IPList    TOR exit nodes IP Address List
IPList    Amazon AMAZON
IPList    Amazon S3
IPList    Amazon EC2
IPList    TOR relay nodes IP Address List
IPList    Microsoft Azure datacenter for centralus
IPList    Microsoft Azure datacenter for eastus2
IPList    Microsoft Azure datacenter for eastus
IPList    Microsoft Azure datacenter for japaneast
IPList    Microsoft Azure datacenter for northcentralus
IPList    Microsoft Azure datacenter for northeurope
IPList    Microsoft Azure datacenter for southcentralus
IPList    Microsoft Azure datacenter for westcentralus
IPList    Microsoft Azure datacenter for westeurope
IPList    Microsoft Azure datacenter for westus2
IPList    Microsoft Azure datacenter
IPList    Botnet IP Address List
IPList    Malicious Site IP Address List
IPList    Microsoft Azure datacenter for malaysiasouth
IPList    Amazon AMAZON ap-southeast-1
IPList    Amazon EC2 ap-southeast-1
IPList    NordVPN Servers IP Address List
IPList    Amazon AMAZON eu-central-1
IPList    Microsoft Azure service for StorageMover
IPList    Amazon AMAZON us-east-1
IPList    Amazon S3 us-east-1
IPList    Amazon EC2 us-east-1
IPList    Amazon AMAZON us-east-2
IPList    Amazon EC2 us-east-2
IPList    Microsoft Azure service for AppService
IPList    Microsoft Azure service for AzureCloud
IPList    Microsoft Azure service for GuestAndHybridManagement
IPList    Microsoft Azure datacenter for westus3
IPList    Microsoft Azure datacenter for qatarcentral
IPList    Microsoft Azure datacenter for taiwannorth
Situation    HTTP_PSU-Shared-Variables
    Fingerprint regexp changed
Situation    File-Text_ProZilla-FTPSearch-Buffer-Overflow
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application ProZilla removed
    Category tag group CVE2005 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Fingerprint regexp changed
Situation    File-Text_Novell-iPrint-Client-ActiveX-Control-UploadPrinterDriver-BOF
    Description has changed
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application Novell iPrint Client for Windows removed
    Category tag group CVE2008 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Fingerprint regexp changed
Situation    File-Text_Mozilla-Products-SVG-Layout-Engine-Index-Parameter-Memory-Corruption
    Description has changed
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application Mozilla SeaMonkey removed
    Category tag application Mozilla Firefox removed
    Category tag application Mozilla Thunderbird removed
    Category tag group CVE2007 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Fingerprint regexp changed
Situation    File-Text_E-Book-Systems-FlipViewer-ActiveX-Control-Buffer-Overflow
    Description has changed
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application E-Book Systems FlipViewer removed
    Category tag group CVE2007 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Fingerprint regexp changed
Situation    File-Text_Zenturi-ProgramChecker-sasatl-ActiveX-Control-DebugMsgLog-Method
    Description has changed
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application Zenturi ProgramChecker removed
    Category tag group CVE2007 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Fingerprint regexp changed
Situation    File-Text_Microsoft-ATL-Uninitialized-Object
    Description has changed
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag group MS2009-08 removed
    Category tag group CVE2009 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation    File-Text_Novell-Groupwise-Client-Img-Tag-Src-Parameter-Buffer-Overflow
    Description has changed
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application Novell GroupWise Client removed
    Category tag group CVE2007 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Fingerprint regexp changed
Situation    File-Text_ActiveX-Shared-Variables
Situation    File-Text_Suspicious-HTML-File
Application    Oracle-Cloud
    Category tag application_usage Infrastructure Services added
    Category tag application_usage ERP/CRM removed
Application    TOR
Application    DNS-Over-HTTPS
Application    NordVPN

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
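Step 1 asks you to confirm that the checksums of the downloaded file match the ones published at the top of this page before the package is imported. The following POSIX shell script is an added example, not part of the Forcepoint release notes or any Forcepoint tooling: it checks all three published digests (MD5, SHA1 and SHA256) for package 1729-5242 and fails if any one of them differs. It assumes the coreutils `md5sum`, `sha1sum` and `sha256sum` commands are available; the file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not part of the Forcepoint release notes): verify a downloaded
# dynamic update package against the MD5, SHA1 and SHA256 checksums published
# for package 1729-5242 before importing it into the Management Client.
# Assumes coreutils md5sum/sha1sum/sha256sum are on PATH.

# Expected digests, copied from the release notes for package 1729-5242.
EXPECTED_MD5=b12519ecf4c12d30059c99271398007f
EXPECTED_SHA1=61416c4a839125ba83849ef77d86b9333ed730b9
EXPECTED_SHA256=9c51f28293635cf0e249656503d700d8b7494ab2432027333f0eeec96e56cf69

# hash_of ALGO FILE: print the lowercase hex digest of FILE for ALGO in
# {md5, sha1, sha256}, using the matching coreutils "<algo>sum" command.
hash_of() {
    "${1}sum" "$2" | awk '{print $1}'
}

# verify_package FILE MD5 SHA1 SHA256
# Compares every published digest with the file's actual digest. Returns 0 only
# when all three match, so a stale or tampered download is rejected even if one
# of the weaker digests (MD5, SHA1) happens to agree.
verify_package() {
    file=$1
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    # Normalise expected values to lowercase so pasted uppercase hashes compare.
    md5=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sha1=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    sha256=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    rc=0
    for pair in "md5 $md5" "sha1 $sha1" "sha256 $sha256"; do
        set -- $pair            # $1 = algorithm, $2 = expected digest
        actual=$(hash_of "$1" "$file")
        if [ "$actual" = "$2" ]; then
            echo "$1 OK"
        else
            echo "$1 MISMATCH: expected $2, got $actual" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (assumed file name for the downloaded package):
# verify_package update-1729-5242.jar "$EXPECTED_MD5" "$EXPECTED_SHA1" "$EXPECTED_SHA256" || exit 1
```

Run the verification on the downloaded file before step 2; a non-zero exit status means at least one digest did not match and the package should not be imported.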

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.