Release notes for update package 1772-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:	Thursday September 05, 2024
MD5 CHECKSUM:	cd12d9bef1001e292a770f403f17a454
SHA1 CHECKSUM:	43333d1851695489b9ac0ae9f94f07207920d400
SHA256 CHECKSUM:	3560598283c59525641536ae61e7ea0d49a3cc9183569df1a10dcdfb62d0b2a3

UPDATE CRITICALITY: HIGH

MINIMUM SOFTWARE VERSIONS

- Forcepoint NGFW Security Management Center:	6.10.1.11125
- Forcepoint NGFW:	6.8.1.24103

List of detected attacks in this update package:

Risk level	Description	Reference	Vulnerability
High	An attempt to exploit a vulnerability in Ivanti Avalanche detected	CVE-2024-38652	Ivanti-Avalanche-Remote-Control-Server-Deleteskin-Directory-Traversal
High	An attempt to exploit a vulnerability in AVTECH IP camera AVM1203 detected	CVE-2024-7029	Avtech-IP-Camera-AVM1203-Command-Injection-CVE-2024-7029
High	An attempt to exploit a vulnerability in National Instruments FlexLogger detected	CVE-2024-4044	NI-Flexlogger-Flxproj-File-Parsedatavalueasxmlhierarchy-Insecure-Deserialization
High	An attempt to exploit a vulnerability in GitLab detected	CVE-2023-6502	Gitlab-Gollum-Link-Regex-Denial-Of-Service
High	An attempt to exploit a vulnerability in an AXIS device detected	CVE-2013-3543	Axis-Media-Control-Unsafe-ActiveX-Method
High	An attempt to exploit a vulnerability in Microsoft XML Core Services detected	CVE-2006-5745	HTTP-Microsoft-Xml-Core-Services-ActiveX-Control-Code-Exectution
High	An attempt to exploit a vulnerability in AVTECH IP camera firmware detected	No CVE/CAN	Avtech-IP-Camera-Multiple-Command-Injection-Vulnerabilities
High	ARMBot Botnet traffic has been detected	No CVE/CAN	ARMBot-Botnet
High	A possible attempt to exploit a vulnerability in multiple versions of the AVTECH IP camera firmware	No CVE/CAN	Avtech-IP-Camera-Cgi-Bin-Nobody-Access
High	Lumma Stealer command-and-control traffic detected	No CVE/CAN	Lumma-Stealer-C2-Activity

Jump to: Detected Attacks Other Changes

DETECTED ATTACKS

New detected attacks:

HTTP Request URI

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	Lumma-Stealer-C2-Activity	No CVE/CAN	HTTP_CSU-Lumma-Stealer-C2-Activity	Spyware, Malware and Adware
High	Avtech-IP-Camera-Cgi-Bin-Nobody-Access	No CVE/CAN	HTTP_CSU-Avtech-IP-Camera-Cgi-Bin-Nobody-Access	Potential Compromise

HTTP Normalized Request-Line

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	Ivanti-Avalanche-Remote-Control-Server-Deleteskin-Directory-Traversal	CVE-2024-38652	HTTP_CRL-Ivanti-Avalanche-Remote-Control-Server-Deleteskin-Directory-Traversal	Suspected Compromise
High	ARMBot-Botnet	No CVE/CAN	HTTP_CRL-ARMBot-Botnet	Suspected Compromise
High	Gitlab-Gollum-Link-Regex-Denial-Of-Service	CVE-2023-6502	HTTP_CRL-Gitlab-Gollum-Link-Regex-Denial-Of-Service	Suspected Compromise
High	Avtech-IP-Camera-AVM1203-Command-Injection-CVE-2024-7029	CVE-2024-7029	HTTP_CRL-Avtech-IP-Camera-AVM1203-Command-Injection-CVE-2024-7029	Suspected Compromise
High	Avtech-IP-Camera-Multiple-Command-Injection-Vulnerabilities	No CVE/CAN	HTTP_CRL-Avtech-IP-Camera-Multiple-Command-Injection-Vulnerabilities	Suspected Compromise

Text File Stream

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	HTTP-Microsoft-Xml-Core-Services-ActiveX-Control-Code-Exectution	CVE-2006-5745	File-Text_Microsoft-Xml-Core-Services-ActiveX-Control-Code-Execution-With-Open	Suspected Compromise
High	Axis-Media-Control-Unsafe-ActiveX-Method	CVE-2013-3543	File-Text_Axis-Media-Control-Unsafe-ActiveX-Method	Suspected Compromise

Identified Text File Stream

Risk	Vulnerability/Situation	References	Related Fingerprint	Situation Type
High	NI-Flexlogger-Flxproj-File-Parsedatavalueasxmlhierarchy-Insecure-Deserialization	CVE-2024-4044	File-TextId_NI-Flexlogger-Flxproj-File-Parsedatavalueasxmlhierarchy-Insecure-Deserialization	Suspected Compromise

Updated detected attacks:

HTTP Normalized Request-Line

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

QNAP-Multiple-Products-Privwizard-Username-Command-Injection

CVE-2024-32766

HTTP_CRL-QNAP-Multiple-Products-Privwizard-Username-Command-Injection

Suspected Compromise

Fingerprint regexp changed

PNG File Stream

Risk

Vulnerability/Situation

References

Related Fingerprint

Situation Type

Change Description

High

Adobe-Products-PNG-File-Handling-Stack-Buffer-Overflow

CVE-2007-2365

File-PNG_Adobe-Products-PNG-File-Handling-Stack-Buffer-Overflow

Suspected Compromise

Category tag situation Suspected Compromise added

Category tag situation Potential Compromise removed

Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type	Name
Category	National Instruments FlexLogger
Category	National Instruments InstrumentStudio
Category	Shutter
Category	Lumma Stealer
Category	AVTECH IP camera AVM1203
Category	AVTECH IP camera
IPList	Google Cloud IP Address List for northamerica-south1
Situation	File-Name_File-Name-Beginning-With-Possible-Command-Injection-Characters

Updated objects:

Type

Name

Changes

Situation

URL_List-DNS-Over-HTTPS

Detection mechanism updated

IPList

Rwanda

IPList

Iraq

IPList

Saudi Arabia

IPList

Iran

IPList

Cyprus

IPList

Armenia

IPList

Kenya

IPList

Central African Republic

IPList

Seychelles

IPList

Jordan

IPList

Lebanon

IPList

Oman

IPList

Qatar

IPList

Bahrain

IPList

United Arab Emirates

IPList

Israel

IPList

Türkiye

IPList

Ethiopia

IPList

Egypt

IPList

Estonia

IPList

Latvia

IPList

Azerbaijan

IPList

Lithuania

IPList

Georgia

IPList

Moldova

IPList

Belarus

IPList

Finland

IPList

Åland Islands

IPList

Ukraine

IPList

Hungary

IPList

Bulgaria

IPList

Albania

IPList

Poland

IPList

Romania

IPList

Zimbabwe

IPList

Mauritius

IPList

South Africa

IPList

Afghanistan

IPList

Pakistan

IPList

Bangladesh

IPList

Tajikistan

IPList

Bhutan

IPList

India

IPList

Myanmar

IPList

Uzbekistan

IPList

Kazakhstan

IPList

Vietnam

IPList

Thailand

IPList

Indonesia

IPList

Taiwan

IPList

Philippines

IPList

Malaysia

IPList

China

IPList

Hong Kong

IPList

Macao

IPList

South Korea

IPList

Japan

IPList

North Korea

IPList

Singapore

IPList

Russia

IPList

Australia

IPList

New Zealand

IPList

Portugal

IPList

Liberia

IPList

Ghana

IPList

Nigeria

IPList

Togo

IPList

Gibraltar

IPList

Chad

IPList

Tunisia

IPList

Spain

IPList

Morocco

IPList

Denmark

IPList

United Kingdom

IPList

Switzerland

IPList

Sweden

IPList

The Netherlands

IPList

Austria

IPList

Belgium

IPList

Germany

IPList

Luxembourg

IPList

Ireland

IPList

France

IPList

Isle of Man

IPList

Slovakia

IPList

Czechia

IPList

Norway

IPList

Italy

IPList

Montenegro

IPList

Croatia

IPList

Bouvet Island

IPList

Uruguay

IPList

Brazil

IPList

Jamaica

IPList

Dominican Republic

IPList

Cuba

IPList

Bahamas

IPList

Bermuda

IPList

Trinidad and Tobago

IPList

Saint Lucia

IPList

Turks and Caicos Islands

IPList

Aruba

IPList

British Virgin Islands

IPList

Cayman Islands

IPList

Belize

IPList

Guatemala

IPList

Honduras

IPList

Costa Rica

IPList

Venezuela

IPList

Ecuador

IPList

Colombia

IPList

Argentina

IPList

Chile

IPList

Peru

IPList

Mexico

IPList

Guam

IPList

Puerto Rico

IPList

U.S. Virgin Islands

IPList

Canada

IPList

United States

IPList

Serbia

IPList

Antarctica

IPList

TOR exit nodes IP Address List

IPList

Amazon AMAZON

IPList

Amazon EC2

IPList

TOR relay nodes IP Address List

IPList

Zscaler IP Address List

IPList

Amazon AMAZON ap-northeast-1

IPList

Botnet IP Address List

IPList

Malicious Site IP Address List

IPList

Amazon AMAZON ap-south-1

IPList

Amazon AMAZON ap-southeast-1

IPList

NordVPN Servers IP Address List

IPList

Amazon AMAZON ap-southeast-2

IPList

Amazon AMAZON us-east-1

IPList

Amazon EC2 us-east-1

IPList

Forcepoint Drop IP Address List

Situation

HTTP_CRL-Shared-Variables

Application

Kaspersky-AV

Category tag application_group Application Routing added

Application

WeChat

Category tag application_group Application Routing added

Application

AnyDesk

Category tag application_group Application Routing added

Application

TOR

Application

DNS-Over-HTTPS

Application

ProtonVPN

Category tag application_group Application Routing added

Application

Webex-Teams

Category tag application_group Application Routing added

Application

NordVPN

Application

LinkedIn-Learning

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
In the Management Client, select Menu > File > Import > Import Update Packages.
Browse to the file, select it, then click Import.
Select Configuration, then browse to Administration > Other Elements > Updates.
Right-click the imported dynamic update package, then select Activate.
When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.