Release notes for update package 1774-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday September 09, 2024
MD5 CHECKSUM:    57f72bf708fdb7ffc2d2fc0eff1d99d6
SHA1 CHECKSUM:    8d9f359a1311813ba9ddeda84ede23361ec3f582
SHA256 CHECKSUM:    0741a3a1bfba018b8d24e19dc0a94448f4be22f48d3c8fffacda5f5a029e03a3


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Apache OFBiz detected     CVE-2024-45195     Apache-Ofbiz-Unauthenticated-Endpoint-Code-Execution-CVE-2024-45195
High     An attempt to exploit a vulnerability in Progress Software WhatsUp Gold detected     CVE-2024-5016     Progress-WhatsUp-Gold-Onmessage-Insecure-Deserialization-CVE-2024-5016
High     An attempt to exploit a vulnerability in Progress Software WhatsUp Gold detected     CVE-2024-5016     Progress-WhatsUp-Gold-Onmessage-Insecure-Deserialization-CVE-2024-5016
High     An attempt to exploit a vulnerability in pgAdmin detected     CVE-2024-3116     Pgadmin-Binary-Path-API-RCE
High     An attempt to exploit a vulnerability in ThinkPHP detected     CVE-2022-47945     ThinkPHP-Local-File-Inclusion-CVE-2022-47945
High     An attempt to exploit a vulnerability in ThinkPHP detected     CVE-2022-47945     ThinkPHP-Local-File-Inclusion-CVE-2022-47945
High     An attempt to exploit a vulnerability in Microsoft Excel detected     CVE-2018-8382     Microsoft-Excel-Note-Record-Information-Disclosure-CVE-2018-8382
High     An attempt to exploit a vulnerability in Microsoft Excel detected     CVE-2018-8246     Microsoft-Excel-Parsed-Expression-Information-Disclosure-CVE-2018-8246
High     An attempt to exploit a vulnerability in Haihaisoft Universal Player detected     CVE-2009-4219     Haihaisoft-Universal-Player-Stack-Based-Buffer-Overflow
High     A request containing a suspicious JSON object detected     No CVE/CAN Suspicious-JSON-Object-With-Unnecessarily-Escaped-Characters
Low     search-ms or search URI scheme detected     No CVE/CAN MS-Search-URI-Scheme


DETECTED ATTACKS

New detected attacks:

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High ThinkPHP-Local-File-Inclusion-CVE-2022-47945 CVE-2022-47945 HTTP_CSU-ThinkPHP-Local-File-Inclusion-CVE-2022-47945 Suspected Compromise
High Apache-Ofbiz-Unauthenticated-Endpoint-Code-Execution-CVE-2024-45195 CVE-2024-45195 HTTP_CRL-Potential-Apache-Ofbiz-Unauthenticated-Endpoint-Code-Execution-CVE-2024-45195 Potential Compromise

HTTP Request Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High ThinkPHP-Local-File-Inclusion-CVE-2022-47945 CVE-2022-47945 HTTP_CSH-ThinkPHP-Local-File-Inclusion-CVE-2022-47945 Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Pgadmin-Binary-Path-API-RCE CVE-2024-3116 HTTP_CRL-Pgadmin-Binary-Path-API-RCE Suspected Compromise

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
Low MS-Search-URI-Scheme No CVE/CAN File-Text_MS-Search-URI-Scheme-Link-In-HTML Possibly Unwanted Content
High Haihaisoft-Universal-Player-Stack-Based-Buffer-Overflow CVE-2009-4219 File-Text_Haihaisoft-Universal-Player-Stack-Based-Buffer-Overflow Suspected Compromise
High Suspicious-JSON-Object-With-Unnecessarily-Escaped-Characters No CVE/CAN File-Text_Suspicious-JSON-Object-With-Unnecessarily-Escaped-Characters Potential Compromise

OLE File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Microsoft-Excel-Note-Record-Information-Disclosure-CVE-2018-8382 CVE-2018-8382 File-OLE_Microsoft-Excel-Note-Record-Information-Disclosure-CVE-2018-8382 Potential Compromise
High Microsoft-Excel-Parsed-Expression-Information-Disclosure-CVE-2018-8246 CVE-2018-8246 File-OLE_Microsoft-Excel-Parsed-Expression-Information-Disclosure-CVE-2018-8246 Potential Compromise

WebSocket Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Progress-WhatsUp-Gold-Onmessage-Insecure-Deserialization-CVE-2024-5016 CVE-2024-5016 WebSocket_CS-Progress-WhatsUp-Gold-Onmessage-Insecure-Deserialization-CVE-2024-5016 Suspected Compromise

WebSocket Server Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High Progress-WhatsUp-Gold-Onmessage-Insecure-Deserialization-CVE-2024-5016 CVE-2024-5016 WebSocket_SS-Progress-WhatsUp-Gold-Onmessage-Insecure-Deserialization-CVE-2024-5016 Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High Check-Point-Security-Gateway-Information-Disclosure-CVE-2024-24919 CVE-2024-24919 HTTP_CS-Check-Point-Security-Gateway-Information-Disclosure-CVE-2024-24919 Suspected Compromise    Fingerprint regexp changed
High Sonatype-Nexus-Repository-Manager-Webresourceservice-Directory-Traversal CVE-2024-4956 HTTP_CS-Sonatype-Nexus-Repository-Manager-Webresourceservice-Directory-Traversal Suspected Compromise    Fingerprint regexp changed

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High TP-Link-Local-File-Disclosure-CVE-2015-3035 CVE-2015-3035 HTTP_CSU-TP-Link-Local-File-Disclosure-CVE-2015-3035 Suspected Disclosure    Fingerprint regexp changed
High SysAid-On-Premise-Directory-Traversal-CVE-2023-47246 CVE-2023-47246 HTTP_CSU-SysAid-On-Premise-Directory-Traversal-CVE-2023-47246 Suspected Compromise    Fingerprint regexp changed
High Qlik-Sense-Path-Traversal-CVE-2023-41266 CVE-2023-41266 HTTP_CSU-Qlik-Sense-Path-Traversal-CVE-2023-41266 Suspected Compromise    Fingerprint regexp changed
High LG-LED-Assistant-Upload-Directory-Traversal No CVE/CAN HTTP_CSU-LG-LED-Assistant-Upload-Directory-Traversal Suspected Compromise    Fingerprint regexp changed
High SAP-Netweaver-File-Upload-Vulnerability-CVE-2021-38163 CVE-2021-38163 HTTP_CSU-SAP-Netweaver-File-Upload-Vulnerability-CVE-2021-38163 Suspected Compromise    Fingerprint regexp changed
High Ivanti-Connect-Secure-Authentication-Bypass-CVE-2023-46805 CVE-2023-46805 HTTP_CSU-Ivanti-Connect-Secure-Authentication-Bypass-CVE-2023-46805 Suspected Compromise    Fingerprint regexp changed
High LG-LED-Assistant-Updatefile-Directory-Traversal No CVE/CAN HTTP_CSU-LG-LED-Assistant-Updatefile-Directory-Traversal Suspected Compromise    Fingerprint regexp changed
High JetBrains-TeamCity-Path-Traversal-CVE-2024-27199 CVE-2024-27199 HTTP_CSU-JetBrains-TeamCity-Path-Traversal-CVE-2024-27199 Suspected Compromise    Fingerprint regexp changed
High Aiohttp-Directory-Traversal-CVE-2024-23334 CVE-2024-23334 HTTP_CSU-Aiohttp-Directory-Traversal-CVE-2024-23334 Suspected Compromise    Fingerprint regexp changed
High Treasure-Data-Digdag-Getfile-Directory-Traversal CVE-2024-25125 HTTP_CSU-Treasure-Data-Digdag-Getfile-Directory-Traversal Suspected Compromise    Fingerprint regexp changed
High Apache-Ofbiz-Forgot-Password-Directory-Traversal CVE-2024-32113 HTTP_CSU-Apache-Ofbiz-Forgot-Password-Directory-Traversal Suspected Compromise    Fingerprint regexp changed
High Common-Command-Injection-String No CVE/CAN HTTP_CSU-Common-Command-Injection-String-2 Potential Compromise    Fingerprint regexp changed

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High Stagil-Navigation-For-JIRA-Path-Traversal-Vulnerabilities CVE-2023-26255 HTTP_CRL-Stagil-Navigation-For-JIRA-Path-Traversal-Vulnerabilities Suspected Compromise    Fingerprint regexp changed
High Ivanti-Avalanche-Path-Traversal-CVE-2023-41474 CVE-2023-41474 HTTP_CRL-Ivanti-Avalanche-Path-Traversal-CVE-2023-41474 Suspected Compromise    Fingerprint regexp changed
High LG-LED-Assistant-Setthumbnailrc-Directory-Traversal No CVE/CAN HTTP_CRL-LG-LED-Assistant-Setthumbnailrc-Directory-Traversal Suspected Compromise    Fingerprint regexp changed
High Ivanti-Avalanche-Getadhocfilepath-Directory-Traversal CVE-2024-24992 HTTP_CRL-Ivanti-Avalanche-Getadhocfilepath-Directory-Traversal Suspected Compromise    Fingerprint regexp changed
High Nagios-XI-Command_test.php-Command-Injection No CVE/CAN HTTP_CRL-Nagios-XI-Command_test.php-Command-Injection Suspected Compromise    Fingerprint regexp changed

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High MS-Search-URI-Scheme No CVE/CAN File-Text_Suspicious-MS-Search-URI-Scheme-Link-In-HTML Potential Compromise    Fingerprint regexp changed
High Microsoft-VBScript-Scripting-Engine-CVE-2014-6363 CVE-2014-6363 File-Text_Microsoft-VBScript-Scripting-Engine-CVE-2014-6363 Potential Compromise    Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type    Name
Category    Haihaisoft
Certificate Authority    TunTrust Root CA (1)
Certificate Authority    vTrus OV SSL CA G2
Certificate Authority    UCA Global G2 Root (4)
Certificate Authority    certSIGN Web CA (1)
Certificate Authority    Cybertrust Global Root (2)
Certificate Authority    DigiCert Global Root G2 (1)
Certificate Authority    DigiCert Global Root G2 (2)
Certificate Authority    DigiCert Basic OV G2 TLS CN RSA4096 SHA256 2022 CA1
Certificate Authority    DigiCert Secure Site OV G2 TLS CN RSA4096 SHA256 2022 CA1
Certificate Authority    PerfectSSL
Certificate Authority    DigiCert G3 TLS EU ECC P-384 SHA384 2022 CA1
Certificate Authority    Microsoft Azure ECC TLS Issuing CA 03
Certificate Authority    Microsoft Azure ECC TLS Issuing CA 04
Certificate Authority    DigiCert TLS RSA4096 Root G5 (2)
Certificate Authority    DigiCert G5 TLS EU RSA4096 SHA384 2022 CA1
Certificate Authority    AC Defesa GR3 OV TLS CA 2023
Certificate Authority    GlobalSign Atlas R3 AlphaSSL CA 2024 Q2
Certificate Authority    GlobalSign Atlas R3 DV TLS CA 2024 Q2
Certificate Authority    GlobalSign Atlas R3 DV TLS CA 2024 Q3
Certificate Authority    GlobalSign Atlas R3 OV TLS CA 2024 Q2
Certificate Authority    GlobalSign Atlas R3 OV TLS CA 2024 Q3
Certificate Authority    GTS Root R4 (1)
Certificate Authority    WR1
Certificate Authority    WR2
Certificate Authority    WR3
Certificate Authority    WR4
Certificate Authority    WE1
Certificate Authority    AC RAIZ FNMT-RCM (1)
Certificate Authority    TUBITAK Kamu SM SSL Sertifika Hizmet Saglayicisi - Surum 2
Certificate Authority    E5
Certificate Authority    E6
Certificate Authority    R10
Certificate Authority    R11
Certificate Authority    R12
Certificate Authority    R13
Certificate Authority    R14
Certificate Authority    E5 (1)
Certificate Authority    E6 (1)
Certificate Authority    E7
Certificate Authority    E8
Certificate Authority    E9
Certificate Authority    Microsec e-Szigno Root CA 2009 (1)
Certificate Authority    Microsec e-Szigno Root CA 2009 (2)
Certificate Authority    DigiCert QuoVadis 2G3 TLS RSA4096 SHA384 2023 CA1
Certificate Authority    SSL.com TLS Transit ECC CA R2
Certificate Authority    Ensured Root CA
Certificate Authority    FujiSSL ECC Business Secure Site CA
Certificate Authority    GoGetSSL ECC EV CA
Certificate Authority    GoGetSSL ECC OV CA
Certificate Authority    Apple Public Server RSA CA 11 - G1
Certificate Authority    CloudSecure RSA Organization Validation Secure Server CA 2
Certificate Authority    GeoSSL RSA Domain Validation Secure Server CA
Certificate Authority    McAfee RSA Organization Validation Secure Server CA 3
Certificate Authority    Sectigo Qualified Website Authentication CA R35
Certificate Authority    TI Trust Technologies DV CA
Certificate Authority    TrustAsia RSA EV TLS CA G3
Certificate Authority    TrustSign BR RSA DV SSL CA 3
Certificate Authority    Valid Certificadora RSA DV SSL CA
Certificate Authority    JoySSL DV Secure Server CA G1
Certificate Authority    KeepTrust DV TLS RSA CA G2
Certificate Authority    SSL.com EV Root Certification Authority RSA R2 (2)
Certificate Authority    Cloudflare TLS Issuing ECC CA 1
Certificate Authority    SwissSign RSA SMIME Root CA 2021 - 1
Certificate Authority    SwissSign RSA SMIME Root CA 2022 - 1
Certificate Authority    SwissSign RSA TLS Root CA 2021 - 1
Certificate Authority    SwissSign RSA TLS Root CA 2022 - 1
Certificate Authority    FIRMAPROFESIONAL CA ROOT-A WEB
Situation    Analyzer_DNS-Any-Queries-Brute-Force
Situation    DNS-UDP_Standard-Query-Request-Type-Any
Situation    File-Text_Outdated-Browser-Accessing-ActiveX-Object-In-HTML

Updated objects:

Type    Name    Changes
Certificate Authority    SSL Blindado EV 2    Marked for removal
IPList    Forcepoint Drop IP Address List
Situation    DNS-UDP_Standard-Query-Request-Type-KEY    Fingerprint regexp changed
Situation    HTTP_CSU-Shared-Variables
Situation    HTTP_CRL-Suspicious-Parameter-Value    Fingerprint regexp changed
Situation    HTTP_CSH-Directory-Traversal-In-Cookie-Header    Fingerprint regexp changed
Situation    File-Text_Shared-Variables    Fingerprint regexp changed
Situation    File-Text_ActiveX-Shared-Variables

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then verify that the checksums of the downloaded file match the MD5, SHA1 and SHA256 values listed at the top of these release notes. Do not import a file whose checksum differs.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
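The following POSIX shell script is an added example of how step 1 can be done on an administrator workstation; it is not part of these release notes or of Forcepoint's tooling. It computes the MD5, SHA1 and SHA256 digests of a downloaded package file, compares each against the values published at the top of this page for 1774-5242, and reports failure if any one of them differs. The function names `digest` and `verify_package` are this example's own; the expected values are taken from the page, and the script uses the coreutils checksum tools with `openssl dgst` as a fallback.

```shell
#!/bin/sh
# Added example (not Forcepoint code): verify a downloaded dynamic update
# package against the checksums published in its release notes.
# The function names digest and verify_package are this example's own.

# Checksums published on this page for update package 1774-5242.
PUBLISHED_MD5=57f72bf708fdb7ffc2d2fc0eff1d99d6
PUBLISHED_SHA1=8d9f359a1311813ba9ddeda84ede23361ec3f582
PUBLISHED_SHA256=0741a3a1bfba018b8d24e19dc0a94448f4be22f48d3c8fffacda5f5a029e03a3

# digest ALGO FILE: print the lowercase hex digest of FILE using ALGO
# (md5, sha1 or sha256). Prefers the coreutils *sum tools and falls back
# to "openssl dgst"; returns 2 if neither is available.
digest() {
  case $1 in
    md5)    sum_tool=md5sum ;;
    sha1)   sum_tool=sha1sum ;;
    sha256) sum_tool=sha256sum ;;
    *) echo "digest: unsupported algorithm '$1'" >&2; return 2 ;;
  esac
  if command -v "$sum_tool" >/dev/null 2>&1; then
    "$sum_tool" "$2" | awk '{ print $1 }'
  elif command -v openssl >/dev/null 2>&1; then
    # openssl prints "SHA256(file)= <hex>"; the digest is the last field.
    openssl dgst -"$1" "$2" | awk '{ print $NF }'
  else
    echo "digest: no tool available for $1" >&2
    return 2
  fi
}

# verify_package FILE MD5 SHA1 SHA256: compare FILE against all three
# expected values. Prints one OK/FAIL line per algorithm and returns 0
# only when every digest matches, 1 on any mismatch or a missing file,
# 2 if a digest could not be computed. Expected values may be upper case.
verify_package() {
  pkg=$1
  if [ ! -f "$pkg" ]; then
    echo "verify_package: no such file: $pkg" >&2
    return 1
  fi
  result=0
  for spec in "md5=$2" "sha1=$3" "sha256=$4"; do
    algo=${spec%%=*}
    want=$(printf '%s' "${spec#*=}" | tr 'A-F' 'a-f')
    got=$(digest "$algo" "$pkg") || return 2
    if [ "$got" = "$want" ]; then
      echo "OK   $algo $got"
    else
      echo "FAIL $algo expected $want, got $got" >&2
      result=1
    fi
  done
  return $result
}

# Stand-alone use: sh verify_update.sh /path/to/downloaded/package
# Checks the given file against the published 1774-5242 checksums.
if [ -n "${1:-}" ]; then
  if verify_package "$1" "$PUBLISHED_MD5" "$PUBLISHED_SHA1" "$PUBLISHED_SHA256"; then
    echo "All checksums match; the package can be imported."
  else
    echo "Checksum verification FAILED; do not import this file." >&2
    exit 1
  fi
fi
```

All three digests must match before the file is imported. The SHA256 value is the one that actually establishes integrity, since MD5 and SHA1 are no longer collision resistant; checking the weaker two as well costs nothing and catches a truncated or corrupted download just as quickly. A mismatch on any algorithm means the file is not the one Forcepoint published and should be discarded and re-downloaded.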

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.