Release notes for update package 1792-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday October 24, 2024
MD5 CHECKSUM:    8a07924b1434bef82f2d60340ab38e86
SHA1 CHECKSUM:    f15abbae4f05a237cfff674e48c4459b0da12744
SHA256 CHECKSUM:    8b94b141e22b6a6caf5e3b200388ef55b3b50c16159455222ebc2debea31339a


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in LibreNMS detected     CVE-2024-47525     LibreNMS-Alert-Rule-Name-Stored-Cross-Site-Scripting
High     An attempt to exploit a vulnerability in Ivanti Avalanche detected     CVE-2024-38652     Ivanti-Avalanche-Remote-Control-Server-Deleteskin-Directory-Traversal
High     An attempt to exploit a vulnerability in Zoho Corporation ManageEngine OpManager detected     CVE-2024-6748     Zoho-Manageengine-Multiple-Products-URL-Monitoring-SQL-Injection
High     An attempt to exploit a vulnerability in ksmbd detected     CVE-2023-52755     Linux-Kernel-Ksmbd-ACL-Inheritance-Out-Of-Bounds-Write
High     An attempt to exploit a vulnerability in GeoVision LiveX detected     CVE-2009-0865     Geovision-Livex-Directory-Traversal


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Zoho-Manageengine-Multiple-Products-URL-Monitoring-SQL-Injection     CVE-2024-6748     HTTP_CS-Zoho-Manageengine-Multiple-Products-URL-Monitoring-SQL-Injection     Suspected Compromise

TCP SMB Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Linux-Kernel-Ksmbd-ACL-Inheritance-Out-Of-Bounds-Write     CVE-2023-52755     SMB-TCP_Linux-Kernel-Ksmbd-ACL-Inheritance-Out-Of-Bounds-Write     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     LibreNMS-Alert-Rule-Name-Stored-Cross-Site-Scripting     CVE-2024-47525     HTTP_CRL-LibreNMS-Alert-Rule-Name-Stored-Cross-Site-Scripting     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Geovision-Livex-Directory-Traversal     CVE-2009-0865     File-Text_Geovision-Livex-Directory-Traversal-Vulnerability     Suspected Compromise

ARCserve Backup Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Ivanti-Avalanche-Remote-Control-Server-Deleteskin-Directory-Traversal     CVE-2024-38652     ARCserve_CS-Ivanti-Avalanche-Remote-Control-Server-Deleteskin-Directory-Traversal     Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     HP-Service-Virtualization-Autopass-License-Server-Directory-Traversal     CVE-2013-6221     HTTP_CS-HP-Service-Virtualization-Autopass-License-Server-Directory-Traversal     Suspected Compromise
    Name: Generic_CS-HP-Service-Virtualization-Autopass-License-Server-Directory-Traversal->HTTP_CS-HP-Service-Virtualization-Autopass-License-Server-Directory-Traversal
    Category tag group HTTP Correlation Dependency Group added
    Context has changed from TCP Client Stream Unknown to HTTP Client Stream

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Drupal-Core-Form-Rendering-Remote-Code-Execution     CVE-2018-7600     HTTP_CRL-Drupal-Core-Form-Rendering-Remote-Code-Execution     Suspected Compromise
    Fingerprint regexp changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Generic-HTTP-Exploit     No CVE/CAN     File-Text_Suspicious-Text-File     Suspected Compromise
    Detection mechanism updated

PNG File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     SugarCRM-EmailTemplates-Validation-Vulnerability-CVE-2023-22952     CVE-2023-22952     File-PNG_SugarCRM-EmailTemplates-Validation-Vulnerability-CVE-2023-22952     Suspected Compromise
    Name: HTTP_CRL-SugarCRM-EmailTemplates-Validation-Vulnerability-CVE-2023-22952->File-PNG_SugarCRM-EmailTemplates-Validation-Vulnerability-CVE-2023-22952
    Description has changed
    Attacker: connection_source->packet_source
    Victim: connection_destination->packet_destination
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
    Context has changed from HTTP Normalized Request-Line to PNG File Stream

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Mozilla-Firefox-Multiple-URI-Handlers-Command-Execution     CVE-2007-4041     File-TextId_Mozilla-Firefox-Multiple-URI-Handlers-Command-Execution     Potential Compromise
    Fingerprint regexp changed
High     Roundcube-Webmail-SVG-Animate-Stored-Cross-Site-Scripting     CVE-2024-37383     File-TextId_Roundcube-Webmail-SVG-Animate-Stored-Cross-Site-Scripting     Suspected Compromise
    Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type                    Name
Category                GeoVision LiveX
IPList                  GitHub Actions IP Address List
IPList                  Amazon ROUTE53_HEALTHCHECKS_PUBLISHING ap-southeast-6
IPList                  GitHub Services IP Address List
Situation               HTTP_Client-Decompression-Trailing-Data
Situation               HTTP_Server-Decompression-Trailing-Data
Situation               HTTP_Client-Decompression-Error-Incomplete-Data
Situation               HTTP_Server-Decompression-Error-Incomplete-Data
Situation               HTTP_Client-Decompression-Error-No-Data
Situation               HTTP_Server-Decompression-Error-No-Data
Situation               HTTP2_Client-Decompression-Trailing-Data
Situation               HTTP2_Server-Decompression-Trailing-Data
Situation               HTTP2_Client-Decompression-Error-Incomplete-Data
Situation               HTTP2_Server-Decompression-Error-Incomplete-Data
Situation               HTTP2_Client-Decompression-Error-No-Data
Situation               HTTP2_Server-Decompression-Error-No-Data

Updated objects:

Type                    Name (changes, where any, are indented below the name)
Certificate Authority   Entrust Certification Authority - L1K
    Marked for removal
Certificate Authority   GlobalSign Atlas R3 AlphaSSL CA 2022 Q1
    Marked for removal
Situation               File_Malware-MD5
    Detection mechanism updated
Situation               URL_List-DNS-Over-HTTPS
    Detection mechanism updated
IPList                  Rwanda
IPList                  Somalia
IPList                  Yemen
IPList                  Iraq
IPList                  Saudi Arabia
IPList                  Iran
IPList                  Cyprus
IPList                  Tanzania
IPList                  Syria
IPList                  Armenia
IPList                  Kenya
IPList                  DR Congo
IPList                  Djibouti
IPList                  Uganda
IPList                  Central African Republic
IPList                  Seychelles
IPList                  Jordan
IPList                  Lebanon
IPList                  Kuwait
IPList                  Oman
IPList                  Qatar
IPList                  Bahrain
IPList                  United Arab Emirates
IPList                  Israel
IPList                  Türkiye
IPList                  Ethiopia
IPList                  Eritrea
IPList                  Egypt
IPList                  Sudan
IPList                  Greece
IPList                  Burundi
IPList                  Estonia
IPList                  Latvia
IPList                  Azerbaijan
IPList                  Lithuania
IPList                  Svalbard and Jan Mayen
IPList                  Georgia
IPList                  Moldova
IPList                  Belarus
IPList                  Finland
IPList                  Åland Islands
IPList                  Ukraine
IPList                  North Macedonia
IPList                  Hungary
IPList                  Bulgaria
IPList                  Albania
IPList                  Poland
IPList                  Romania
IPList                  Kosovo
IPList                  Zimbabwe
IPList                  Zambia
IPList                  Comoros
IPList                  Malawi
IPList                  Lesotho
IPList                  Botswana
IPList                  Mauritius
IPList                  Eswatini
IPList                  Réunion
IPList                  South Africa
IPList                  Mayotte
IPList                  Mozambique
IPList                  Madagascar
IPList                  Afghanistan
IPList                  Pakistan
IPList                  Bangladesh
IPList                  Turkmenistan
IPList                  Tajikistan
IPList                  Sri Lanka
IPList                  Bhutan
IPList                  India
IPList                  Maldives
IPList                  British Indian Ocean Territory
IPList                  Nepal
IPList                  Myanmar
IPList                  Uzbekistan
IPList                  Kazakhstan
IPList                  Kyrgyzstan
IPList                  French Southern Territories
IPList                  Heard and McDonald Islands
IPList                  Cocos (Keeling) Islands
IPList                  Palau
IPList                  Vietnam
IPList                  Thailand
IPList                  Indonesia
IPList                  Laos
IPList                  Taiwan
IPList                  Philippines
IPList                  Malaysia
IPList                  China
IPList                  Hong Kong
IPList                  Brunei
IPList                  Macao
IPList                  Cambodia
IPList                  South Korea
IPList                  Japan
IPList                  North Korea
IPList                  Singapore
IPList                  Cook Islands
IPList                  Timor-Leste
IPList                  Russia
IPList                  Mongolia
IPList                  Australia
IPList                  Christmas Island
IPList                  Marshall Islands
IPList                  Federated States of Micronesia
IPList                  Papua New Guinea
IPList                  Solomon Islands
IPList                  Tuvalu
IPList                  Nauru
IPList                  Vanuatu
IPList                  New Caledonia
IPList                  Norfolk Island
IPList                  New Zealand
IPList                  Fiji
IPList                  Libya
IPList                  Cameroon
IPList                  Senegal
IPList                  Congo Republic
IPList                  Portugal
IPList                  Liberia
IPList                  Ivory Coast
IPList                  Ghana
IPList                  Equatorial Guinea
IPList                  Nigeria
IPList                  Burkina Faso
IPList                  Togo
IPList                  Guinea-Bissau
IPList                  Mauritania
IPList                  Benin
IPList                  Gabon
IPList                  Sierra Leone
IPList                  São Tomé and Príncipe
IPList                  Gibraltar
IPList                  Gambia
IPList                  Guinea
IPList                  Chad
IPList                  Niger
IPList                  Mali
IPList                  Western Sahara
IPList                  Tunisia
IPList                  Spain
IPList                  Morocco
IPList                  Malta
IPList                  Algeria
IPList                  Faroe Islands
IPList                  Denmark
IPList                  Iceland
IPList                  United Kingdom
IPList                  Switzerland
IPList                  Sweden
IPList                  The Netherlands
IPList                  Austria
IPList                  Belgium
IPList                  Germany
IPList                  Luxembourg
IPList                  Ireland
IPList                  Monaco
IPList                  France
IPList                  Andorra
IPList                  Liechtenstein
IPList                  Jersey
IPList                  Isle of Man
IPList                  Guernsey
IPList                  Slovakia
IPList                  Czechia
IPList                  Norway
IPList                  Vatican City
IPList                  San Marino
IPList                  Italy
IPList                  Slovenia
IPList                  Montenegro
IPList                  Croatia
IPList                  Bosnia and Herzegovina
IPList                  Angola
IPList                  Namibia
IPList                  Saint Helena
IPList                  Bouvet Island
IPList                  Barbados
IPList                  Cabo Verde
IPList                  Guyana
IPList                  French Guiana
IPList                  Suriname
IPList                  Saint Pierre and Miquelon
IPList                  Greenland
IPList                  Paraguay
IPList                  Uruguay
IPList                  Brazil
IPList                  Falkland Islands
IPList                  South Georgia and the South Sandwich Islands
IPList                  Jamaica
IPList                  Dominican Republic
IPList                  Cuba
IPList                  Martinique
IPList                  Bahamas
IPList                  Bermuda
IPList                  Anguilla
IPList                  Trinidad and Tobago
IPList                  St Kitts and Nevis
IPList                  Dominica
IPList                  Antigua and Barbuda
IPList                  Saint Lucia
IPList                  Turks and Caicos Islands
IPList                  Aruba
IPList                  British Virgin Islands
IPList                  St Vincent and Grenadines
IPList                  Montserrat
IPList                  Saint Martin
IPList                  Saint Barthélemy
IPList                  Guadeloupe
IPList                  Grenada
IPList                  Cayman Islands
IPList                  Belize
IPList                  El Salvador
IPList                  Guatemala
IPList                  Honduras
IPList                  Nicaragua
IPList                  Costa Rica
IPList                  Venezuela
IPList                  Ecuador
IPList                  Colombia
IPList                  Panama
IPList                  Haiti
IPList                  Argentina
IPList                  Chile
IPList                  Bolivia
IPList                  Peru
IPList                  Mexico
IPList                  French Polynesia
IPList                  Pitcairn Islands
IPList                  Kiribati
IPList                  Tokelau
IPList                  Tonga
IPList                  Wallis and Futuna
IPList                  Samoa
IPList                  Niue
IPList                  Northern Mariana Islands
IPList                  Guam
IPList                  Puerto Rico
IPList                  U.S. Virgin Islands
IPList                  U.S. Outlying Islands
IPList                  American Samoa
IPList                  Canada
IPList                  United States
IPList                  Palestine
IPList                  Serbia
IPList                  Antarctica
IPList                  Sint Maarten
IPList                  Curaçao
IPList                  Bonaire, Sint Eustatius, and Saba
IPList                  South Sudan
IPList                  TOR exit nodes IP Address List
IPList                  Amazon AMAZON
IPList                  Amazon EC2
IPList                  Google Servers
IPList                  Microsoft Azure datacenter for australiaeast
IPList                  TOR relay nodes IP Address List
IPList                  Microsoft Azure datacenter for centralindia
IPList                  Microsoft Azure datacenter for centralus
IPList                  Microsoft Azure datacenter for eastus2euap
IPList                  Microsoft Azure datacenter for eastus
IPList                  Microsoft Azure datacenter for centralfrance
IPList                  Microsoft Azure datacenter for japaneast
IPList                  Microsoft Azure datacenter for japanwest
IPList                  Microsoft Azure datacenter for northcentralus
IPList                  Microsoft Azure datacenter for northeurope
IPList                  Microsoft Azure datacenter for southcentralus
IPList                  Microsoft Azure datacenter for southeastasia
IPList                  Microsoft Azure datacenter for westeurope
IPList                  Microsoft Azure datacenter for westus
IPList                  Microsoft Azure service for AzureActiveDirectory
IPList                  Microsoft Azure datacenter
IPList                  Amazon EC2 eu-south-2
IPList                  Microsoft Azure service for AzureHealthcareAPIs
IPList                  Okta IP Address List
IPList                  Botnet IP Address List
IPList                  Malicious Site IP Address List
IPList                  NordVPN Servers IP Address List
IPList                  Microsoft Azure service for AzureSpringCloud
IPList                  Microsoft Azure service for CognitiveServicesFrontend
IPList                  Zoho Meeting Servers
IPList                  Microsoft Azure service for KustoAnalytics
IPList                  Amazon AMAZON ap-southeast-5
IPList                  Amazon EC2 ap-southeast-5
IPList                  Amazon AMAZON eu-west-2
IPList                  Amazon EC2 eu-west-2
IPList                  Microsoft Azure service for AzureMachineLearningInference
IPList                  Amazon AMAZON me-south-1
IPList                  Amazon EC2 me-south-1
IPList                  Microsoft Azure service for VideoIndexer
IPList                  Amazon AMAZON us-east-1
IPList                  Amazon EC2 us-east-1
IPList                  Forcepoint Drop IP Address List
IPList                  Microsoft Azure service for Scuba
IPList                  Amazon AMAZON us-west-2
IPList                  Amazon EC2 us-west-2
IPList                  Microsoft Azure datacenter for germanyn
IPList                  Microsoft Azure datacenter for germanywc
IPList                  Microsoft Azure datacenter for norwaye
IPList                  Microsoft Azure service for ActionGroup
IPList                  Microsoft Azure service for ApiManagement
IPList                  Yealink Meeting IP Address List
IPList                  Microsoft Azure service for AppConfiguration
IPList                  Microsoft Azure service for AppService
IPList                  Microsoft Azure service for AppServiceManagement
IPList                  Microsoft Azure service for AzureAdvancedThreatProtection
IPList                  Microsoft Azure service for AzureArcInfrastructure
IPList                  Microsoft Azure service for AzureBackup
IPList                  Microsoft Azure service for AzureBotService
IPList                  Microsoft Azure service for AzureCloud
IPList                  Microsoft Azure service for AzureCognitiveSearch
IPList                  Microsoft Azure service for AzureConnectors
IPList                  Microsoft Azure service for AzureContainerRegistry
IPList                  Microsoft Azure service for AzureCosmosDB
IPList                  Microsoft Azure service for AzureDatabricks
IPList                  Microsoft Azure service for AzureDataExplorerManagement
IPList                  Microsoft Azure service for AzureDevOps
IPList                  Microsoft Azure service for AzureDigitalTwins
IPList                  Microsoft Azure service for AzureEventGrid
IPList                  Microsoft Azure service for AzureKeyVault
IPList                  Microsoft Azure service for AzureMachineLearning
IPList                  Microsoft Azure service for AzureMonitor
IPList                  Microsoft Azure service for AzureMonitor_Core
IPList                  Microsoft Azure service for AzurePortal
IPList                  Microsoft Azure service for AzureResourceManager
IPList                  Microsoft Azure service for AzureSignalR
IPList                  Microsoft Azure service for AzureSiteRecovery
IPList                  Microsoft Azure service for BatchNodeManagement
IPList                  Microsoft Azure service for CognitiveServicesManagement
IPList                  Microsoft Azure service for DataFactory
IPList                  Microsoft Azure service for DataFactoryManagement
IPList                  Microsoft Azure service for EventHub
IPList                  Microsoft Azure service for GatewayManager
IPList                  Microsoft Azure service for GuestAndHybridManagement
IPList                  Microsoft Azure service for HDInsight
IPList                  Microsoft Azure service for LogicApps
IPList                  Microsoft Azure service for LogicAppsManagement
IPList                  Microsoft Azure service for MicrosoftContainerRegistry
IPList                  Microsoft Azure service for PowerBI
IPList                  Microsoft Azure service for PowerQueryOnline
IPList                  Microsoft Azure service for ServiceBus
IPList                  Microsoft Azure service for ServiceFabric
IPList                  Microsoft Azure service for Sql
IPList                  Microsoft Azure service for SqlManagement
IPList                  Microsoft Azure service for Storage
IPList                  Microsoft Azure service for StorageSyncService
IPList                  Oracle ap-chuncheon-1
IPList                  Microsoft Azure service for AzureSecurityCenter
IPList                  Microsoft Azure service for AzureAttestation
IPList                  Microsoft Azure datacenter for italynorth
IPList                  Oracle ap-sydney-1
IPList                  Microsoft Azure service for WindowsAdminCenter
IPList                  Oracle sa-saopaulo-1
IPList                  Oracle us-chicago-1
IPList                  Google Cloud IP Address List for europe-west4
IPList                  Microsoft Azure service for AzureSentinel
Situation               SMTP_SMTP-Header-Field-Syntax-Error
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Base64-Line
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long_Domain-Name
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Encoded-Word
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Folding-Whitespace
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Header-Field-Name
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Header-Line
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Line
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Quoted-Printable-Line
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Quoted-String
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               SMTP_IMF-Too-Long-Whitespace
    Category tag situation Obsolete added
    Category tag situation Protocol Violations removed
    Category tag group Anomalies removed
Situation               HTTP_PSU-Shared-Variables
    Fingerprint regexp changed
Application             TOR
Application             DNS-Over-HTTPS
Application             NordVPN
Application             Zoho-Meeting-App
Application             Yealink

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
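Step 1 asks you to confirm that the downloaded file matches the published checksums before importing it. The shell function below is an added example, not Forcepoint's own tooling: it computes the MD5, SHA1 and SHA256 digests of a file with GNU coreutils (`md5sum`, `sha1sum`, `sha256sum`) and compares them against the values listed at the top of this release note, returning non-zero and naming the first mismatching algorithm so a scripted download step can refuse to proceed. The package path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: verify a downloaded dynamic update package against the
# checksums published in the release note before importing it.
# Assumes GNU coreutils md5sum/sha1sum/sha256sum are on PATH.

# Checksums published for update package 1792-5242 (taken from this release note).
PKG_MD5=8a07924b1434bef82f2d60340ab38e86
PKG_SHA1=f15abbae4f05a237cfff674e48c4459b0da12744
PKG_SHA256=8b94b141e22b6a6caf5e3b200388ef55b3b50c16159455222ebc2debea31339a

# digest_of ALGO FILE
# Prints the lower-case hex digest of FILE for ALGO (md5, sha1 or sha256).
# Returns 2 for an unknown algorithm or when the digest tool fails.
digest_of() {
    case "$1" in
        md5)    out=$(md5sum "$2") ;;
        sha1)   out=$(sha1sum "$2") ;;
        sha256) out=$(sha256sum "$2") ;;
        *) echo "unknown algorithm: $1" >&2; return 2 ;;
    esac || return 2
    # Tool output is "<digest>  <file>"; keep only the digest, normalised to lower case.
    printf '%s\n' "${out%% *}" | tr 'A-F' 'a-f'
}

# verify_update_package FILE MD5 SHA1 SHA256
# Returns 0 when all three digests match the expected values,
# 1 on the first mismatch (reporting which algorithm failed),
# 2 when FILE cannot be read.
verify_update_package() {
    file=$1; want_md5=$2; want_sha1=$3; want_sha256=$4
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for algo in md5 sha1 sha256; do
        case "$algo" in
            md5)    want=$want_md5 ;;
            sha1)   want=$want_sha1 ;;
            sha256) want=$want_sha256 ;;
        esac
        # Published values may be upper-case; compare case-insensitively.
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        got=$(digest_of "$algo" "$file") || return 2
        if [ "$got" != "$want" ]; then
            echo "MISMATCH ($algo) for $file: expected $want, got $got" >&2
            return 1
        fi
    done
    echo "all checksums match for $file"
    return 0
}

# Usage (placeholder path; substitute the file you downloaded):
# verify_update_package /path/to/downloaded-update-package-1792-5242 \
#     "$PKG_MD5" "$PKG_SHA1" "$PKG_SHA256" || exit 1
```

Checking all three digests rather than only MD5 matters because MD5 and SHA1 are no longer collision-resistant; a file that matches the published SHA256 as well gives the assurance the procedure is after. Wire the call into whatever fetches the package so that a non-zero exit aborts before the import step.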

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.