Release notes for update package 1802-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday November 21, 2024
MD5 CHECKSUM:    2ed19529e622874293d2894656c2ca27
SHA1 CHECKSUM:    a9704bfb4a9a33051bfd3209324b6984ee582d8a
SHA256 CHECKSUM:    66206dafaa3ee376e6604630baefbe072f0347074ded4cda2db86c14ccc56b43


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in pyLoad detected | CVE-2024-39205 | pyLoad-RCE-With-js2py-Sandbox-Escape
High | An attempt to exploit a vulnerability in a Palo Alto appliance | CVE-2024-9474 | Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474
High | An attempt to exploit a vulnerability in a Palo Alto appliance | CVE-2024-0012 | Palo-Alto-SSLVPN-Authentication-Bypass
High | A malicious internet shortcut file was detected | No CVE/CAN | Malicious-Internet-Shortcut-File
Low | A possibly malicious internet shortcut file was detected | No CVE/CAN | Malicious-Internet-Shortcut-File
Low | A possibly malicious internet shortcut file was detected | No CVE/CAN | Malicious-Internet-Shortcut-File


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | pyLoad-RCE-With-js2py-Sandbox-Escape | CVE-2024-39205 | HTTP_CS-pyLoad-RCE-With-js2py-Sandbox-Escape | Suspected Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Palo-Alto-SSLVPN-Authentication-Bypass | CVE-2024-0012 | HTTP_CSH-Palo-Alto-SSLVPN-Authentication-Bypass | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 | CVE-2024-9474 | HTTP_CRL-Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
Low | Malicious-Internet-Shortcut-File | No CVE/CAN | File-Text_Possibly-Malicious-Internet-Shortcut-File | Other Suspicious Traffic

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Malicious-Internet-Shortcut-File | No CVE/CAN | File-TextId_Malicious-Internet-Shortcut-File | Spyware, Malware and Adware
Low | Malicious-Internet-Shortcut-File | No CVE/CAN | File-TextId_Possibly-Malicious-Internet-Shortcut-File | Other Suspicious Traffic

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Quest-NetVault-Backup-Multipart-Request-Part-Header-Stack-Buffer-Overflow | CVE-2018-1161 | HTTP_CS-Quest-NetVault-Backup-Multipart-Request-Part-Header-Stack-Buffer-Overflow | Potential Compromise | Category tag situation Potential Compromise added; Category tag situation Suspected Compromise removed; Fingerprint regexp changed

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ivanti-Avalanche-Wlavalancheservice.exe-Type-101-102-Null-Pointer-Dereference | CVE-2024-47007 | Generic_CS-Ivanti-Avalanche-Wlavalancheservice.exe-Type-101-102-Null-Pointer-Dereference | Suspected Compromise | Description has changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Junos-OS-J-Web-Arbitrary-File-Upload-CVE-2023-36846 | CVE-2023-36846 | HTTP_CRL-Junos-OS-J-Web-Arbitrary-File-Upload-PHP-External-Variable-Modification | Suspected Compromise | Name: HTTP_CRL-Junos-OS-J-Web-Arbitrary-File-Upload-CVE-2023-36846->HTTP_CRL-Junos-OS-J-Web-Arbitrary-File-Upload-PHP-External-Variable-Modification; Description has changed

SMB Client Header Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Windows-SMB-Denial-Of-Service-Vulnerability-CVE-2024-43642 | CVE-2024-43642 | SMB-TCP_CHS-Windows-SMB-Denial-Of-Service-Vulnerability-CVE-2024-43642 | Potential Compromise | Detection mechanism updated

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Malicious-Internet-Shortcut-File | No CVE/CAN | File-Text_Malicious-Internet-Shortcut-File | Spyware, Malware and Adware | Comment has changed; Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Palo Alto SSLVPN Appliance

Updated objects:

Type | Name | Changes
Situation | File_Malware-MD5 | Detection mechanism updated
IPList | Somalia |
IPList | Yemen |
IPList | Iraq |
IPList | Saudi Arabia |
IPList | Iran |
IPList | Cyprus |
IPList | Tanzania |
IPList | Armenia |
IPList | Kenya |
IPList | Uganda |
IPList | Seychelles |
IPList | Jordan |
IPList | Lebanon |
IPList | Oman |
IPList | Qatar |
IPList | Bahrain |
IPList | United Arab Emirates |
IPList | Israel |
IPList | Türkiye |
IPList | Egypt |
IPList | Greece |
IPList | Burundi |
IPList | Estonia |
IPList | Latvia |
IPList | Azerbaijan |
IPList | Lithuania |
IPList | Moldova |
IPList | Belarus |
IPList | Finland |
IPList | Ukraine |
IPList | North Macedonia |
IPList | Hungary |
IPList | Bulgaria |
IPList | Albania |
IPList | Poland |
IPList | Romania |
IPList | Zimbabwe |
IPList | Mauritius |
IPList | Eswatini |
IPList | Réunion |
IPList | South Africa |
IPList | Mayotte |
IPList | Afghanistan |
IPList | Pakistan |
IPList | Bangladesh |
IPList | Sri Lanka |
IPList | India |
IPList | Maldives |
IPList | Nepal |
IPList | Myanmar |
IPList | Uzbekistan |
IPList | Kazakhstan |
IPList | Kyrgyzstan |
IPList | Vietnam |
IPList | Thailand |
IPList | Indonesia |
IPList | Taiwan |
IPList | Philippines |
IPList | Malaysia |
IPList | China |
IPList | Hong Kong |
IPList | Brunei |
IPList | Macao |
IPList | South Korea |
IPList | Japan |
IPList | Singapore |
IPList | Russia |
IPList | Mongolia |
IPList | Australia |
IPList | Christmas Island |
IPList | Papua New Guinea |
IPList | Vanuatu |
IPList | New Zealand |
IPList | Fiji |
IPList | Libya |
IPList | Cameroon |
IPList | Senegal |
IPList | Portugal |
IPList | Ivory Coast |
IPList | Nigeria |
IPList | Sierra Leone |
IPList | Niger |
IPList | Spain |
IPList | Morocco |
IPList | Denmark |
IPList | United Kingdom |
IPList | Switzerland |
IPList | Sweden |
IPList | The Netherlands |
IPList | Austria |
IPList | Belgium |
IPList | Germany |
IPList | Luxembourg |
IPList | Ireland |
IPList | France |
IPList | Andorra |
IPList | Jersey |
IPList | Guernsey |
IPList | Slovakia |
IPList | Czechia |
IPList | Norway |
IPList | Vatican City |
IPList | Italy |
IPList | Slovenia |
IPList | Montenegro |
IPList | Croatia |
IPList | Bosnia and Herzegovina |
IPList | Barbados |
IPList | French Guiana |
IPList | Paraguay |
IPList | Brazil |
IPList | Jamaica |
IPList | Dominican Republic |
IPList | Martinique |
IPList | Bahamas |
IPList | Anguilla |
IPList | Trinidad and Tobago |
IPList | Antigua and Barbuda |
IPList | Turks and Caicos Islands |
IPList | Aruba |
IPList | Saint Martin |
IPList | Guadeloupe |
IPList | Belize |
IPList | El Salvador |
IPList | Guatemala |
IPList | Honduras |
IPList | Costa Rica |
IPList | Venezuela |
IPList | Colombia |
IPList | Argentina |
IPList | Chile |
IPList | Peru |
IPList | Mexico |
IPList | Northern Mariana Islands |
IPList | Guam |
IPList | Puerto Rico |
IPList | U.S. Virgin Islands |
IPList | American Samoa |
IPList | Canada |
IPList | United States |
IPList | Serbia |
IPList | Antarctica |
IPList | TOR exit nodes IP Address List |
IPList | Amazon AMAZON |
IPList | Amazon EC2 |
IPList | Akamai Servers |
IPList | Microsoft Azure datacenter for australiaeast |
IPList | TOR relay nodes IP Address List |
IPList | Microsoft Azure datacenter for centralindia |
IPList | Microsoft Azure datacenter for eastus2euap |
IPList | Microsoft Azure datacenter for eastus2 |
IPList | Microsoft Azure datacenter for eastus |
IPList | Microsoft Azure datacenter for southeastasia |
IPList | Microsoft Azure datacenter for westeurope |
IPList | Microsoft Azure datacenter for westus2 |
IPList | Microsoft Azure datacenter |
IPList | Botnet IP Address List |
IPList | Malicious Site IP Address List |
IPList | Microsoft Azure datacenter for malaysiasouth |
IPList | NordVPN Servers IP Address List |
IPList | Forcepoint Drop IP Address List |
IPList | Amazon AMAZON us-gov-west-1 |
IPList | Amazon EC2 us-gov-west-1 |
IPList | Microsoft Azure datacenter for uaenorth |
IPList | GitHub Actions IP Address List |
IPList | Microsoft Azure service for AzureCloud |
IPList | Microsoft Azure service for AzureCosmosDB |
IPList | Amazon AMAZON ap-southeast-7 |
IPList | Microsoft Azure service for AzureResourceManager |
IPList | Microsoft Azure service for AzureTrafficManager |
IPList | Microsoft Azure service for DataFactory |
IPList | Microsoft Azure service for DataFactoryManagement |
IPList | Microsoft Azure datacenter for italynorth |
IPList | Microsoft Azure datacenter for newzealandnorth |
IPList | Microsoft Azure datacenter for polandcentral |
IPList | Microsoft Azure datacenter for spaincentral |
Situation | File-Text_Internet-Shortcut-File-Transfer | Fingerprint regexp changed
Situation | HTTP_CRL-Suspicious-Parameter-Value | Fingerprint regexp changed
Situation | HTTPS_CS-Apache-Ssl-DoS-With-Plain-HTTP-Request | Description has changed; Attacker: connection_source->none; Victim: connection_destination->none; Category tag situation Obsolete added; Category tag os OS X removed; Category tag os Linux removed; Category tag hardware Any Hardware removed; Category tag application Apache removed; Category tag group CVE2004 removed; Category tag os_not_specific OS X not specific removed; Category tag os_not_specific Linux not specific removed; Category tag application_not_specific Apache not specific removed; Category tag situation Potential Denial of Service removed; Category tag group TCP Client Traffic removed; Fingerprint regexp changed
Situation | File-TextId_Internet-Shortcut-File-Transfer | Fingerprint regexp changed
Application | WhatsApp | Application Port "udp/3480 tls: no" added; Application Port "udp/3484 tls: no" added
Application | Online-Certificate-Status-Protocol | Application detection context content changed
Application | Akamai-Infrastructure |
Application | TOR |
Application | Manoto |
Application | Certificate-Revocation-List-Service | Application detection context content changed
Application | NordVPN |

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
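The checksum comparison in step 1 is the part of this procedure that is easy to skip or to do by eye. The script below is an added example, not Forcepoint's tooling: it reads the downloaded file once, computes MD5, SHA1 and SHA256 from the same bytes, and compares each against the values published at the top of these release notes using a constant-time comparison, rejecting the file if any one digest differs. The three published checksums are taken from this page; the "abc" sample file and its digests are constructed so that the check can be exercised without the real package.

```python
import hashlib
import hmac
import os
import tempfile

# Checksums published in the release notes above for update package 1802-5242.
PUBLISHED_CHECKSUMS = {
    "md5": "2ed19529e622874293d2894656c2ca27",
    "sha1": "a9704bfb4a9a33051bfd3209324b6984ee582d8a",
    "sha256": "66206dafaa3ee376e6604630baefbe072f0347074ded4cda2db86c14ccc56b43",
}

# Constructed sample: the three-byte file "abc" and its well-known digests,
# used only so the check can be exercised without the real package file.
SAMPLE_CONTENT = b"abc"
SAMPLE_CHECKSUMS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def file_digests(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Read the file once, in chunks, and feed every hasher from the same bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_checksums(path, expected):
    """Compare each published digest with the computed one; returns {algorithm: bool}."""
    actual = file_digests(path, tuple(expected))
    return {
        name: hmac.compare_digest(actual[name], expected[name].strip().lower())
        for name in expected
    }


def all_match(results):
    """True only when every listed digest matched; a single mismatch rejects the file."""
    return bool(results) and all(results.values())


def write_constructed_sample():
    """Write the constructed sample content to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="constructed-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return path


def check_sample():
    """Verify the constructed sample against its own digests and against the package digests."""
    path = write_constructed_sample()
    try:
        matching = verify_checksums(path, SAMPLE_CHECKSUMS)
        mismatching = verify_checksums(path, PUBLISHED_CHECKSUMS)
    finally:
        os.remove(path)
    return matching, mismatching


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Real use: python verify_update.py <downloaded update package file>
        results = verify_checksums(sys.argv[1], PUBLISHED_CHECKSUMS)
        for name, ok in results.items():
            print(f"{name:7s} {'OK' if ok else 'MISMATCH'}")
        sys.exit(0 if all_match(results) else 1)

    matching, mismatching = check_sample()
    print("constructed sample vs its own digests:", matching)
    print("constructed sample vs package digests:", mismatching)
```

Run it with the downloaded package as the only argument; a non-zero exit status means at least one digest did not match and the file should not be imported. Checking all three published digests rather than only MD5 is deliberate: an attacker who can produce an MD5 collision still has to match SHA1 and SHA256 on the same bytes.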

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.