Release notes for update package 1815-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday December 23, 2024
MD5 CHECKSUM:    4646ace52d03fa9cd277928b06ccc149
SHA1 CHECKSUM:    67007b21d725eca5c18eab216af545a76a77e55b
SHA256 CHECKSUM:    cdf1df573185df8a68d84dd841af098ed7d982282deec6deb67d44fb01ef69ab


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Jenkins Simple Queue Plugin detected     CVE-2024-54003     Jenkins-Simple-Queue-Plugin-Stored-Cross-Site-Scripting
High     An attempt to exploit a vulnerability in Fortinet FortiOS detected     CVE-2024-23113     Fortinet-FortiOS-Format-String-CVE-2024-23113
High     An attempt to exploit a vulnerability in Clinic's Patient Management System detected     CVE-2022-40471     Clinics-Patient-Management-System-PHP-File-Upload
High     An attempt to exploit a vulnerability in D-Link detected     CVE-2020-25078     D-Link-DCS-2530L-DCS-2670L-Password-Disclosure-CVE-2020-25078
High     An attempt to exploit a vulnerability in RichFaces framework detected     CVE-2018-14667     RichFaces-Framework-Expression-Language-Injection-CVE-2018-14667
High     An attempt to exploit a vulnerability in TBK DVR4104 and DVR4216 detected     CVE-2018-9995     TBK-DVR4104-And-DVR4216-Authentication-Bypass-CVE-2018-9995
High     An attempt to install malware via fake CAPTCHA detected     No CVE/CAN     Information-Stealer-Using-Fake-Captcha
High     HiatusRAT malware activity detected     No CVE/CAN     HiatusRAT-Malware-C2-Traffic
Low     RichFaces framework DATA URL segment followed by compressed content     CVE-2018-14667     RichFaces-Framework-Expression-Language-Injection-CVE-2018-14667

DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Clinics-Patient-Management-System-PHP-File-Upload     CVE-2022-40471     HTTP_CS-Clinics-Patient-Management-System-PHP-File-Upload     Potential Compromise

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Fortinet-FortiOS-Format-String-CVE-2024-23113     CVE-2024-23113     Generic_CS-Fortinet-FortiOS-Format-String-CVE-2024-23113     Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     D-Link-DCS-2530L-DCS-2670L-Password-Disclosure-CVE-2020-25078     CVE-2020-25078     HTTP_CSU-D-Link-DCS-2530L-DCS-2670L-Password-Disclosure-CVE-2020-25078     Potential Compromise
Low     RichFaces-Framework-Expression-Language-Injection-CVE-2018-14667     CVE-2018-14667     HTTP_CSU-RichFaces-Framework-DATA-URL-Segment-With-Compressed-Content     Possibly Unwanted Content
High     RichFaces-Framework-Expression-Language-Injection-CVE-2018-14667     CVE-2018-14667     HTTP_CSU-RichFaces-Framework-Expression-Language-Injection-Known-Payload     Suspected Compromise
High     HiatusRAT-Malware-C2-Traffic     No CVE/CAN     HTTP_CSU-HiatusRAT-Malware-C2-Traffic     Suspected Compromise

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     TBK-DVR4104-And-DVR4216-Authentication-Bypass-CVE-2018-9995     CVE-2018-9995     HTTP_CSH-TBK-DVR4104-And-DVR4216-Authentication-Bypass-CVE-2018-9995     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Jenkins-Simple-Queue-Plugin-Stored-Cross-Site-Scripting     CVE-2024-54003     HTTP_CRL-Jenkins-Simple-Queue-Plugin-Stored-Cross-Site-Scripting     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Information-Stealer-Using-Fake-Captcha     No CVE/CAN     File-Text_Information-Stealer-Using-Fake-Captcha     Potential Compromise

Updated detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Apache-Struts-File-Upload-Vulnerability-CVE-2023-50164     CVE-2023-50164     HTTP_CS-Apache-Struts-File-Upload-Vulnerability-CVE-2023-50164     Suspected Compromise     Fingerprint regexp changed

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Nuuo-NVRmini-Upgrade_handle.php-Remote-Command-Execution     CVE-2018-14933     HTTP_CRL-Nuuo-NVRmini-Upgrade_handle.php-Remote-Command-Execution     Suspected Compromise     Fingerprint regexp changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Suspicious-Jsp-File-Upload     No CVE/CAN     File-Text_Suspicious-Jsp-File-Content-Upload     Suspected Compromise     Fingerprint regexp changed
High     Microsoft_Office_Directory_Traversal_Vulnerability_CVE-2019-0801     CVE-2019-0801     File-Text_Microsoft_Office_Directory_Traversal_Vulnerability_CVE-2019-0801     Suspected Compromise     Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type     Name
Category     Clinic's Patient Management System
Category     TBK DVR
Category     HiatusRAT
Category     RichFaces framework
Application     Temu

Updated objects:

Type     Name     Changes
Certificate Authority     vTrus DV SSL CA G1     Marked for removal
Certificate Authority     vTrus OV SSL CA G1     Marked for removal
Situation     URL_List-DNS-Over-HTTPS     Detection mechanism updated
IPList     Rwanda
IPList     Somalia
IPList     Yemen
IPList     Iraq
IPList     Saudi Arabia
IPList     Iran
IPList     Cyprus
IPList     Tanzania
IPList     Syria
IPList     Armenia
IPList     Kenya
IPList     DR Congo
IPList     Djibouti
IPList     Uganda
IPList     Central African Republic
IPList     Seychelles
IPList     Jordan
IPList     Lebanon
IPList     Kuwait
IPList     Oman
IPList     Qatar
IPList     Bahrain
IPList     United Arab Emirates
IPList     Israel
IPList     Türkiye
IPList     Ethiopia
IPList     Eritrea
IPList     Egypt
IPList     Sudan
IPList     Greece
IPList     Burundi
IPList     Estonia
IPList     Latvia
IPList     Azerbaijan
IPList     Lithuania
IPList     Svalbard and Jan Mayen
IPList     Georgia
IPList     Moldova
IPList     Belarus
IPList     Finland
IPList     Ukraine
IPList     North Macedonia
IPList     Hungary
IPList     Bulgaria
IPList     Albania
IPList     Poland
IPList     Romania
IPList     Zimbabwe
IPList     Zambia
IPList     Comoros
IPList     Malawi
IPList     Lesotho
IPList     Botswana
IPList     Mauritius
IPList     South Africa
IPList     Mozambique
IPList     Madagascar
IPList     Afghanistan
IPList     Pakistan
IPList     Bangladesh
IPList     Turkmenistan
IPList     Tajikistan
IPList     Sri Lanka
IPList     Bhutan
IPList     India
IPList     Maldives
IPList     Nepal
IPList     Myanmar
IPList     Uzbekistan
IPList     Kazakhstan
IPList     Kyrgyzstan
IPList     Vietnam
IPList     Thailand
IPList     Indonesia
IPList     Laos
IPList     Taiwan
IPList     Philippines
IPList     Malaysia
IPList     China
IPList     Hong Kong
IPList     Cambodia
IPList     South Korea
IPList     Japan
IPList     North Korea
IPList     Singapore
IPList     Timor-Leste
IPList     Russia
IPList     Mongolia
IPList     Australia
IPList     Papua New Guinea
IPList     Solomon Islands
IPList     Norfolk Island
IPList     New Zealand
IPList     Libya
IPList     Cameroon
IPList     Senegal
IPList     Congo Republic
IPList     Portugal
IPList     Liberia
IPList     Ivory Coast
IPList     Ghana
IPList     Equatorial Guinea
IPList     Nigeria
IPList     Burkina Faso
IPList     Togo
IPList     Guinea-Bissau
IPList     Mauritania
IPList     Benin
IPList     Gabon
IPList     Sierra Leone
IPList     Gambia
IPList     Guinea
IPList     Mali
IPList     Tunisia
IPList     Spain
IPList     Morocco
IPList     Malta
IPList     Algeria
IPList     Denmark
IPList     Iceland
IPList     United Kingdom
IPList     Switzerland
IPList     Sweden
IPList     The Netherlands
IPList     Austria
IPList     Belgium
IPList     Germany
IPList     Luxembourg
IPList     Ireland
IPList     Monaco
IPList     France
IPList     Andorra
IPList     Liechtenstein
IPList     Jersey
IPList     Isle of Man
IPList     Guernsey
IPList     Slovakia
IPList     Czechia
IPList     Norway
IPList     San Marino
IPList     Italy
IPList     Slovenia
IPList     Montenegro
IPList     Croatia
IPList     Bosnia and Herzegovina
IPList     Angola
IPList     Saint Helena
IPList     Cabo Verde
IPList     Suriname
IPList     Paraguay
IPList     Brazil
IPList     Jamaica
IPList     Dominican Republic
IPList     Cuba
IPList     Bahamas
IPList     Trinidad and Tobago
IPList     Aruba
IPList     British Virgin Islands
IPList     Saint Martin
IPList     Saint Barthélemy
IPList     Guadeloupe
IPList     Cayman Islands
IPList     El Salvador
IPList     Guatemala
IPList     Honduras
IPList     Nicaragua
IPList     Costa Rica
IPList     Venezuela
IPList     Ecuador
IPList     Colombia
IPList     Panama
IPList     Haiti
IPList     Argentina
IPList     Chile
IPList     Bolivia
IPList     Peru
IPList     Mexico
IPList     Puerto Rico
IPList     U.S. Outlying Islands
IPList     American Samoa
IPList     Canada
IPList     United States
IPList     Palestine
IPList     Serbia
IPList     Antarctica
IPList     South Sudan
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Amazon EC2
IPList     Amazon CLOUDFRONT
IPList     Akamai Servers
IPList     TOR relay nodes IP Address List
IPList     Amazon AMAZON af-south-1
IPList     Zscaler IP Address List
IPList     Amazon EC2 af-south-1
IPList     Amazon AMAZON ap-east-1
IPList     Amazon EC2 ap-east-1
IPList     Amazon AMAZON ap-south-2
IPList     Amazon EC2 ap-south-2
IPList     Amazon AMAZON ap-northeast-1
IPList     Amazon EC2 me-central-1
IPList     Amazon AMAZON me-central-1
IPList     Amazon EC2 ap-northeast-1
IPList     Amazon AMAZON eu-south-2
IPList     Amazon EC2 eu-south-2
IPList     Amazon AMAZON eu-central-2
IPList     Amazon EC2 eu-central-2
IPList     Amazon AMAZON il-central-1
IPList     Amazon AMAZON ap-northeast-2
IPList     Amazon EC2 ap-northeast-2
IPList     Amazon EC2 il-central-1
IPList     Amazon AMAZON ap-northeast-3
IPList     Amazon EC2 ap-northeast-3
IPList     Malicious Site IP Address List
IPList     Amazon AMAZON ap-southeast-6
IPList     Amazon EC2 ap-southeast-6
IPList     Amazon AMAZON ap-south-1
IPList     Amazon EC2 ap-south-1
IPList     Amazon CLOUDFRONT ap-south-1
IPList     Amazon AMAZON ap-southeast-1
IPList     Amazon EC2 ap-southeast-1
IPList     Amazon AMAZON ap-southeast-2
IPList     Amazon EC2 ap-southeast-2
IPList     Amazon AMAZON ca-central-1
IPList     Amazon EC2 ca-central-1
IPList     Amazon AMAZON cn-north-1
IPList     Amazon EC2 cn-north-1
IPList     Amazon AMAZON cn-northwest-1
IPList     Amazon EC2 cn-northwest-1
IPList     Amazon AMAZON eu-central-1
IPList     Amazon EC2 eu-central-1
IPList     Amazon AMAZON eu-north-1
IPList     Amazon EC2 eu-north-1
IPList     Amazon AMAZON ap-southeast-5
IPList     Amazon AMAZON eu-west-1
IPList     Amazon EC2 ap-southeast-5
IPList     Amazon EC2 eu-west-1
IPList     Amazon AMAZON eu-west-2
IPList     Amazon EC2 eu-west-2
IPList     Amazon AMAZON eu-west-3
IPList     Amazon EC2 eu-west-3
IPList     Amazon AMAZON me-south-1
IPList     Amazon EC2 me-south-1
IPList     Amazon AMAZON sa-east-1
IPList     Amazon EC2 sa-east-1
IPList     Amazon AMAZON us-east-1
IPList     Amazon EC2 us-east-1
IPList     Amazon AMAZON eusc-de-east-1
IPList     Amazon EC2 eusc-de-east-1
IPList     Amazon AMAZON us-east-2
IPList     Amazon EC2 us-east-2
IPList     Forcepoint Drop IP Address List
IPList     Amazon AMAZON us-gov-east-1
IPList     Amazon EC2 us-gov-east-1
IPList     Amazon AMAZON us-gov-west-1
IPList     Amazon EC2 us-gov-west-1
IPList     Amazon AMAZON us-west-1
IPList     Amazon EC2 us-west-1
IPList     Amazon AMAZON us-west-2
IPList     Amazon EC2 us-west-2
IPList     Amazon AMAZON eu-south-1
IPList     Amazon EC2 eu-south-1
IPList     Amazon AMAZON ap-southeast-3
IPList     Amazon EC2 ap-southeast-3
IPList     Amazon AMAZON ap-east-2
IPList     Amazon AMAZON mx-central-1
IPList     Amazon AMAZON ap-southeast-7
IPList     Amazon EC2 ap-southeast-7
IPList     Amazon EC2 mx-central-1
IPList     Amazon EC2 ap-east-2
IPList     Amazon EC2 ap-southeast-4
IPList     Amazon AMAZON ap-southeast-4
IPList     Amazon AMAZON ca-west-1
IPList     Amazon EC2 ca-west-1
Situation     HTTP_CSU-Shared-Variables
Application     Akamai-Infrastructure
Application     TOR
Application     Manoto
Application     DNS-Over-HTTPS

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.