Release notes for update package 1818-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Tuesday December 31, 2024
MD5 CHECKSUM:    8f20542005d93b888f10216ea5a5cff9
SHA1 CHECKSUM:    e97e04f352e4398652f8b87ff28a19f767fd76d7
SHA256 CHECKSUM:    30c5aec6522fd9db5e4e3f6513f15d04fb46fc4fb070d563299e18cbba5c3ab1


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in LibreNMS detected | CVE-2024-50352 | LibreNMS-Device-Overview-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in Netgate pfSense detected | CVE-2024-46538 | Netgate-Pfsense-Stored-Cross-Site-Scripting-CVE-2024-46538
High | An attempt to exploit a vulnerability in VMware vCenter Server detected | CVE-2024-38812 | VMware-Vcenter-Server-Out-Of-Bounds-Write-CVE-2024-38812
High | An attempt to exploit a vulnerability in Four-Faith router detected | CVE-2024-12856 | Four-Faith-Routers-F3x24-F3x36-Remote-Command-Injection-CVE-2024-12856
High | An attempt to exploit a vulnerability in Zimbra Collaboration detected | CVE-2023-37580 | Zimbra-Collaboration-Classic-Web-Client-Cross-Site-Scripting-CVE-2023-37580
High | An attempt to exploit a vulnerability in Zimbra Collaboration detected | CVE-2023-37580 | Zimbra-Collaboration-Classic-Web-Client-Cross-Site-Scripting-CVE-2023-37580
High | An attempt to exploit a vulnerability in Teltonika RUT9XX routers detected | CVE-2018-17532 | Teltonika-RUT9XX-Router-OS-Command-Injection-CVE-2018-17532


DETECTED ATTACKS

New detected attacks:

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Zimbra-Collaboration-Classic-Web-Client-Cross-Site-Scripting-CVE-2023-37580 | CVE-2023-37580 | HTTP_CSU-Zimbra-Collaboration-Classic-Web-Client-Cross-Site-Scripting-CVE-2023-37580 | Suspected Compromise

MSRPC Client Payload Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | VMware-Vcenter-Server-Out-Of-Bounds-Write-CVE-2024-38812 | CVE-2024-38812 | MSRPC-TCP_CPS-VMware-Vcenter-Server-Out-Of-Bounds-Write-CVE-2024-38812 | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | LibreNMS-Device-Overview-Stored-Cross-Site-Scripting | CVE-2024-50352 | HTTP_CRL-LibreNMS-Device-Overview-Stored-Cross-Site-Scripting | Suspected Compromise
High | Netgate-Pfsense-Stored-Cross-Site-Scripting-CVE-2024-46538 | CVE-2024-46538 | HTTP_CRL-Netgate-Pfsense-Stored-Cross-Site-Scripting-CVE-2024-46538 | Suspected Compromise
High | Teltonika-RUT9XX-Router-OS-Command-Injection-CVE-2018-17532 | CVE-2018-17532 | HTTP_CRL-Teltonika-RUT9XX-Router-OS-Command-Injection-CVE-2018-17532 | Suspected Compromise
High | Four-Faith-Routers-F3x24-F3x36-Remote-Command-Injection-CVE-2024-12856 | CVE-2024-12856 | HTTP_CRL-Four-Faith-Routers-F3x24-F3x36-Remote-Command-Injection-CVE-2024-12856 | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Zimbra-Collaboration-Classic-Web-Client-Cross-Site-Scripting-CVE-2023-37580 | CVE-2023-37580 | File-Text_Zimbra-Collaboration-Classic-Web-Client-Cross-Site-Scripting-CVE-2023-37580 | Suspected Compromise

Updated detected attacks:

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | D-Link-HNAP-SOAPAction-Header-Command-Execution | CVE-2015-2051 | HTTP_CSH-D-Link-HNAP-SOAPAction-Header-Command-Execution | Suspected Compromise
    Change description:
    - Description has changed
    - Category tag group CVE2019 added
    - Category tag group CVE2022 added
    - Category tag group CVE2024 added
    - Fingerprint regexp changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | LibreNMS-Aboutcontroller.php-Command-Injection | CVE-2024-51092 | HTTP_CRL-LibreNMS-Aboutcontroller-Command-Injection | Suspected Compromise
    Change description:
    - Fingerprint regexp changed
High | Pfsense-Post-Auth-Group-Member-Command-Execution | No CVE/CAN | HTTP_CRL-Pfsense-Post-Auth-Group-Member-Command-Execution | Suspected Compromise
    Change description:
    - Name: HTTP_CRL-Pfsense_Post_Auth_Command_Execution->HTTP_CRL-Pfsense-Post-Auth-Group-Member-Command-Execution
    - Description has changed
    - Fingerprint regexp changed
High | Netlink-GPON-Router-Remote-Code-Execution | No CVE/CAN | HTTP_CRL-Netlink-GPON-Router-Remote-Code-Execution | Suspected Compromise
    Change description:
    - Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Four-Faith Router
Category | Teltonika RUT9XX

Updated objects:

Type | Name | Changes
Situation | URL_List-DNS-Over-HTTPS
    - Detection mechanism updated
IPList | TOR exit nodes IP Address List
IPList | TOR relay nodes IP Address List
IPList | Microsoft Intune IP Address List
IPList | Botnet IP Address List
IPList | Malicious Site IP Address List
IPList | NordVPN Servers IP Address List
IPList | Forcepoint Drop IP Address List
Situation | HTTP_CSU-Shared-Variables
Situation | HTTP_CRL-Pfsense-Authenticated-Group-Member-Remote-Command-Execution
    - Description has changed
    - Attacker: connection_source->none
    - Victim: connection_destination->none
    - Category tag situation Obsolete added
    - Category tag os FreeBSD removed
    - Category tag hardware Any Hardware removed
    - Category tag application PfSense removed
    - Category tag os_not_specific FreeBSD not specific removed
    - Category tag situation Suspected Compromise removed
    - Category tag group HTTP Correlation Dependency Group removed
    - Category tag group Severity over 4 Correlation Dependency Group removed
    - Category tag group TCP Client Traffic removed
    - Fingerprint regexp changed
Application | TOR
Application | DNS-Over-HTTPS
Application | Microsoft-Intune
Application | NordVPN

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
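Step 1 asks you to confirm that the downloaded file matches the published checksums before importing it. The script below is an added example for doing that from a shell; it is not part of the Forcepoint tooling. It assumes the coreutils md5sum/sha1sum/sha256sum commands (falling back to openssl dgst where they are absent) and checks all three published digests for package 1818-5242, so a file that matches only one of the weaker hashes is still rejected.

```shell
#!/bin/sh
# Added example (not Forcepoint's own tooling): verify a downloaded update
# package against the checksums published in the release notes.
# Usage: sh verify_update.sh <downloaded-file>

# Print the lowercase hex digest of a file for the given algorithm
# (md5, sha1 or sha256). Uses coreutils <algo>sum when present, otherwise
# "openssl dgst -r", which prints in the same "<hash> <file>" layout.
digest() {
    algo=$1 file=$2
    case "$algo" in
        md5|sha1|sha256) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file"
    else
        openssl dgst "-$algo" -r "$file"
    fi | awk '{print tolower($1)}'
}

# Compare the computed digest with the expected one.
# Returns 0 on match, 1 on mismatch (including an unreadable file).
verify_checksum() {
    algo=$1 file=$2 expected=$3
    actual=$(digest "$algo" "$file") || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "$algo OK       $file"
        return 0
    fi
    echo "$algo MISMATCH $file (expected $expected, got ${actual:-<none>})" >&2
    return 1
}

# Check a file against all three published digests. Every digest must match;
# a single mismatch fails the whole verification.
verify_update_package() {
    file=$1
    status=0
    verify_checksum md5    "$file" "$2" || status=1
    verify_checksum sha1   "$file" "$3" || status=1
    verify_checksum sha256 "$file" "$4" || status=1
    return $status
}

# Checksums published in these release notes for update package 1818-5242.
PKG_MD5=8f20542005d93b888f10216ea5a5cff9
PKG_SHA1=e97e04f352e4398652f8b87ff28a19f767fd76d7
PKG_SHA256=30c5aec6522fd9db5e4e3f6513f15d04fb46fc4fb070d563299e18cbba5c3ab1

# When invoked with a file argument, verify it and exit non-zero on any mismatch.
if [ -n "${1:-}" ]; then
    verify_update_package "$1" "$PKG_MD5" "$PKG_SHA1" "$PKG_SHA256"
fi
```

Run it as `sh verify_update.sh <downloaded-file>`; a non-zero exit status means at least one digest did not match and the package should not be imported.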

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.