Release notes for update package 1820-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Tuesday January 07, 2025
MD5 CHECKSUM:    79063a5cf9026b0d2de5170838ca79d3
SHA1 CHECKSUM:    0f97e40cd383e3650f45a2e8ef237b7d44b04fd7
SHA256 CHECKSUM:    552c3b67d2d3456473c4487fed9f1c47c817861eafe2ec3305386dfd9e6ac024


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk levelDescriptionReferenceVulnerability
High     An attempt to exploit a vulnerability in CyberPanel detected     CVE-2024-51568     Cyberpanel-Remote-Code-Execution-Via-completePath-Parameter-CVE-2024-51568
High     An attempt to exploit a vulnerability in Jenkins Jenkins detected     CVE-2024-47855     Jenkins-Core-JSON-Lib-Denial-Of-Service
High     An attempt to exploit a vulnerability in Moodle detected     CVE-2024-43425     Moodle-Calculated-Question-Types-Remote-Code-Execution-CVE-2024-43425
High     An attempt to exploit a vulnerability in Microsoft Windows Server detected     CVE-2024-38073     Microsoft-Windows-Rdl-Service-Tlsrpcchallengeserver-Handling-Two-Vulnerabilities
High     An attempt to exploit a vulnerability in RoundCube Webmail detected     CVE-2023-43770     Roundcube-Webmail-Linkref-Cross-Site-Scripting-CVE-2023-43770
Low     Request to a deprecated Airflow Experimental API detected     CVE-2020-13927     Apache-Airflow-Experimental-API-Authentication-Bypass-CVE-2020-13927

Jump to: Detected Attacks Other Changes

DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Jenkins-Core-JSON-Lib-Denial-Of-Service CVE-2024-47855 HTTP_CS-Jenkins-Core-JSON-Lib-Denial-Of-Service Suspected Compromise

HTTP Request URI

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
Low Apache-Airflow-Experimental-API-Authentication-Bypass-CVE-2020-13927 CVE-2020-13927 HTTP_CSU-Apache-Airflow-Experimental-API-Request Possibly Unwanted Content

MSRPC Client Payload Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Microsoft-Windows-Rdl-Service-Tlsrpcchallengeserver-Handling-Two-Vulnerabilities CVE-2024-38073 MSRPC-TCP_CPS-Microsoft-Windows-Rdl-Service-Tlsrpcchallengeserver-Handling-Two-Vulnerabilities Suspected Compromise

HTTP Normalized Request-Line

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Cyberpanel-Remote-Code-Execution-Via-completePath-Parameter-CVE-2024-51568 CVE-2024-51568 HTTP_CRL-Cyberpanel-Remote-Code-Execution-Via-completePath-Parameter-CVE-2024-51568 Suspected Compromise
High Moodle-Calculated-Question-Types-Remote-Code-Execution-CVE-2024-43425 CVE-2024-43425 HTTP_CRL-Moodle-Calculated-Question-Types-Remote-Code-Execution-CVE-2024-43425 Suspected Compromise

Text File Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation Type
High Roundcube-Webmail-Linkref-Cross-Site-Scripting-CVE-2023-43770 CVE-2023-43770 File-Text_Roundcube-Webmail-Linkref-Cross-Site-Scripting-CVE-2023-43770 Potential Compromise

Updated detected attacks:

HTTP Client Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Cyberpanel-Remote-Code-Execution-CVE-2024-51567 CVE-2024-51567 HTTP_CS-Cyberpanel-Remote-Code-Execution-CVE-2024-51567 Suspected Compromise
Fingerprint regexp changed

SMTP Client Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Dovecot-Rfc822_Parse_Domain-Out-Of-Bounds-Read CVE-2017-14461 SMTP_CS-Dovecot-Rfc822_Parse_Domain-Out-Of-Bounds-Read Suspected Compromise
Fingerprint regexp changed
Critical OpenSMTPD_Command-Injection_CVE-2020-7247 CVE-2020-7247 SMTP_CS-OpenSMTPD-Command-Injection-CVE-2020-7247 Compromise
Name: SMTP_CS-OpenSMTPD_Command-Injection_CVE-2020-7247->SMTP_CS-OpenSMTPD-Command-Injection-CVE-2020-7247
Fingerprint regexp changed

HTTP Request URI

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High NetGear-R7000-And-R6400-Cgi-Bin-Command-Injection CVE-2016-6277 HTTP_CSU-Cgi-Bin-Command-Injection Suspected Compromise
Fingerprint regexp changed
High D-Link-DSL-2750B-Command-Injection CVE-2016-20017 HTTP_CSU-D-Link-DSL-2750B-Command-Injection Suspected Compromise
Fingerprint regexp changed
High Ray-OS-Command-Injection-Via-Format-Parameter-CVE-2023-6019 CVE-2023-6019 HTTP_CSU-Ray-OS-Command-Injection-Via-Format-Parameter-CVE-2023-6019 Suspected Compromise
Fingerprint regexp changed

HTTP Request Header Line

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
Critical HTTP-WWW-File-Share-Pro-Directory-Traversal CVE-2004-0059 HTTP_CSH-File-Name-Directory-Traversal Compromise
Fingerprint regexp changed
High D-Link-HNAP-SOAPAction-Header-Command-Execution CVE-2015-2051 HTTP_CSH-D-Link-HNAP-SOAPAction-Header-Command-Execution Suspected Compromise
Fingerprint regexp changed

HTTP Normalized Request-Line

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Geutebruck-Multiple-RCE-CVE-2021-335xx CVE-2021-33543 HTTP_CRL-Geutebruck-Multiple-RCE-CVE-2021-335xx Suspected Compromise
Fingerprint regexp changed
High Roundcube-Webmail-RCE-Via-Config-Setting-CVE-2020-12641 CVE-2020-12641 HTTP_CRL-Roundcube-Webmail-ECE-Via-Config-Setting-CVE-2020-12641 Suspected Compromise
Fingerprint regexp changed
High LG-N1A1-NAS-Remote-Command-Execution-CVE-2018-14839 CVE-2018-14839 HTTP_CRL-LG-N1A1-NAS-Remote-Command-Execution-CVE-2018-14839 Suspected Compromise
Fingerprint regexp changed
High Sunhillo-Sureline-Command-Injection-CVE-2021-36380 CVE-2021-36380 HTTP_CRL-Sunhillo-Sureline-Command-Injection-CVE-2021-36380 Suspected Compromise
Fingerprint regexp changed
High Korenix-Jetwave-Command-Injection-CVE-2023-23294 CVE-2023-23294 HTTP_CRL-Korenix-Jetwave-Command-Injection-CVE-2023-23294 Suspected Compromise
Fingerprint regexp changed
High VMware-SD-WAN-Edge-Command-Injection-Vulnerability-CVE-2018-6961 CVE-2018-6961 HTTP_CRL-VMware-SD-WAN-Edge-Command-Injection-Vulnerability-CVE-2018-6961 Suspected Compromise
Fingerprint regexp changed
High Netgate-Pfsense-Command-Injection-CVE-2023-42326 CVE-2023-42326 HTTP_CRL-Netgate-Pfsense-Command-Injection-CVE-2023-42326 Suspected Compromise
Fingerprint regexp changed
High FXC-AE1021PE-Router-Command-Injection-CVE-2023-49897 CVE-2023-49897 HTTP_CRL-FXC-AE1021PE-Router-Command-Injection-CVE-2023-49897 Suspected Compromise
Fingerprint regexp changed
High LB-Link-Command-Injection-CVE-2023-26801 CVE-2023-26801 HTTP_CRL-LB-Link-Command-Injection-CVE-2023-26801 Suspected Compromise
Fingerprint regexp changed
High Avtech-IP-Camera-AVM1203-Command-Injection-CVE-2024-7029 CVE-2024-7029 HTTP_CRL-Avtech-IP-Camera-AVM1203-Command-Injection-CVE-2024-7029 Suspected Compromise
Fingerprint regexp changed
High Avtech-IP-Camera-Multiple-Command-Injection-Vulnerabilities No CVE/CAN HTTP_CRL-Avtech-IP-Camera-Multiple-Command-Injection-Vulnerabilities Suspected Compromise
Fingerprint regexp changed
High Palo-Alto-Expedition-OS-Command-Injection-CVE-2024-9464 CVE-2024-9464 HTTP_CRL-Palo-Alto-Expedition-OS-Command-Injection-CVE-2024-9464 Suspected Compromise
Fingerprint regexp changed
High VHD-PTZ-Camera-Firmware-Command-Injection-CVE-2024-8957 CVE-2024-8957 HTTP_CRL-VHD-PTZ-Camera-Firmware-Command-Injection-CVE-2024-8957 Suspected Compromise
Fingerprint regexp changed
High Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 CVE-2024-9474 HTTP_CRL-Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 Suspected Compromise
Fingerprint regexp changed
High LibreNMS-Authenticated-Command-Injection-CVE-2024-51092 CVE-2024-51092 HTTP_CRL-LibreNMS-Authenticated-Command-Injection-CVE-2024-51092 Suspected Compromise
Fingerprint regexp changed
High Digiever-DS2105-Pro-Remote-Code-Execution No CVE/CAN HTTP_CRL-Digiever-DS2105-Pro-Remote-Code-Execution Suspected Compromise
Fingerprint regexp changed
High Teltonika-RUT9XX-Router-OS-Command-Injection-CVE-2018-17532 CVE-2018-17532 HTTP_CRL-Teltonika-RUT9XX-Router-OS-Command-Injection-CVE-2018-17532 Suspected Compromise
Fingerprint regexp changed
High Four-Faith-Routers-F3x24-F3x36-Remote-Command-Injection-CVE-2024-12856 CVE-2024-12856 HTTP_CRL-Four-Faith-Routers-F3x24-F3x36-Remote-Command-Injection-CVE-2024-12856 Suspected Compromise
Fingerprint regexp changed
High Ivanti-Connect-Secure-Authenticated-Crlf-Injection-CVE-2024-37404 CVE-2024-37404 HTTP_CRL-Ivanti-Connect-Secure-Authenticated-Crlf-Injection-CVE-2024-37404 Suspected Compromise
Detection mechanism updated
High D-Link-TRENDnet-NCC-Service-Command-Injection CVE-2015-1187 HTTP_CRL-D-Link-TRENDnet-NCC-Service-Command-Injection Suspected Compromise
Fingerprint regexp changed
High Pfsense-Post-Auth-Group-Member-Command-Execution No CVE/CAN HTTP_CRL-Pfsense-Post-Auth-Group-Member-Command-Execution Suspected Compromise
Fingerprint regexp changed
High PAN-OS-GlobalProtect-Remote-Code-Execution-CVE-2019-1579 CVE-2019-1579 HTTP_CRL-PAN-OS-GlobalProtect-Remote-Code-Execution-CVE-2019-1579 Suspected Compromise
Fingerprint regexp changed

Text File Stream

RiskVulnerability/SituationReferencesRelated FingerprintSituation TypeChange Description
High Suspicious-Jsp-File-Upload No CVE/CAN File-Text_Suspicious-Jsp-File-Upload Suspected Compromise
Fingerprint regexp changed

LIST OF OTHER CHANGES:

Updated objects:

TypeNameChanges
IPListTOR exit nodes IP Address List
IPListAkamai Servers
IPListTOR relay nodes IP Address List
IPListMalicious Site IP Address List
IPListNordVPN Servers IP Address List
SituationHTTP_CSU-Shared-Variables
SituationHTTP_CS-Cyberpanel-Incorrect-Default-Permissions-Vulnerability
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application CyberPanel removed
Category tag group CVE2024 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Potential Compromise removed
Category tag group HTTP Correlation Dependency Group removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
SituationHTTP_CS-Shared-Variables-For-Client-Stream-Context
Fingerprint regexp changed
SituationE-Mail_HCS-Shared-Variables
Fingerprint regexp changed
SituationFile-Text_Shared-Variables
Fingerprint regexp changed
ApplicationAkamai-Infrastructure
ApplicationTOR
ApplicationManoto
ApplicationNordVPN

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select  Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.