Release notes for update package 1222-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:     Monday February 10, 2020
MD5 CHECKSUM:     be86f90794e4474373c7b49e27eee3f6
SHA1 CHECKSUM:     1937dda572485d05c4efbc24691c73bd699c1f3c
SHA256 CHECKSUM:     ae7ac2a5f5d5331ffebbadf2d8c6187c88288e8c2a189858e3d2c51c7c6651fe

UPDATE CRITICALITY:    HIGH
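Before importing the package, verify the download against the checksums above. The following is an added Python example, not Forcepoint's own tooling; the package file path is whatever you downloaded, and the only constructed input is a small temporary file used by selfcheck(). Treat the SHA-256 match as the deciding check: MD5 and SHA-1 are collision-broken and are reported here only because the notes publish them. A matching checksum proves the file is the one the notes describe, not that the notes themselves are genuine, so obtain them over an authenticated channel.

```python
import hashlib
import hmac
import os
import sys
import tempfile

# Values as published in these release notes for package 1222-5242.
EXPECTED_1222_5242 = {
    "md5": "be86f90794e4474373c7b49e27eee3f6",
    "sha1": "1937dda572485d05c4efbc24691c73bd699c1f3c",
    "sha256": "ae7ac2a5f5d5331ffebbadf2d8c6187c88288e8c2a189858e3d2c51c7c6651fe",
}


def file_digests(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in one streaming pass."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_package(path, expected):
    """Return (ok, report). ok is True only when SHA-256 matches; the weaker
    digests are reported for completeness but never decide the outcome."""
    actual = file_digests(path)
    report = {}
    for name, want in expected.items():
        got = actual.get(name, "")
        # Constant-time comparison; both sides are ASCII hex strings.
        if got and hmac.compare_digest(got, want.lower()):
            report[name] = "OK"
        else:
            report[name] = "MISMATCH (got %s)" % got
    return report.get("sha256") == "OK", report


def selfcheck():
    """Constructed sample (not the real package): a temp file holding b'hello\\n'
    whose well-known digests must verify, and which must NOT verify against
    the package's published values."""
    sample = b"hello\n"
    sample_expected = {
        "md5": "b1946ac92492d2347c6235b4d2611184",
        "sha1": "f572d396fae9206628714fb2ce00f72e94f2258f",
        "sha256": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03",
    }
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        good_ok, good_report = verify_package(path, sample_expected)
        bad_ok, bad_report = verify_package(path, EXPECTED_1222_5242)
    finally:
        os.unlink(path)
    return good_ok, good_report, bad_ok, bad_report


if __name__ == "__main__":
    # Usage: python verify_update.py /path/to/downloaded/update-package
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("selfcheck:", selfcheck())
    else:
        ok, rep = verify_package(target, EXPECTED_1222_5242)
        for name, status in rep.items():
            print("%-7s %s" % (name, status))
        sys.exit(0 if ok else 1)
```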

List of detected attacks in this update package:

Risk level   Description                                                                          Reference        Vulnerability
High         Mozi botnet DHT traffic was detected                                                 No CVE/CAN       Mozi-Botnet-Traffic
High         Mozi botnet traffic was detected                                                     No CVE/CAN       Mozi-Botnet-Traffic
High         An attempt to exploit a vulnerability in Advantech WISE-PaaS/RMM detected            CVE-2019-18227   Advantech-WISE-PaaS-RMM-Wechatsignin-Wechattokenlogin-External-Entity-Injection
High         An attempt to exploit a vulnerability in Gila CMS detected                           CVE-2020-5513    Gila-CMS-DeleteAction-Local-File-Inclusion
High         An attempt to exploit a vulnerability in D-Link ssdpcgi function detected            CVE-2019-20215   D-Link-Devices-Unauthenticated-ssdpcgi-RCE
High         An attempt to exploit a vulnerability in Cesanta Mongoose detected                   CVE-2019-19307   Cesanta-Mongoose-Parse_MQTT-DOS
High         An attempt to exploit a vulnerability in Apache Software Foundation Log4j detected   CVE-2019-17571   Apache-Log4j-SocketServer-Untrusted-Deserialization
High         An attempt to exploit a vulnerability in Cesanta Mongoose detected                   CVE-2019-19307   Cesanta-Mongoose-Parse_MQTT-DOS
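To check which of these new detections matter for your estate, the added Python example below (not Forcepoint's code) parses the summary table in this release note and compares its CVE references against a hypothetical inventory of CVEs you track. The table text is copied inline as a constructed sample so the example runs offline. One caveat it makes visible: the summary table covers only new detections, so a CVE whose fingerprint was merely updated in this package (CVE-2020-7247 under "Updated detected attacks") shows as uncovered unless that section is parsed as well.

```python
import re

# Constructed sample: the "List of detected attacks" table from these notes.
SAMPLE_TABLE = """\
Risk level   Description   Reference   Vulnerability
High   Mozi botnet DHT traffic was detected   No CVE/CAN   Mozi-Botnet-Traffic
High   Mozi botnet traffic was detected   No CVE/CAN   Mozi-Botnet-Traffic
High   An attempt to exploit a vulnerability in Advantech WISE-PaaS/RMM detected   CVE-2019-18227   Advantech-WISE-PaaS-RMM-Wechatsignin-Wechattokenlogin-External-Entity-Injection
High   An attempt to exploit a vulnerability in Gila CMS detected   CVE-2020-5513   Gila-CMS-DeleteAction-Local-File-Inclusion
High   An attempt to exploit a vulnerability in D-Link ssdpcgi function detected   CVE-2019-20215   D-Link-Devices-Unauthenticated-ssdpcgi-RCE
High   An attempt to exploit a vulnerability in Cesanta Mongoose detected   CVE-2019-19307   Cesanta-Mongoose-Parse_MQTT-DOS
High   An attempt to exploit a vulnerability in Apache Software Foundation Log4j detected   CVE-2019-17571   Apache-Log4j-SocketServer-Untrusted-Deserialization
High   An attempt to exploit a vulnerability in Cesanta Mongoose detected   CVE-2019-19307   Cesanta-Mongoose-Parse_MQTT-DOS
"""

# One table row: risk, free-text description, a CVE id or "No CVE/CAN", and the
# situation name (no spaces). The description is matched lazily so that the
# reference column anchors the split regardless of how many spaces separate columns.
ROW = re.compile(
    r"^(?P<risk>Critical|High|Medium|Low)\s+"
    r"(?P<description>.+?)\s+"
    r"(?P<reference>CVE-\d{4}-\d{4,}|No CVE/CAN)\s+"
    r"(?P<situation>\S+)\s*$"
)


def parse_detections(text):
    """Return a list of row dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def coverage_for(rows, inventory_cves):
    """Split an inventory of CVE ids into (covered, not_covered) by this package.
    Duplicate rows (one per fingerprint) collapse into a single CVE entry."""
    covered = {r["reference"] for r in rows if r["reference"].startswith("CVE-")}
    wanted = set(inventory_cves)
    return sorted(covered & wanted), sorted(wanted - covered)


def situations_for(rows, cve):
    """Situation names that reference a given CVE (deduplicated, ordered)."""
    seen = []
    for r in rows:
        if r["reference"] == cve and r["situation"] not in seen:
            seen.append(r["situation"])
    return seen


if __name__ == "__main__":
    # Hypothetical inventory of CVEs tracked for this environment.
    inventory = ["CVE-2019-17571", "CVE-2019-19307", "CVE-2020-7247"]
    rows = parse_detections(SAMPLE_TABLE)
    covered, missing = coverage_for(rows, inventory)
    print("new detections in package:", len(rows))
    print("covered:", covered)
    print("not in summary table:", missing)
```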


DETECTED ATTACKS

New detected attacks:

Any UDP Packet

Risk   Vulnerability/Situation   References   Related Fingerprint               Situation Type
High   Mozi-Botnet-Traffic       No CVE/CAN   P2P-UDP_Mozi-Botnet-DHT-Traffic   Suspected Botnet

UDP Packet Unknown

Risk   Vulnerability/Situation                      References       Related Fingerprint                                       Situation Type
High   D-Link-Devices-Unauthenticated-ssdpcgi-RCE   CVE-2019-20215   Generic_UDP-D-Link-Devices-Unauthenticated-ssdpcgi-RCE   Suspected Compromise

TCP Client Stream Unknown

Risk   Vulnerability/Situation                               References       Related Fingerprint                                                Situation Type
High   Apache-Log4j-SocketServer-Untrusted-Deserialization   CVE-2019-17571   Generic_CS-Apache-Log4j-SocketServer-Untrusted-Deserialization   Potential Compromise
High   Cesanta-Mongoose-Parse_MQTT-DOS                       CVE-2019-19307   Generic_CS-Cesanta-Mongoose-Parse_MQTT-DOS                       Suspected Compromise

TCP Server Stream Unknown

Risk   Vulnerability/Situation           References       Related Fingerprint                           Situation Type
High   Cesanta-Mongoose-Parse_MQTT-DOS   CVE-2019-19307   Generic_TCP-Cesanta-Mongoose-Parse_MQTT-DOS   Suspected Compromise

HTTP Normalized Request-Line

Risk   Vulnerability/Situation                                                             References       Related Fingerprint                                                                          Situation Type
High   Mozi-Botnet-Traffic                                                                 No CVE/CAN       HTTP_CRL-Mozi-Botnet-Traffic                                                                 Suspected Botnet
High   Advantech-WISE-PaaS-RMM-Wechatsignin-Wechattokenlogin-External-Entity-Injection   CVE-2019-18227   HTTP_CRL-Advantech-WISE-PaaS-RMM-Wechatsignin-Wechattokenlogin-External-Entity-Injection   Suspected Compromise
High   Gila-CMS-DeleteAction-Local-File-Inclusion                                          CVE-2020-5513    HTTP_CRL-Gila-CMS-DeleteAction-Local-File-Inclusion                                          Suspected Compromise

Updated detected attacks:

SMTP Client Stream

Risk   Vulnerability/Situation                    References      Related Fingerprint                                 Situation Type         Change Description
High   OpenSMTPD_Command-Injection_CVE-2020-7247   CVE-2020-7247   SMTP_CS-OpenSMTPD_Command-Injection_CVE-2020-7247   Suspected Compromise   Fingerprint regexp changed

TCP Client Stream Unknown

Risk   Vulnerability/Situation                                      References       Related Fingerprint                                                       Situation Type         Change Description
High   GE-Mds-Pulsenet-Remote-Invocation-Insecure-Deserialization   CVE-2018-10611   Generic_CS-GE-Mds-Pulsenet-Remote-Invocation-Insecure-Deserialization   Potential Compromise   Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type       Name
Category   Gila CMS
Category   Cesanta Mongoose
Category   Apache Software Foundation Log4j

Updated objects:

Type                    Name                               Changes
Appliance Information   sg-120-0-C1.svg
Network Element         TOR exit nodes
Situation               URL_List-Known-Hostile-URL         Detection mechanism updated
Situation               File_Malware-SHA1                  Detection mechanism updated
IPList                  Amazon_CLOUDFRONT_us-east-1
IPList                  Amazon_AMAZON_us-east-1
IPList                  Amazon_AMAZON_cn-north-1
IPList                  TOR relay nodes IP Address List
IPList                  Akamai Servers
IPList                  Amazon_CLOUDFRONT
IPList                  TOR exit nodes IP Address List
IPList                  Amazon_AMAZON
IPList                  Google Servers

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein.

Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners.

Copyright © 2000-2020 Forcepoint LLC. All rights reserved.