Release notes for update package 1242-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Thursday April 16, 2020
MD5 CHECKSUM:     c2652ddc990368b681bf77ece2a8552f
SHA1 CHECKSUM:     e2a35a6060da2528adc6a96ec3384b17173e5fb5
SHA256 CHECKSUM:     c245a28a8c128a45686d1afb4d556e88e0d82e3d431a15ecdc9779a482cdea56

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Schneider Electric IGSS detected     CVE-2020-7478     Schneider-Electric-IGSS-IGSSupdateservice-Directory-Traversal
High     An attempt to exploit a vulnerability in Advantech WISE-PaaS/RMM detected     CVE-2019-18229     Advantech-WISE-PaaS-RMM-SQLMgmt-Qrydata-SQL-Injection
High     An attempt to exploit a vulnerability in Apache Software Foundation Dubbo detected     CVE-2019-17564     Apache-Dubbo-Httpremoteinvocation-Insecure-Deserialization

DETECTED ATTACKS

New detected attacks:

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Schneider-Electric-IGSS-IGSSupdateservice-Directory-Traversal     CVE-2020-7478     Generic_CS-Schneider-Electric-IGSS-IGSSupdateservice-Directory-Traversal     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Advantech-WISE-PaaS-RMM-SQLMgmt-Qrydata-SQL-Injection     CVE-2019-18229     File-Text_Advantech-WISE-PaaS-RMM-SQLMgmt-Qrydata-SQL-Injection     Suspected Compromise

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Apache-Dubbo-Httpremoteinvocation-Insecure-Deserialization     CVE-2019-17564     File-Binary_Apache-Dubbo-Httpremoteinvocation-Insecure-Deserialization     Suspected Compromise

Updated detected attacks:

MSRPC Client Payload Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Advantech-WebAccess-Scada-Bwpalarm-IOCTL-70022-Heap-Buffer-Overflow     No CVE/CAN     MSRPC-TCP_CPS-Advantech-WebAccess-Scada-Bwpalarm-IOCTL-70022-Heap-Buffer-Overflow     Suspected Compromise     Fingerprint regexp changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     JavaScript-Obfuscation     No CVE/CAN     File-Text_Aaencode-Obfuscated-Script-Detected     Suspected Attack Related Anomalies     Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type     Name
Category     Apache Dubbo
Situation     IP_Webex_Server

Updated objects:

Type     Name     Changes
Network Element     TOR exit nodes
Application     Webex-Teams
          Application detection context content changed
          Application Port "udp/5004 tls: no" removed
          Application Port "udp/33434-33598 tls: no" removed
IPList     Amazon EC2 us-east-1
IPList     Amazon AMAZON us-east-1
IPList     Amazon AMAZON us-west-2
IPList     Amazon EC2 us-west-2
IPList     Amazon AMAZON af-south-1
IPList     TOR relay nodes IP Address List
IPList     Webex Servers IP Address List
IPList     Amazon EC2
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Microsoft Office 365 Common and Office Online

DISCLAIMER AND COPYRIGHT

The information in this document is provided only for educational purposes and for the convenience of Forcepoint customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation, circumstance, or system configuration - use at your own risk. Forcepoint does not warrant or endorse any third-party products described herein.

Forcepoint™ is a trademark of Forcepoint, LLC. SureView®, ThreatSeeker®, Triton®, Sidewinder®, and Stonesoft® are registered trademarks of Forcepoint, LLC. Raytheon® is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are the property of their respective owners.

Copyright © 2000-2020 Forcepoint LLC. All rights reserved.