Release notes for update package 1371-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Monday July 26, 2021
MD5 CHECKSUM:     290b149d1737c6d6fb5b119b26ce476e
SHA1 CHECKSUM:     30a93df578dfec4fdf6ee7c8593cf0821ef472fd
SHA256 CHECKSUM:     791d02c682ba68e36139819124d9e437ca07f59ad6af6a15e26b360a0f6be401

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in ManageEngine Applications Manager detected | CVE-2021-31813 | Zoho-Manageengine-Applications-Manager-Userconfigurationaction-XSS
High | Malicious obfuscated JavaScript and VBScript, leading to malware download, was detected | No CVE/CAN | Malicious-Obsucation-JavaScript-VBScript-HTML
High | An attempt to exploit a vulnerability in Apache Software Foundation Struts detected | CVE-2017-9791 | Apache-Struts-2-Struts-1-Plugin-Remote-Code-Execution
High | An attempt to exploit a vulnerability in WebSVN WebSVN detected | CVE-2021-32305 | Websvn-Search-Command-Injection
High | An attempt to exploit a vulnerability in Microsoft Windows Remote Desktop detected | CVE-2019-1181 | Microsoft-Windows-RDS-DVC-Decompression-Heap-Buffer-Overflow
High | An attempt to exploit a vulnerability in Microsoft Windows Server detected | CVE-2019-1206 | Microsoft-Windows-DHCP-Server-Failover-DoS
High | IcedID trojan infection traffic was detected | No CVE/CAN | IcedID-Trojan-Infection-Traffic
High | An attempt to exploit a vulnerability in Microsoft Windows Jet Database Engine detected | CVE-2019-1249 | Microsoft-Windows-Jet-Database-CVE-2019-1249-RCE
High | An attempt to exploit a vulnerability in Adobe Systems Acrobat Reader detected | CVE-2021-28639 | Adobe-Acrobat-Reader-Dc-Window-Procedure-wm_setFocus-Use-After-Free
Low | A vulnerability in OpenSSL detected | CVE-2021-3449 | OpenSSL-TLS-Server-Renegotiation-Null-Pointer-Dereference

DETECTED ATTACKS

New detected attacks:

HTTPS Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
Low | OpenSSL-TLS-Server-Renegotiation-Null-Pointer-Dereference | CVE-2021-3449 | HTTPS_CS-OpenSSL-TLS-Server-Renegotiation-Null-Pointer-Dereference | Potential Denial of Service

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Windows-RDS-DVC-Decompression-Heap-Buffer-Overflow | CVE-2019-1181 | Generic_CS-Microsoft-Windows-RDS-DVC-Decompression-Heap-Buffer-Overflow | Potential Compromise
High | Microsoft-Windows-DHCP-Server-Failover-DoS | CVE-2019-1206 | Generic_CS-Microsoft-Windows-DHCP-Server-Failover-DoS | Suspected Denial of Service

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | IcedID-Trojan-Infection-Traffic | No CVE/CAN | HTTP_CSH-IcedID-Trojan-Infection-Traffic | Suspected Botnet

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Apache-Struts-2-Struts-1-Plugin-Remote-Code-Execution | CVE-2017-9791 | HTTP_CRL-Apache-Struts-2-Struts-1-Plugin-Remote-Code-Execution | Suspected Compromise
High | Websvn-Search-Command-Injection | CVE-2021-32305 | HTTP_CRL-Websvn-Search-Command-Injection | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Zoho-Manageengine-Applications-Manager-Userconfigurationaction-XSS | CVE-2021-31813 | File-Text_Zoho-Manageengine-Applications-Manager-Userconfigurationaction-Cross-Site-Scripting | Suspected Compromise
High | Malicious-Obsucation-JavaScript-VBScript-HTML | No CVE/CAN | File-Text_Malicious-Obfuscated-JavaScript-VBScript-Detected | Suspected Attack Related Anomalies

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Windows-Jet-Database-CVE-2019-1249-RCE | CVE-2019-1249 | File-Binary_Microsoft-Windows-Jet-Database-CVE-2019-1249-RCE | Potential Compromise

PDF File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Adobe-Acrobat-Reader-Dc-Window-Procedure-wm_setFocus-Use-After-Free | CVE-2021-28639 | File-PDF_Adobe-Acrobat-Reader-Dc-Window-Procedure-wm_setFocus-Use-After-Free | Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Maze-Ransomware-Traffic | No CVE/CAN | HTTP_CS-Maze-Ransomware-Traffic | Potential Botnet | Detection mechanism updated

DNS UDP Client Message

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | ISC-Bind-Tsig-Validation-Denial-Of-Service | CVE-2020-8617 | DNS-UDP_ISC-Bind-Tsig-Validation-Denial-Of-Service | Suspected Compromise | Fingerprint regexp changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Advantech-WebAccess-Scada-Bwmainleft-Cross-Site-Scripting | CVE-2018-15707 | HTTP_CRL-Advantech-WebAccess-Scada-Bwmainleft-Cross-Site-Scripting | Suspected Compromise | Fingerprint regexp changed
High | HomeMatic-CCU2-RCE | CVE-2018-7297 | HTTP_CRL-HomeMatic-CCU2-RCE | Suspected Compromise | Fingerprint regexp changed
High | F5-iControl-Rest-Unauthenticated-RCE-CVE-2021-22986 | CVE-2021-22986 | HTTP_CRL-F5-iControl-Rest-Unauthenticated-RCE-CVE-2021-22986 | Suspected Compromise | Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | WebSVN
IPList | Amazon AMAZON_APPFLOW af-south-1
Element | Ref 115
Element | Ref 117

Updated objects:

Type Name Changes
IPList Rwanda
IPList Somalia
IPList Yemen
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Tanzania
IPList Syria
IPList Armenia
IPList Kenya
IPList DR Congo
IPList Djibouti
IPList Uganda
IPList Central African Republic
IPList Seychelles
IPList Jordan
IPList Lebanon
IPList Kuwait
IPList Oman
IPList Qatar
IPList Bahrain
IPList United Arab Emirates
IPList Israel
IPList Turkey
IPList Ethiopia
IPList Eritrea
IPList Egypt
IPList Sudan
IPList Greece
IPList Burundi
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Georgia
IPList Moldova
IPList Belarus
IPList Finland
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Zimbabwe
IPList Zambia
IPList Comoros
IPList Malawi
IPList Lesotho
IPList Botswana
IPList Mauritius
IPList Eswatini
IPList Réunion
IPList South Africa
IPList Mayotte
IPList Mozambique
IPList Madagascar
IPList Afghanistan
IPList Pakistan
IPList Bangladesh
IPList Turkmenistan
IPList Tajikistan
IPList Sri Lanka
IPList Bhutan
IPList India
IPList Maldives
IPList British Indian Ocean Territory
IPList Nepal
IPList Myanmar
IPList Uzbekistan
IPList Kazakhstan
IPList Kyrgyzstan
IPList Heard Island and McDonald Islands
IPList Palau
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Laos
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Brunei
IPList Macao
IPList Cambodia
IPList South Korea
IPList Japan
IPList North Korea
IPList Singapore
IPList Cook Islands
IPList East Timor
IPList Russia
IPList Mongolia
IPList Australia
IPList Marshall Islands
IPList Federated States of Micronesia
IPList Papua New Guinea
IPList Solomon Islands
IPList Tuvalu
IPList Nauru
IPList Vanuatu
IPList New Caledonia
IPList Norfolk Island
IPList New Zealand
IPList Fiji
IPList Libya
IPList Cameroon
IPList Senegal
IPList Congo Republic
IPList Portugal
IPList Liberia
IPList Ivory Coast
IPList Ghana
IPList Equatorial Guinea
IPList Nigeria
IPList Burkina Faso
IPList Togo
IPList Guinea-Bissau
IPList Mauritania
IPList Benin
IPList Gabon
IPList Sierra Leone
IPList São Tomé and Príncipe
IPList Gibraltar
IPList Gambia
IPList Guinea
IPList Chad
IPList Niger
IPList Mali
IPList Tunisia
IPList Spain
IPList Morocco
IPList Malta
IPList Algeria
IPList Faroe Islands
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList Principality of Monaco
IPList France
IPList Andorra
IPList Liechtenstein
IPList Jersey
IPList Isle of Man
IPList Guernsey
IPList Slovakia
IPList Czechia
IPList Norway
IPList Vatican City
IPList San Marino
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Bosnia and Herzegovina
IPList Angola
IPList Namibia
IPList Barbados
IPList Cabo Verde
IPList Guyana
IPList French Guiana
IPList Suriname
IPList Saint Pierre and Miquelon
IPList Greenland
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Jamaica
IPList Dominican Republic
IPList Cuba
IPList Martinique
IPList Bahamas
IPList Bermuda
IPList Trinidad and Tobago
IPList St Kitts and Nevis
IPList Dominica
IPList Antigua and Barbuda
IPList Turks and Caicos Islands
IPList Aruba
IPList British Virgin Islands
IPList Saint Vincent and the Grenadines
IPList Montserrat
IPList Saint Martin
IPList Saint Barthélemy
IPList Guadeloupe
IPList Grenada
IPList Cayman Islands
IPList Belize
IPList El Salvador
IPList Guatemala
IPList Honduras
IPList Nicaragua
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Haiti
IPList Argentina
IPList Chile
IPList Bolivia
IPList Peru
IPList Mexico
IPList French Polynesia
IPList Kiribati
IPList Tonga
IPList Wallis and Futuna
IPList Samoa
IPList Niue
IPList Northern Mariana Islands
IPList Guam
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList American Samoa
IPList Canada
IPList United States
IPList Palestine
IPList Serbia
IPList Curaçao
IPList South Sudan
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon EC2
IPList TOR relay nodes IP Address List
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON eu-west-3
IPList Amazon AMAZON us-east-1
IPList Amazon AMAZON us-gov-east-1
IPList Amazon AMAZON us-gov-west-1
IPList Amazon AMAZON us-west-1
IPList Amazon EC2 us-west-1
IPList Amazon AMAZON us-west-2
IPList Amazon EC2 us-west-2
IPList Amazon AMAZON ap-southeast-3
IPList Amazon EC2 ap-southeast-3
IPList Amazon AMAZON_APPFLOW
IPList Amazon AMAZON_APPFLOW ap-northeast-1
IPList Amazon AMAZON_APPFLOW ap-northeast-2
IPList Amazon AMAZON_APPFLOW ap-southeast-1
IPList Amazon AMAZON_APPFLOW ap-southeast-2
IPList Amazon AMAZON_APPFLOW ap-south-1
IPList Amazon AMAZON_APPFLOW ca-central-1
IPList Amazon AMAZON_APPFLOW eu-west-1
IPList Amazon AMAZON_APPFLOW eu-west-2
IPList Amazon AMAZON_APPFLOW eu-west-3
IPList Amazon AMAZON_APPFLOW eu-central-1
IPList Amazon AMAZON_APPFLOW us-west-1
IPList Amazon AMAZON_APPFLOW us-west-2
IPList Amazon AMAZON_APPFLOW us-east-1
IPList Amazon AMAZON_APPFLOW us-east-2
IPList Amazon AMAZON_APPFLOW sa-east-1
Situation Generic_SS-Shared-Variables-Fingerprint (Fingerprint regexp changed)
Situation HTTP_CSU-Shared-Variables
Application Amazon-AWS (Application detection context content changed)

DISCLAIMER AND COPYRIGHT

Copyright © 2021 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.