This update package improves the detection capabilities of the Forcepoint LLM system.
| RELEASE DATE: |
Wednesday September 29, 2021 |
| MD5 CHECKSUM: |
9843ab7ef294e29a761ad6b27a928630 |
| SHA1 CHECKSUM: |
5f9f402b2b57d1b153fba3f1aad1c9bad64428c8 |
| SHA256 CHECKSUM: |
70b663ad8ae69dc3f6ceec89bae63a5b6f1abf4991fcd9b7a485b6728c2ca2f1 |
UPDATE CRITICALITY: HIGH
List of detected attacks in this update package:
Jump to: Detected Attacks Other Changes
DETECTED ATTACKS
New detected attacks:
DNS UDP Client Message
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
|
High |
PowerDNS-Authoritative-Server-CVE-2021-36754-DoS |
CVE-2021-36754 |
DNS-UDP_PowerDNS-Authoritative-Server-CVE-2021-36754-DoS |
Suspected Compromise |
TCP Client Stream Unknown
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
|
High |
Schneider-Electric-C-Bus-Toolkit-FILE-UPLOAD-Unrestricted-File-Upload |
CVE-2021-22719 |
Generic_CS-Schneider-Electric-C-Bus-Toolkit-FILE-UPLOAD-Unrestricted-File-Upload |
Suspected Compromise |
TCP Server Stream Unknown
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
|
High |
Oracle-Business-Intelligence-Publisher-Xdo-Xml-External-Entity-Injection |
CVE-2021-2400 |
Generic_TCP-Oracle-Business-Intelligence-Publisher-Xdo-Xml-External-Entity-Injection |
Suspected Disclosure |
HTTP Request URI
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
|
High |
Oracle-Oss-Support-Tools-Diagnostic-Assistant-External-Entity-Injection |
CVE-2021-2303 |
HTTP_CSU-Oracle-Oss-Support-Tools-Diagnostic-Assistant-External-Entity-Injection |
Suspected Compromise |
|
High |
Vcenter-Server-Arbitrary-File-Upload-CVE-2021-22005 |
CVE-2021-22005 |
HTTP_CSU-Vcenter-Server-Arbitrary-File-Upload-CVE-2021-22005 |
Suspected Compromise |
|
High |
FoggyWeb-Backdoor-C2-Traffic |
No CVE/CAN |
HTTP_CSU-FoggyWeb-Backdoor-C2-Traffic |
Suspected Botnet |
HTTP Request Header Line
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
|
High |
Haproxy-HTTP-Header-Handling-Integer-Overflow-Vulnerability |
CVE-2021-40346 |
HTTP_CSH-Haproxy-HTTP-Header-Handling-Integer-Overflow-Vulnerability |
Suspected Attack Related Anomalies |
HTTP Normalized Request-Line
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
|
High |
Oracle-Business-Intelligence-Publisher-Updateconnectionservlet-JNDI-Injection |
CVE-2021-2396 |
HTTP_CRL-Oracle-Business-Intelligence-Publisher-Updateconnectionservlet-JNDI-Injection |
Suspected Compromise |
|
High |
Nagios-XI-Manage-My-Dashboards-Page-Stored-Cross-Site-Scripting |
CVE-2021-38156 |
HTTP_CRL-Nagios-XI-Manage-My-Dashboards-Page-Stored-Cross-Site-Scripting |
Suspected Compromise |
|
High |
Vcenter-Server-VSAN-Health-Check-RCE-CVE-2021-21985 |
CVE-2021-21985 |
HTTP_CRL-Vcenter-Server-VSAN-Health-Check-RCE-CVE-2021-21985 |
Suspected Compromise |
|
High |
Studio-42-elFinder-Elfindervolumedriver-Command-Injection |
CVE-2021-32682 |
HTTP_CRL-Studio-42-elFinder-Elfindervolumedriver-Command-Injection |
Suspected Compromise |
|
High |
Centreon-Graph-Split-Chartid-SQL-Injection |
No CVE/CAN |
HTTP_CRL-Centreon-Graph-Split-Chartid-SQL-Injection |
Suspected Compromise |
|
High |
Gitlab-Mermaid-Markdown-Stored-Cross-Site-Scripting |
CVE-2021-22242 |
HTTP_CRL-Gitlab-Mermaid-Markdown-Stored-Cross-Site-Scripting |
Suspected Compromise |
Text File Stream
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
|
High |
PAC-Resolver-Remote-Code-Execution |
CVE-2021-23406 |
File-Text_PAC-Resolver-Remote-Code-Execution |
Suspected Compromise |
Updated detected attacks:
HTTP Normalized Request-Line
| Risk |
Vulnerability/Situation |
References |
Related Fingerprint |
Situation Type |
Change Description |
|
High |
Drupal-Core-Form-Rendering-Remote-Code-Execution |
CVE-2018-7600 |
HTTP_CRL-Drupalgeddon2-Post-Parameter |
Suspected Compromise |
| Fingerprint regexp changed |
|
|
High |
Solarwinds-Network-Performance-Monitor-Fromjson-Insecure-Deserialization |
CVE-2021-31474 |
HTTP_CRL-Solarwinds-Network-Performance-Monitor-Fromjson-Insecure-Deserialization |
Suspected Compromise |
| Fingerprint regexp changed |
|
|
High |
Fortinet-Fortiweb-OS-Command-Injection |
CVE-2021-22123 |
HTTP_CRL-Fortinet-Fortiweb-OS-Command-Injection |
Suspected Compromise |
| Fingerprint regexp changed |
|
LIST OF OTHER CHANGES:
New objects:
| Type |
Name |
| Category |
Oracle OSS Support Tools |
| IPList |
Microsoft Azure service for MicrosoftAzureFluidRelay |
| Situation |
ECABinaryChecksumSHA256 3080194 |
| Situation |
ECABinaryChecksumSHA256 3080195 |
| Element Ref |
Application dependency from Dropbox-File-Upload to Google-Hosted-Libraries |
| Element Ref |
Application dependency from Dropbox-File-Upload to Google |
Updated objects:
| Type |
Name |
Changes |
| Situation |
URLList for Superfeedr |
| Detection mechanism updated |
|
| Situation |
URLList for Volt-CRM |
| Detection mechanism updated |
|
| Situation |
URLList for reQall |
| Detection mechanism updated |
|
| Situation |
URLList for Mimecast |
| Detection mechanism updated |
|
| Situation |
URLList for Panaya |
| Detection mechanism updated |
|
| Situation |
URLList for Plex-Online |
| Detection mechanism updated |
|
| Situation |
URLList for Accellion |
| Detection mechanism updated |
|
| Situation |
URLList for Verio-Hosted-Exchange |
| Detection mechanism updated |
|
| IPList |
TOR exit nodes IP Address List |
|
| IPList |
Amazon AMAZON |
|
| IPList |
Spotify |
|
| IPList |
Google Servers |
|
| IPList |
TOR relay nodes IP Address List |
|
| IPList |
Microsoft Azure datacenter for centralus |
|
| IPList |
Microsoft Azure datacenter for eastus2 |
|
| IPList |
Microsoft Azure datacenter for eastus |
|
| IPList |
Microsoft Azure datacenter for japaneast |
|
| IPList |
Microsoft Azure datacenter for southcentralus |
|
| IPList |
Microsoft Azure datacenter for southeastasia |
|
| IPList |
Microsoft Azure datacenter for westeurope |
|
| IPList |
Microsoft Azure datacenter for westus2 |
|
| IPList |
Microsoft Azure datacenter |
|
| IPList |
Botnet IP Address List |
|
| IPList |
Malicious Site IP Address List |
|
| IPList |
Amazon AMAZON ap-southeast-1 |
|
| IPList |
Microsoft Azure datacenter for germanywc |
|
| IPList |
Microsoft Azure datacenter for uaenorth |
|
| IPList |
Microsoft Azure service for AppService |
|
| IPList |
Microsoft Azure service for AppServiceManagement |
|
| IPList |
Microsoft Azure service for AzureCloud |
|
| IPList |
Microsoft Azure service for AzureMonitor |
|
| IPList |
Microsoft Azure service for Sql |
|
| IPList |
Microsoft Azure service for WindowsVirtualDesktop |
|
| IPList |
Microsoft Azure datacenter for qatarcentral |
|
| IPList |
Microsoft Azure datacenter for taiwannorthwest |
|
| Situation |
TLS_Connection-Not-Decrypted-For-Inspection |
|
| Application |
Microsoft-Windows-Push-Notification-Service |
| Application detection context content changed |
| Application Port "tcp/443 tls: mandatory" -> "tcp/443 tls: free" |
| TLS Match identification changed from true to false |
|
| Application |
Microsoft-Ajax-CDN |
| Application detection context content changed |
| Application Port "tcp/443 tls: mandatory" -> "tcp/443 tls: free" |
| TLS Match identification changed from true to false |
|
DISCLAIMER AND COPYRIGHT
Copyright © 2021 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.