Release notes for update package 1528-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:       Monday November 21, 2022
MD5 CHECKSUM:       efa43324f51e077318fdaa090eba1e4b
SHA1 CHECKSUM:      21293089986354cb3a30d748eab5d2d1e667420a
SHA256 CHECKSUM:    6bc4910c3ce31123bea148331979d0f55e5da084fedfba08961714002826577e

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level    Description    Reference    Vulnerability
High    An attempt to exploit a vulnerability in GLPI-Project GLPI detected    CVE-2022-39323    GLPI-Rest-API-User_Token-SQL-Injection
High    An XMRig cryptocoin miner    No CVE/CAN    Coinminer-Trojan-Traffic
High    An attempt to exploit a vulnerability in Delta Electronics DIAEnergie detected    CVE-2022-43774    Delta-Industrial-Automation-Diaenergie-Handlerpagep_Kid-SQL-Injection

DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    GLPI-Rest-API-User_Token-SQL-Injection    CVE-2022-39323    HTTP_CS-GLPI-Rest-API-User_Token-SQL-Injection    Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Delta-Industrial-Automation-Diaenergie-Handlerpagep_Kid-SQL-Injection    CVE-2022-43774    HTTP_CRL-Delta-Industrial-Automation-Diaenergie-Handlerpagep_Kid-SQL-Injection    Suspected Compromise

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Coinminer-Trojan-Traffic    No CVE/CAN    File-Text_Coinminer-Trojan-Traffic    Potential Compromise

Updated detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Quest-NetVault-Backup-Multipart-Request-Checksession-Authentication-Bypass    CVE-2018-1163    HTTP_CS-Quest-NetVault-Backup-Multipart-Request-Checksession-Authentication-Bypass    Suspected Compromise    Fingerprint regexp changed

TCP MSRPC Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Advantech-WebAccess-SCADA-Bwthinfl-Stack-Based-Buffer-Overflow    CVE-2019-6550    MSRPC-TCP_Advantech-WebAccess-SCADA-Bwthinfl-Stack-Based-Buffer-Overflow    Suspected Compromise    Fingerprint regexp changed

TCP Client Stream Unknown

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    HP-Lefthand-Virtual-SAN-Appliance-Hydra-SNMP-Processing-Buffer-Overflow    CVE-2012-3284    Generic_CS-HP-Lefthand-Virtual-SAN-Appliance-Hydra-SNMP-Processing-BOF    Suspected Compromise    Fingerprint regexp changed
High    HP-Data-Protector-Crs-Opcode-260-Stack-Buffer-Overflow    CVE-2013-2332    Generic_CS-HP-Data-Protector-Crs-Opcode-260-Stack-Buffer-Overflow    Potential Compromise    Detection mechanism updated

HTTP Request Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    PHP-HTTP-Multipart-Form-Data-Denial-Of-Service    CVE-2015-4024    HTTP_CSH-PHP-HTTP-Multipart-Form-Data-Denial-Of-Service    Suspected Compromise    Name: HTTP_CS-PHP-HTTP-Multipart-Form-Data-Denial-Of-Service->HTTP_CSH-PHP-HTTP-Multipart-Form-Data-Denial-Of-Service; Context has changed from HTTP Client Stream to HTTP Request Header Line
Low    Apache-HTTP-Server-Mod-Cache-Module-Denial-Of-Service    CVE-2007-1863    HTTP_CSH-Apache-HTTP-Server-Mod-Cache-Module-Denial-Of-Service    Potential Denial of Service    Fingerprint regexp changed
High    Apache-Struts-2-Cookieinterceptor-OGNL-Script-Injection    CVE-2012-0392    HTTP_CSH-Apache-Struts-2-Cookieinterceptor-OGNL-Script-Injection    Potential Compromise    Detection mechanism updated
High    Asterisk-Management-Interface-HTTP-Digest-Authentication-Stack-Buffer-Overflow    No CVE/CAN    HTTP_CSH-Asterisk-Management-Interface-Digest-Authentication-Stack-BOF    Suspected Compromise    Fingerprint regexp changed
High    Windows-HTTP.sys-DOS-Vulnerability-CVE-2013-1305    CVE-2013-1305    HTTP_CSH-Windows-HTTP.sys-DOS-Vulnerability-CVE-2013-1305    Suspected Compromise    Detection mechanism updated
High    Apache-Tomcat-Large-Chunked-Transfer-Denial-Of-Service    CVE-2013-4322    HTTP_CSH-Apache-Tomcat-Large-Chunked-Transfer-Denial-Of-Service    Suspected Compromise    Fingerprint regexp changed
High    Oracle-Web-Cache-Unspecified-Client-Request-Handling    CVE-2004-0385    HTTP_CSH-Oracle-Web-Cache-Unspecified-Client-Request-Handling-1    Suspected Compromise    Fingerprint regexp changed
High    Microsoft-OWA-XSS-Vulnerability-CVE-2015-1628    CVE-2015-1628    HTTP_CSH-Microsoft-OWA-XSS-Vulnerability-CVE-2015-1628    Potential Compromise    Detection mechanism updated
High    Generic-HTTP-Exploit    No CVE/CAN    HTTP_CHS-Suspicious-Host    Suspected Compromise    Detection mechanism updated
High    Ruby-WEBrick-Denial-Of-Service    CVE-2008-3656    HTTP_CSH-Ruby-WEBrick-Denial-Of-Service    Suspected Denial of Service    Detection mechanism updated
High    Squid-HTTP-Response-Processing-Denial-Of-Service    CVE-2016-3948    HTTP_CSH-Squid-HTTP-Response-Processing-Denial-Of-Service    Suspected Compromise    Fingerprint regexp changed
High    Locky-B-Control-Traffic    No CVE/CAN    HTTP_CSH-Locky-B-Control-Traffic    Botnet    Fingerprint regexp changed
High    Emotet-Banking-Malware    No CVE/CAN    HTTP_CHS-Emotet-Host-In-HTTP    Suspected Compromise    Fingerprint regexp changed
High    Advantech-WebAccess-Scada-Certupdate.asp-Filename-Directory-Traversal    CVE-2018-5445    HTTP_CSH-Advantech-WebAccess-Scada-Certupdate.asp-Filename-Directory-Traversal    Suspected Compromise    Fingerprint regexp changed
High    ISR-Stealer-C2-Traffic    No CVE/CAN    HTTP_CSH-ISR-Stealer-C2-Traffic    Botnet    Fingerprint regexp changed
High    D-Link-HNAP-SOAPAction-Header-Command-Execution    CVE-2015-2051    HTTP_CSH-D-Link-HNAP-SOAPAction-Header-Command-Execution    Suspected Compromise    Fingerprint regexp changed
High    Apache-Tika-Server-Command-Injection-Vulnerability    CVE-2018-1335    HTTP_CSH-Apache-Tika-Server-Command-Injection-Vulnerability    Suspected Compromise    Fingerprint regexp changed
High    Ruby-On-Rails-File-Content-Disclosure    CVE-2019-5418    HTTP_CRH-Ruby-On-Rails-File-Content-Disclosure    Suspected Compromise    Fingerprint regexp changed
High    Cisco-Elastic-Services-Controller-Rest-API-Authentication-Bypass    CVE-2019-1867    HTTP_CRH-Cisco-Elastic-Services-Controller-Rest-API-Authentication-Bypass    Suspected Compromise    Detection mechanism updated
High    Citrix-Path-Traversal-CVE-2019-19781    CVE-2019-19781    HTTP_CRH-Citrix-Path-Traversal-CVE-2019-19781    Suspected Compromise    Fingerprint regexp changed
High    Pivotal-RabbitMQ-X-reason-HTTP-Header-Denial-Of-Service    CVE-2019-11287    HTTP_CSH-Pivotal-RabbitMQ-X-reason-HTTP-Header-Denial-Of-Service    Suspected Compromise    Fingerprint regexp changed
High    Trend-Micro-Apex-One-And-OfficeScan-Directory-Traversal    CVE-2020-8599    HTTP_CRH-Trend-Micro-Apex-One-And-OfficeScan-Directory-Traversal    Suspected Compromise    Fingerprint regexp changed
High    Phishing-Related-URL    No CVE/CAN    HTTP_CSH-Phishing-URL-Accessed    Suspected Compromise    Fingerprint regexp changed
High    Microsoft-IIS-HTTP-Protocol-Stack-Remote-Code-Execution    CVE-2021-31166    HTTP_CRH-Microsoft-IIS-HTTP-Protocol-Stack-Remote-Code-Execution    Suspected Compromise    Detection mechanism updated
High    Apache-Pulsar-JSON-Web-Token-Authentication-Bypass    CVE-2021-22160    HTTP_CSH-Apache-Pulsar-JSON-Web-Token-Authentication-Bypass    Suspected Compromise    Fingerprint regexp changed
High    DotNetNuke-Cookie-Deserialization-RCE    CVE-2017-9822    HTTP_CSH-DotNetNuke-Cookie-Deserialization-RCE    Suspected Compromise    Detection mechanism updated
High    Redline-Password-Stealer-Infection-Traffic    No CVE/CAN    HTTP_CSH-Redline-Password-Stealer-Infection-Traffic    Suspected Botnet    Fingerprint regexp changed
High    Realtek-SDK-UPnP-Callback-Stack-Buffer-Overflow-CVE-2021-35392    CVE-2021-35392    HTTP_CSH-Realtek-SDK-UPnP-Callback-Stack-Buffer-Overflow-CVE-2021-35392    Suspected Compromise    Fingerprint regexp changed
High    Microsoft-Exchange-SSRF-CVE-2021-34473    CVE-2021-34473    HTTP_CRH-Microsoft-Exchange-SSRF-CVE-2021-34473    Suspected Compromise    Detection mechanism updated
High    Lighttpd-Mod_Extforward-Plugin-Mod_extforward_Forwarded-Denial-Of-Service    CVE-2022-22707    HTTP_CSH-Lighttpd-Mod_Extforward-Plugin-Mod_extforward_Forwarded-Denial-Of-Service    Suspected Compromise    Fingerprint regexp changed
High    Cisco-Small-Business-RV-Series-Authentication-Bypass-And-Command-Injection    CVE-2021-1473    HTTP_CSH-Cisco-Small-Business-RV-Series-Authentication-Bypass-And-Command-Injection    Suspected Compromise    Fingerprint regexp changed
High    Spring-Cloud-Function-Spel-Code-Injection-CVE-2022-22963    CVE-2022-22963    HTTP_CSH-Spring-Cloud-Function-Spel-Code-Injection-CVE-2022-22963    Suspected Compromise    Fingerprint regexp changed
High    Citrix-NetScaler-SD-WAN-CGISESSID-Command-Execution-CVE-2017-6316    CVE-2017-6316    HTTP_CSH-Citrix-NetScaler-SD-WAN-CGISESSID-Command-Execution-CVE-2017-6316    Suspected Compromise    Fingerprint regexp changed
High    FortiOS-Authentication-Bypass-CVE-2022-40684    CVE-2022-40684    HTTP_CSH-FortiOS-Authentication-Bypass-CVE-2022-40684    Suspected Compromise    Fingerprint regexp changed

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Suspicious-Jsp-File-Upload    No CVE/CAN    File-Text_Suspicious-Jsp-File-Upload    Suspected Compromise    Description has changed; Fingerprint regexp changed

Identified Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Wecon-Levistudio-PLC-Type-Heap-Buffer-Overflow    No CVE/CAN    File-TextId_Wecon-Levistudio-PLC-Type-Heap-Buffer-Overflow    Suspected Compromise    Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type Name
Appliance Information sg-352-0-C1.svg
Appliance Information sg-355-0-C1.svg
Report VPN Clients (Counters)

Updated objects:

Type Name Changes
IPList Rwanda
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Armenia
IPList Djibouti
IPList Seychelles
IPList Jordan
IPList Oman
IPList Bahrain
IPList United Arab Emirates
IPList Israel
IPList Turkey
IPList Eritrea
IPList Greece
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Georgia
IPList Moldova
IPList Belarus
IPList Finland
IPList Åland Islands
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Kosovo
IPList Mauritius
IPList Eswatini
IPList South Africa
IPList Madagascar
IPList Afghanistan
IPList Bangladesh
IPList India
IPList Nepal
IPList Uzbekistan
IPList Kazakhstan
IPList Kyrgyzstan
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Cambodia
IPList South Korea
IPList Japan
IPList Singapore
IPList Russia
IPList Mongolia
IPList Australia
IPList Libya
IPList Congo Republic
IPList Portugal
IPList Nigeria
IPList Chad
IPList Spain
IPList Algeria
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList France
IPList Slovakia
IPList Czechia
IPList Norway
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Angola
IPList Cabo Verde
IPList French Guiana
IPList Brazil
IPList Dominican Republic
IPList British Virgin Islands
IPList Cayman Islands
IPList Belize
IPList Honduras
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Argentina
IPList Peru
IPList Mexico
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList Canada
IPList United States
IPList Palestine
IPList Serbia
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon S3
IPList Amazon EC2
IPList Google Servers
IPList TOR relay nodes IP Address List
IPList Microsoft Azure datacenter for centraluseuap
IPList Microsoft Azure datacenter for centralus
IPList Microsoft Azure datacenter for eastus2euap
IPList Microsoft Azure datacenter for eastus2
IPList Netflix Servers
IPList Microsoft Azure datacenter for westeurope
IPList Microsoft Azure datacenter
IPList Amazon AMAZON af-south-1
IPList Amazon EC2 af-south-1
IPList Code42 Servers IP Address List
IPList Amazon AMAZON ap-east-1
IPList Amazon EC2 ap-east-1
IPList Amazon AMAZON ap-south-2
IPList Amazon EC2 ap-south-2
IPList Amazon AMAZON ap-northeast-1
IPList Amazon EC2 me-central-1
IPList Amazon AMAZON me-central-1
IPList Amazon EC2 ap-northeast-1
IPList Amazon AMAZON eu-south-2
IPList Amazon EC2 eu-south-2
IPList Amazon AMAZON eu-central-2
IPList Amazon EC2 eu-central-2
IPList Amazon AMAZON il-central-1
IPList Amazon AMAZON ap-northeast-2
IPList Amazon EC2 ap-northeast-2
IPList Amazon EC2 il-central-1
IPList Okta IP Address List
IPList Amazon AMAZON ap-northeast-3
IPList Amazon S3 ap-northeast-3
IPList Amazon EC2 ap-northeast-3
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON ap-south-1
IPList Amazon EC2 ap-south-1
IPList Amazon AMAZON ap-southeast-1
IPList Amazon EC2 ap-southeast-1
IPList Amazon AMAZON ap-southeast-2
IPList Amazon EC2 ap-southeast-2
IPList Amazon AMAZON ca-central-1
IPList Amazon EC2 ca-central-1
IPList Amazon AMAZON eu-central-1
IPList Amazon S3 eu-central-1
IPList Amazon EC2 eu-central-1
IPList Amazon AMAZON eu-north-1
IPList Amazon EC2 eu-north-1
IPList Amazon AMAZON eu-west-1
IPList Amazon EC2 eu-west-1
IPList Amazon AMAZON eu-west-2
IPList Amazon EC2 eu-west-2
IPList Amazon AMAZON eu-west-3
IPList Amazon S3 eu-west-3
IPList Amazon EC2 eu-west-3
IPList Amazon AMAZON me-south-1
IPList Amazon EC2 me-south-1
IPList Amazon AMAZON sa-east-1
IPList Amazon EC2 sa-east-1
IPList Amazon AMAZON us-east-1
IPList Amazon EC2 us-east-1
IPList Amazon AMAZON us-east-2
IPList Amazon S3 us-east-2
IPList Amazon EC2 us-east-2
IPList Amazon AMAZON us-gov-east-1
IPList Amazon EC2 us-gov-east-1
IPList Amazon AMAZON us-gov-west-1
IPList Amazon EC2 us-gov-west-1
IPList Amazon AMAZON us-west-1
IPList Amazon S3 us-west-1
IPList Amazon EC2 us-west-1
IPList Amazon AMAZON us-west-2
IPList Amazon EC2 us-west-2
IPList Amazon AMAZON eu-south-1
IPList Amazon EC2 eu-south-1
IPList Amazon AMAZON ap-southeast-3
IPList Amazon EC2 ap-southeast-3
IPList Microsoft Azure datacenter for germanywc
IPList Microsoft Azure service for AzureBackup
IPList Microsoft Azure service for AzureCloud
IPList Microsoft Azure service for AzureResourceManager
IPList Microsoft Azure service for AzureSiteRecovery
IPList Microsoft Azure service for GuestAndHybridManagement
IPList Microsoft Azure service for Sql
IPList Microsoft Azure service for EOPExternalPublishedIPs
IPList Microsoft Azure datacenter for qatarcentral
IPList Amazon S3 ap-southeast-4
IPList Amazon EC2 ap-southeast-4
IPList Amazon AMAZON ap-southeast-4
IPList Microsoft Azure datacenter for malaysiawest
IPList Microsoft Azure service for AzureStack
Situation Analyzer_Executable-Upload-After-Potential-Compromise
    Category tag situation Suspected Attack Related Anomalies added
    Category tag situation Attack Related Anomalies removed
Situation HTTP_CSH-Shared-Variables
    Fingerprint regexp changed
Situation HTTP_CSH-Overly-Long-Folded-Request-Header
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os HP-UX removed
    Category tag os OS X removed
    Category tag os Linux removed
    Category tag hardware Any Hardware removed
    Category tag application Apache2 removed
    Category tag group CVE2004 removed
    Category tag os_not_specific HP-UX not specific removed
    Category tag os_not_specific OS X not specific removed
    Category tag os_not_specific Linux not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CRL-Shared-Variables
    Fingerprint regexp changed
Situation FTP_CS-Non-FTP-Protocol-Seen-In-FTP-Port
    Fingerprint regexp changed
Global Settings GTI Global Settings

DISCLAIMER AND COPYRIGHT

Copyright © 2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.