Release notes for update package 1554-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:    Wednesday February 08, 2023
MD5 CHECKSUM:    6d076796bae81ce5bdb197db8ef2722d
SHA1 CHECKSUM:   24b580dd96ca03f4882689d598137b3a56577005
SHA256 CHECKSUM: d851d0800a3106258ebf5b2ea1572c060a4c0728e5d35578c75847ae18472c3f

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in Lansweeper detected. | CVE-2022-29517 | Lansweeper-Helpdeskactions.aspx-Edittemplate-Directory-Traversal
High | An attempt to exploit a vulnerability in SolarWinds Network Performance Monitor detected. | CVE-2022-36958 | Solarwinds-NPM-DeserializeFromStrippedXml-Insecure-Deserialization
High | An attempt to exploit a vulnerability in GoAnywhere MFT detected. | CVE-2023-0669 | GoAnywhere-MFT-Remote-Code-Execution-CVE-2023-0669
High | An attempt to exploit a vulnerability in ksmbd detected. | CVE-2022-47941 | Linux-Kernel-Ksmbd-SMB2_Negotiate-Handling-Denial-Of-Service
High | An attempt to exploit a vulnerability in Adobe ColdFusion detected. | CVE-2022-35690 | Adobe-ColdFusion-CVE-2022-35690-ODBC-Agent-Memory-Corruption
High | An attempt to exploit a vulnerability in SolarWinds Network Performance Monitor detected. | CVE-2022-38108 | Solarwinds-NPM-BytesToMessage-Insecure-Deserialization
High | An attempt to exploit a vulnerability in Apache Software Foundation Fineract detected. | CVE-2022-44635 | Apache-Fineract-Imagesapiresource-Arbitrary-File-Upload
High | An attempt to exploit a vulnerability in Zabbix detected. | CVE-2022-23131 | Zabbix-Unsafe-Client-Side-Session-Storage-CVE-2022-23131

DETECTED ATTACKS

New detected attacks:

TCP SMB Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Linux-Kernel-Ksmbd-SMB2_Negotiate-Handling-Denial-Of-Service | CVE-2022-47941 | SMB-TCP_Linux-Kernel-Ksmbd-SMB2_Negotiate-Handling-Denial-Of-Service | Suspected Denial of Service

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Adobe-ColdFusion-CVE-2022-35690-ODBC-Agent-Memory-Corruption | CVE-2022-35690 | Generic_CS-Adobe-ColdFusion-CVE-2022-35690-ODBC-Agent-Memory-Corruption | Suspected Compromise
High | Solarwinds-NPM-BytesToMessage-Insecure-Deserialization | CVE-2022-38108 | Generic_CS-Solarwinds-NPM-BytesToMessage-Insecure-Deserialization | Suspected Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Apache-Fineract-Imagesapiresource-Arbitrary-File-Upload | CVE-2022-44635 | HTTP_CSH-Apache-Fineract-Imagesapiresource-Arbitrary-File-Upload | Suspected Compromise
High | Zabbix-Unsafe-Client-Side-Session-Storage-CVE-2022-23131 | CVE-2022-23131 | HTTP_CSH_Zabbix-Unsafe-Client-Side-Session-Storage-CVE-2022-23131 | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Lansweeper-Helpdeskactions.aspx-Edittemplate-Directory-Traversal | CVE-2022-29517 | HTTP_CRL-Lansweeper-Helpdeskactions.aspx-Edittemplate-Directory-Traversal | Suspected Compromise
High | Solarwinds-NPM-DeserializeFromStrippedXml-Insecure-Deserialization | CVE-2022-36958 | HTTP_CRL-Solarwinds-NPM-DeserializeFromStrippedXml-Insecure-Deserialization | Suspected Compromise
High | GoAnywhere-MFT-Remote-Code-Execution-CVE-2023-0669 | CVE-2023-0669 | HTTP_CRL-GoAnywhere-MFT-Remote-Code-Execution-CVE-2023-0669 | Suspected Compromise

Updated detected attacks:

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | ElasticSearch-Dynamic-Scripting-Code-Execution | CVE-2014-3120 | HTTP_CRL_ElasticSearch-Dynamic-Scripting-Code-Execution | Suspected Compromise | Fingerprint regexp changed
High | ElasticSearch-Search-Groovy-Sandbox-Bypass | CVE-2015-1427 | HTTP_CRL-ElasticSearch-Search-Groovy-Sandbox-Bypass | Suspected Compromise | Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | GoAnywhere MFT
Category | Apache Software Foundation Fineract

Updated objects:

Type Name Changes
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList TOR relay nodes IP Address List
IPList Zscaler IP Address List
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON ap-southeast-1
IPList NordVPN Servers IP Address List
IPList Amazon AMAZON eu-central-1
IPList Google Cloud IP Address List for asia-northeast3
IPList Google Cloud IP Address List for us-south1
Situation HTTP_CSU-Shared-Variables
Situation HTTP_CSH-Shared-Variables
Fingerprint regexp changed
Situation Generic_MSRPC-CA-Products-Message-Engine-RPC-Server-Buffer-Overflow
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware x86 removed
Category tag application Computer Associates Business Protection Suite 2 removed
Category tag application Computer Associates Server Protection Suite 2 removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2006 removed
Category tag os_not_specific Windows not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Suspected Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Arcserve-Backup-Tape-Engine-RPC-GetGroupStatus-BOF
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2006 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Arcserve-Backup-Tape-Engine-RPC-ReserveGroup-BOF
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2006 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Arcserve-Backup-Message-Engine-Buffer-Overflow
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2007 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Arcserve-Backup-Message-Engine-Opcode-117-BOF
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2007 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Arcserve-Backup-Tape-Engine-RPC-Buffer-Overflow
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware x86 removed
Category tag application Computer Associates Business Protection Suite 2 removed
Category tag application Computer Associates Server Protection Suite 2 removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2007 removed
Category tag os_not_specific Windows not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Arcserve-Backup-Tape-Engine-RPC-Call-Memory-Corruption
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Any Operating System removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor ARCserve Backup for Laptops and Desktops removed
Category tag group CVE2007 removed
Category tag os_not_specific Any Operating System not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CS-CA-BrightStor-Backup-Agent-RPC-Server-Connection-Id-Buffer-Overflow
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware x86 removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2007 removed
Category tag os_not_specific Windows not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CS-Shared-Variable-Fingerprints
Fingerprint regexp changed
Situation Generic_CA-BrightStor-Backup-Message-Engine-Opcode-269-Buffer-Overflow
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2007 removed
Category tag os_not_specific Windows not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Backup-Tape-Engine-Message-Vsprintf-Log-Buffer-Overflow
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2007 removed
Category tag os_not_specific Windows not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-BrightStor-Backup-Tape-Engine-Opcode-191-Function-Access
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor removed
Category tag group CVE2007 removed
Category tag os_not_specific Windows not specific removed
Category tag application_not_specific Computer Associates BrightStor not specific removed
Category tag situation Potential Compromise removed
Category tag group TCP Correlation Dependency Group removed
Category tag group Severity over 4 Correlation Dependency Group removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-Arcserve-Backup-Db-Engine-Denial-Of-Service
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor ARCserve Backup for Laptops and Desktops removed
Category tag group CVE2008 removed
Category tag os_not_specific Windows not specific removed
Category tag situation Potential Denial of Service removed
Category tag group TCP Client Traffic removed
Situation Generic_CA-Arcserve-Backup-Tape-Engine-Denial-Of-Service
Description has changed
Attacker: connection_source->none
Victim: connection_destination->none
Category tag situation Obsolete added
Category tag os Windows removed
Category tag hardware Any Hardware removed
Category tag application Computer Associates BrightStor ARCserve Backup for Laptops and Desktops removed
Category tag group CVE2008 removed
Category tag os_not_specific Windows not specific removed
Category tag situation Potential Denial of Service removed
Category tag group TCP Client Traffic removed

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.