Release notes for update package 1602-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Tuesday June 20, 2023
MD5 CHECKSUM:     4640219b9a6edaa4eb9bc180fd9f7d70
SHA1 CHECKSUM:     d676ea7f610e3827009907c7dd24d10acbee85ed
SHA256 CHECKSUM:     495c5c69a178da1836e049d904e7885fbfccce4512a638227a087309d8d39ee4

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level: High
Description: An attempt to exploit a vulnerability in VMware Aria Operations for Networks detected
Reference: CVE-2023-20887
Vulnerability: VMware-Aria-Operations-For-Networks-Command-Injection-CVE-2023-20887

Risk level: High
Description: An attempt to exploit a vulnerability in Progress Software MOVEit Transfer detected
Reference: CVE-2023-35036
Vulnerability: Progress-MOVEit-Transfer-Silcerttouser-SQL-Injection

DETECTED ATTACKS

New detected attacks:

HTTP Request Header Line

Risk: High
Vulnerability/Situation: Progress-MOVEit-Transfer-Silcerttouser-SQL-Injection
References: CVE-2023-35036
Related Fingerprint: HTTP_CSH-Progress-MOVEit-Transfer-Silcerttouser-SQL-Injection
Situation Type: Suspected Compromise

HTTP Normalized Request-Line

Risk: High
Vulnerability/Situation: VMware-Aria-Operations-For-Networks-Command-Injection-CVE-2023-20887
References: CVE-2023-20887
Related Fingerprint: HTTP_CRL-VMware-Aria-Operations-For-Networks-Command-Injection-CVE-2023-20887
Situation Type: Suspected Compromise

Updated detected attacks:

TCP Client Stream Unknown

Risk: High
Vulnerability/Situation: Windows-Network-File-System-Remote-Code-Execution-Vulnerability-CVE-2023-24941
References: CVE-2023-24941
Related Fingerprint: Generic_CS-Windows-Network-File-System-Remote-Code-Execution-Vulnerability-CVE-2023-24941
Situation Type: Suspected Compromise
Change Description: Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type Name
Category VMware Aria Operations for Networks
Situation FW_Probe
Application LinkedIn CDN
Application LinkedIn Learning
Element Ref Application dependency from LinkedIn to LinkedIn CDN
Element Ref Application dependency from LinkedIn Learning to LinkedIn CDN

Updated objects:

Type Name Changes
IPList Yemen
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Syria
IPList Armenia
IPList Kenya
IPList DR Congo
IPList Seychelles
IPList Jordan
IPList Lebanon
IPList Kuwait
IPList Oman
IPList Qatar
IPList Bahrain
IPList United Arab Emirates
IPList Israel
IPList Turkey
IPList Ethiopia
IPList Egypt
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Georgia
IPList Moldova
IPList Belarus
IPList Finland
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Mauritius
IPList South Africa
IPList Pakistan
IPList Bangladesh
IPList Sri Lanka
IPList Bhutan
IPList India
IPList Maldives
IPList Nepal
IPList Myanmar
IPList Uzbekistan
IPList Kazakhstan
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Laos
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Brunei
IPList Macao
IPList Cambodia
IPList South Korea
IPList Japan
IPList North Korea
IPList Singapore
IPList Timor-Leste
IPList Russia
IPList Mongolia
IPList Australia
IPList Papua New Guinea
IPList New Zealand
IPList Fiji
IPList Portugal
IPList Liberia
IPList Ivory Coast
IPList Ghana
IPList Nigeria
IPList Gibraltar
IPList Tunisia
IPList Spain
IPList Morocco
IPList Malta
IPList Algeria
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList Monaco
IPList France
IPList Andorra
IPList Liechtenstein
IPList Jersey
IPList Slovakia
IPList Czechia
IPList Norway
IPList San Marino
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Bosnia and Herzegovina
IPList Angola
IPList Barbados
IPList Guyana
IPList French Guiana
IPList Suriname
IPList Greenland
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Jamaica
IPList Dominican Republic
IPList Bahamas
IPList Bermuda
IPList Anguilla
IPList Trinidad and Tobago
IPList St Kitts and Nevis
IPList Aruba
IPList British Virgin Islands
IPList Cayman Islands
IPList Belize
IPList El Salvador
IPList Guatemala
IPList Honduras
IPList Nicaragua
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Haiti
IPList Argentina
IPList Chile
IPList Bolivia
IPList Peru
IPList Mexico
IPList French Polynesia
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList Canada
IPList United States
IPList Serbia
IPList Antarctica
IPList Curaçao
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon EC2
IPList Facebook Servers
IPList TOR relay nodes IP Address List
IPList Amazon GLOBALACCELERATOR
IPList Amazon AMAZON ap-east-1
IPList Amazon AMAZON ap-south-2
IPList Amazon EC2 ap-south-2
IPList Amazon AMAZON ap-northeast-1
IPList Amazon AMAZON eu-south-2
IPList Amazon AMAZON eu-central-2
IPList Amazon AMAZON il-central-1
IPList Amazon AMAZON ap-northeast-2
IPList Amazon AMAZON ap-northeast-3
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon GLOBALACCELERATOR ap-northeast-3
IPList Amazon AMAZON ap-southeast-1
IPList NordVPN Servers IP Address List
IPList Amazon AMAZON ap-southeast-2
IPList Amazon AMAZON ca-central-1
IPList Amazon AMAZON cn-north-1
IPList Amazon AMAZON eu-central-1
IPList Amazon AMAZON eu-north-1
IPList Amazon AMAZON eu-west-1
IPList Amazon AMAZON eu-west-2
IPList Amazon AMAZON sa-east-1
IPList Amazon AMAZON us-east-1
IPList Amazon EC2 us-east-1
IPList Amazon AMAZON us-west-1
IPList Amazon AMAZON eu-south-1
IPList Amazon AMAZON ap-southeast-3
IPList Amazon EC2 ap-southeast-3
IPList Amazon AMAZON ap-southeast-4
Situation HTTP_CSU-InterScan-VirusWall-Ftpsave-DLL-Access
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows NT removed
    Category tag hardware Any Hardware removed
    Category tag application InterScan VirusWall removed
    Category tag group CVE2001 removed
    Category tag os_not_specific Windows NT not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-InterScan-VirusWall-Ftpsavecsp-DLL-Access
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows NT removed
    Category tag hardware Any Hardware removed
    Category tag application InterScan VirusWall removed
    Category tag group CVE2001 removed
    Category tag os_not_specific Windows NT not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-InterScan-VirusWall-Ftpsavecvp-DLL-Access
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows NT removed
    Category tag hardware Any Hardware removed
    Category tag application InterScan VirusWall removed
    Category tag group CVE2001 removed
    Category tag os_not_specific Windows NT not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-IIS-Showcode-Sample
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 4.0 removed
    Category tag group MS1999 removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Disclosure removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-IIS-Msdac-DLL
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 4.0 removed
    Category tag application IIS 3.0 removed
    Category tag group MS1998 removed
    Category tag group MS1999 removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-InterScan-VirusWall-Directory-Traversal
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application InterScan VirusWall removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-Oracle-HTTP-Application-Server-10g-Emagent.exe-Stack-Buffer-Overflow
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Oracle Application Server 10g removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-Shared-Variables
Situation HTTP_CSU-NetCode-Book-Cgi
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application NetCode NC Book removed
    Category tag group CVE2001 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-Microsoft-IIS-Ism.dll-File-Disclosure
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 4.0 removed
    Category tag group MS2000 removed
    Category tag group CVE2000 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Disclosure removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-IIS3-Newdsn.exe-Access
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 3.0 removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-IIS-Htr-Buffer-Overflow-2
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 4.0 removed
    Category tag group MS1999 removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-IIS-ShellCode-Htr-Buffer-Overflow
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 4.0 removed
    Category tag group MS1999 removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-IIS-Active-Data-Streams-Source-Code-Disclosure
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 4.0 removed
    Category tag application IIS 1.0 removed
    Category tag application IIS 2.0 removed
    Category tag application IIS 3.0 removed
    Category tag group MS1998 removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Disclosure removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-Arbitroweb-Rawurl-Cross-Site
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Arbitroweb removed
    Category tag group CVE2004 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-IIS-Bat-Remote-Command-Execution
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 1.0 removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-Bdir-Htr-Information-Disclosure
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application IIS 4.0 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Disclosure removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-Imall-Commerce-Script-System-Compromise
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application I-Mall Commerce removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation HTTP_CSU-MS-Office-Xp-Url-BOF-MS05-005
    Description has changed
    Attacker: connection_destination->none
    Victim: connection_source->none
    Category tag situation Obsolete added
    Category tag os Windows removed
    Category tag hardware Any Hardware removed
    Category tag application Microsoft Office XP removed
    Category tag group MS2005-02 removed
    Category tag group CVE2004 removed
    Category tag os_not_specific Windows not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Application QUIC
    Application detection context content changed

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.