Release notes for update package 1605-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:      Thursday June 29, 2023
MD5 CHECKSUM:      fd96b962addfbd95fa82cd51184d247e
SHA1 CHECKSUM:     e9ff767758f24f65fb9c61de17b0a019beb3dbe6
SHA256 CHECKSUM:   84ed10951116421089f30d2077b00c4555f18139c110d890dc4f0b3c3e010b54

UPDATE CRITICALITY:    HIGH
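The three checksums above are the only integrity evidence the release note gives for the package, and they are only useful if the downloaded file is actually compared against them before it is imported. The script below is an added example, not a Forcepoint tool: it hashes a file (or an in-memory blob) once for all three algorithms, compares each digest in constant time, and accepts the package only on a SHA-256 match, treating MD5 and SHA-1 agreement as corroboration rather than proof because both are collision-prone. The stand-in blob in the usage section is constructed for the illustration; the real package is not on this page, so its digests will not match.

```python
import hashlib
import hmac

# Digests published in this release note for update package 1605-5242.
PUBLISHED = {
    "md5": "fd96b962addfbd95fa82cd51184d247e",
    "sha1": "e9ff767758f24f65fb9c61de17b0a019beb3dbe6",
    "sha256": "84ed10951116421089f30d2077b00c4555f18139c110d890dc4f0b3c3e010b54",
}


def compute_digests(source, algorithms=("md5", "sha1", "sha256")):
    """Hash `source` with every algorithm in one pass over the data.

    `source` is either raw bytes or a filesystem path; a file is read in
    1 MiB chunks so a large update package never has to fit in memory.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    if isinstance(source, (bytes, bytearray)):
        chunks = [bytes(source)]
    else:
        def chunks_from_file():
            with open(source, "rb") as fh:
                while True:
                    block = fh.read(1 << 20)
                    if not block:
                        return
                    yield block
        chunks = chunks_from_file()
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_package(source, published):
    """Return (accepted, per_algorithm_match).

    The package is accepted only when the SHA-256 digest matches. MD5 and
    SHA-1 are compared too, so a mismatch there points at a corrupted
    download or a tampered release note, but a match on them alone is never
    sufficient. hmac.compare_digest keeps the comparison constant-time.
    """
    computed = compute_digests(source, tuple(published))
    per_alg = {
        name: hmac.compare_digest(computed[name], published[name].lower())
        for name in published
    }
    return per_alg.get("sha256", False), per_alg


if __name__ == "__main__":
    # Constructed stand-in for the downloaded file; it is not the real package,
    # so every digest is expected to mismatch and the verdict is "rejected".
    stand_in = b"not the real update package"
    accepted, detail = verify_package(stand_in, PUBLISHED)
    print("accepted:", accepted)
    for name, ok in detail.items():
        print(f"  {name:6s} {'match' if ok else 'MISMATCH'}")
```

In practice `verify_package("/path/to/1605-5242.jar", PUBLISHED)` is run on the file as downloaded, before it is uploaded to the Management Server; a SHA-256 mismatch means the file should be discarded and fetched again rather than imported.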

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in OpenEMR Development Team OpenEMR detected | CVE-2023-2947 | Openemr-Admin-Edit_Globals-Application-Title-Stored-XSS
High | An attempt to exploit a vulnerability in Contec CONPROSYS HMI System (CHS) detected | CVE-2023-29154 | Contec-Conprosys-HMI-System-CVE-2023-29154-SQL-Injection
High | An attempt to exploit a vulnerability in JetBrains TeamCity detected | CVE-2023-34229 | JetBrains-TeamCity-Gitlab-Connection-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in SolarWinds Platform detected | CVE-2022-47503 | Solarwinds-Network-Performance-Monitor-CVE-2022-47503-Insecure-Deserialization
High | An attempt to exploit a vulnerability in WordPress Limit Login Attempts Plugin detected | CVE-2023-1861 | Wordpress-Limit-Login-Attempts-Plugin-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in Microsoft Outlook detected | CVE-2023-23397 | Microsoft-Outlook-Elevation-Of-Privilege-Vulnerability-CVE-2023-23397
High | A suspicious TAR archive detected | CVE-2023-2868 | Barracuda-ESG-Archive-Name-Validation-Vulnerability-CVE-2023-2868


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Openemr-Admin-Edit_Globals-Application-Title-Stored-XSS | CVE-2023-2947 | HTTP_CRL-Openemr-Admin-Edit_Globals-Application-Title-Stored-Cross-Site-Scripting-2 | Suspected Compromise

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Solarwinds-Network-Performance-Monitor-CVE-2022-47503-Insecure-Deserialization | CVE-2022-47503 | Generic_CS-Solarwinds-Network-Performance-Monitor-CVE-2022-47503-Insecure-Deserialization | Suspected Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Wordpress-Limit-Login-Attempts-Plugin-Stored-Cross-Site-Scripting | CVE-2023-1861 | HTTP_CSH-Wordpress-Limit-Login-Attempts-Plugin-Stored-Cross-Site-Scripting | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Openemr-Admin-Edit_Globals-Application-Title-Stored-XSS | CVE-2023-2947 | HTTP_CRL-Openemr-Admin-Edit_Globals-Application-Title-Stored-Cross-Site-Scripting | Suspected Compromise
High | JetBrains-TeamCity-Gitlab-Connection-Stored-Cross-Site-Scripting | CVE-2023-34229 | HTTP_CRL-JetBrains-TeamCity-Gitlab-Connection-Stored-Cross-Site-Scripting | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Contec-Conprosys-HMI-System-CVE-2023-29154-SQL-Injection | CVE-2023-29154 | File-Text_Contec-Conprosys-HMI-System-CVE-2023-29154-SQL-Injection | Suspected Compromise

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Outlook-Elevation-Of-Privilege-Vulnerability-CVE-2023-23397 | CVE-2023-23397 | File-Binary_Microsoft-Outlook-Elevation-Of-Privilege-Vulnerability-CVE-2023-23397-2 | Potential Compromise
High | Barracuda-ESG-Archive-Name-Validation-Vulnerability-CVE-2023-2868 | CVE-2023-2868 | File-Binary_Suspicious-Long-Name-In-Gnu-Tar-Archive | Suspected Compromise
High | Barracuda-ESG-Archive-Name-Validation-Vulnerability-CVE-2023-2868 | CVE-2023-2868 | File-Binary_Path-Traversal-Via-Tar-Archive | Suspected Compromise
High | Barracuda-ESG-Archive-Name-Validation-Vulnerability-CVE-2023-2868 | CVE-2023-2868 | File-Binary_Suspicious-Link-Name-In-Tar-Archive | Suspected Compromise
High | Barracuda-ESG-Archive-Name-Validation-Vulnerability-CVE-2023-2868 | CVE-2023-2868 | File-Binary_Suspicious-File-Name-In-Tar-Archive | Suspected Compromise
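The four Barracuda ESG fingerprints above do not match on the product at all; they match on properties of the TAR archive in transit, which is why the summary table describes each of them as "A suspicious TAR archive detected": a GNU long-name extension header, path traversal in a member path, a suspicious link target, and a suspicious file name, the kind of name validation flaw CVE-2023-2868 is named for. The script below is an added example, not Forcepoint's fingerprint regexps or Barracuda's code. It walks raw 512-byte tar headers, including the GNU 'L' and 'K' long-name extension entries, and applies one heuristic per fingerprint name to a constructed archive. The shell-metacharacter class, the four label strings and the sample member names are assumptions chosen for the illustration.

```python
import io
import re
import tarfile
from dataclasses import dataclass

BLOCK = 512
# Characters a shell would interpret if a member name were ever interpolated
# into a command line. Heuristic chosen for this example, not the vendor's regexp.
SHELL_META = re.compile(r"[`$;|&<>(){}\\'\"\n]")


@dataclass
class Member:
    name: str
    typeflag: bytes
    linkname: str
    long_name: bool  # name or linkname arrived via a GNU 'L'/'K' extension header


def _field(hdr, start, end):
    """Decode a NUL-terminated text field from a tar header."""
    return hdr[start:end].split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_members(data):
    """Walk raw tar headers (ustar/GNU layout) and yield one Member per entry."""
    off, pending_name, pending_link = 0, None, None
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:                 # end-of-archive marker
            break
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        typeflag = hdr[156:157]
        body = data[off + BLOCK: off + BLOCK + size]
        off += BLOCK + (-(-size // BLOCK)) * BLOCK  # data is padded to 512 bytes
        if typeflag == b"L":                      # GNU long name: real name is in the body
            pending_name = body.rstrip(b"\0").decode("utf-8", "replace")
            continue
        if typeflag == b"K":                      # GNU long link name, same mechanism
            pending_link = body.rstrip(b"\0").decode("utf-8", "replace")
            continue
        yield Member(
            name=pending_name or _field(hdr, 0, 100),
            typeflag=typeflag,
            linkname=pending_link or _field(hdr, 157, 257),
            long_name=pending_name is not None or pending_link is not None,
        )
        pending_name = pending_link = None


def is_traversal(path):
    """Absolute path or a '..' segment: extraction could land outside the target dir."""
    return path.startswith("/") or ".." in path.split("/")


def classify(m):
    """Map one member to the finding kinds the four fingerprints above are named for."""
    labels = set()
    if m.long_name:
        labels.add("long-name")
    if is_traversal(m.name):
        labels.add("path-traversal")
    if SHELL_META.search(m.name):
        labels.add("file-name")
    if m.linkname and (is_traversal(m.linkname) or SHELL_META.search(m.linkname)):
        labels.add("link-name")
    return labels


def inspect_tar(data):
    """Return [(member name, sorted labels)] for every member that trips a check."""
    out = []
    for m in parse_members(data):
        labels = classify(m)
        if labels:
            out.append((m.name, sorted(labels)))
    return out


def build_sample_archive():
    """Constructed test archive: one benign member plus one member per check."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        def add_file(name, content=b"x"):
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            tar.addfile(ti, io.BytesIO(content))
        add_file("report.txt", b"quarterly figures")
        add_file("../../etc/cron.d/evil", b"* * * * * root /tmp/x")
        add_file("invoice$(id).pdf")
        add_file("a" * 120 + ".txt")              # >100 bytes forces a GNU 'L' header
        link = tarfile.TarInfo("current")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, labels in inspect_tar(build_sample_archive()):
        print(f"{name!r}: {', '.join(labels)}")
```

The parser deliberately reads the header bytes itself instead of relying on `tarfile`'s member list, because a detection engine sees the archive as an octet stream and must make its decision from the headers alone; `tarfile` is used only to build the sample. The long-name check fires on the mere presence of an 'L' extension header, which is legitimate in many archives, so in a real deployment that label is a weaker signal than the other three and is best correlated with them rather than acted on alone.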

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Pimcore-Searchcontroller.PHP-SQL-Injection | CVE-2023-1578 | HTTP_CS-Pimcore-Searchcontroller.PHP-SQL-Injection | Suspected Compromise | Fingerprint regexp changed

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Solarwinds-Network-Performance-Monitor-Sqlfilescript-Insecure-Deserialization | CVE-2022-47504 | Generic_CS-Solarwinds-Network-Performance-Monitor-Sqlfilescript-Insecure-Deserialization | Suspected Compromise | Fingerprint regexp changed

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Progress-MOVEit-Transfer-Silcerttouser-SQL-Injection | CVE-2023-35036 | HTTP_CSH-Progress-MOVEit-Transfer-Silcerttouser-SQL-Injection | Suspected Compromise | Description has changed

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Remote-Code-Execution-Via-Cpio-In-Zimbra-Collaboration-Suite-CVE-2022-41352 | CVE-2022-41352 | File-Binary_Remote-Code-Execution-Via-Cpio-In-Zimbra-Collaboration-Suite-CVE-2022-41352 | Suspected Compromise | Fingerprint regexp changed
High | Microsoft-Outlook-Elevation-Of-Privilege-Vulnerability-CVE-2023-23397 | CVE-2023-23397 | File-Binary_Microsoft-Outlook-Elevation-Of-Privilege-Vulnerability-CVE-2023-23397 | Suspected Compromise | Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Barracuda Email Security Gateway

Updated objects:

Type Name Changes
IPList Iraq
IPList Iran
IPList Uganda
IPList Seychelles
IPList United Arab Emirates
IPList Israel
IPList Turkey
IPList Greece
IPList Estonia
IPList Latvia
IPList Lithuania
IPList Moldova
IPList Finland
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Poland
IPList Romania
IPList Kosovo
IPList Réunion
IPList South Africa
IPList Bangladesh
IPList India
IPList Maldives
IPList Myanmar
IPList Uzbekistan
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Brunei
IPList South Korea
IPList Japan
IPList Singapore
IPList Russia
IPList Australia
IPList New Zealand
IPList Congo Republic
IPList Portugal
IPList Spain
IPList Morocco
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList France
IPList Liechtenstein
IPList Slovakia
IPList Czechia
IPList Norway
IPList Vatican City
IPList Italy
IPList Croatia
IPList Bosnia and Herzegovina
IPList Greenland
IPList Brazil
IPList Dominican Republic
IPList St Vincent and Grenadines
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Argentina
IPList Peru
IPList Mexico
IPList Puerto Rico
IPList Canada
IPList United States
IPList Palestine
IPList Serbia
IPList Antarctica
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon EC2
IPList Akamai Servers
IPList TOR relay nodes IP Address List
IPList Zscaler IP Address List
IPList Amazon WORKSPACES_GATEWAYS
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON ap-southeast-1
IPList NordVPN Servers IP Address List
IPList Amazon AMAZON ca-central-1
IPList Amazon EC2 ca-central-1
IPList Amazon AMAZON cn-north-1
IPList Amazon AMAZON cn-northwest-1
IPList Amazon WORKSPACES_GATEWAYS cn-northwest-1
IPList Amazon AMAZON eu-west-1
IPList Amazon AMAZON us-east-1
IPList Amazon EC2 us-east-1
IPList Amazon AMAZON us-east-2
IPList Google Cloud IP Address List for europe-west9
IPList Google Cloud IP Address List for northamerica-northeast1
Situation HTTP_CSU-Shared-Variables
Situation HTTP_CSH-Shared-Variables
    Fingerprint regexp changed
Situation File-Binary_Cisco-Prime-Infrastructure-And-Epnm-Uploadservlet-Tar-Directory-Traversal
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Cisco Systems Evolved Programmable Network Manager removed
    Category tag group CVE2019 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_Pear-Archive-Tar-Phar-Protocol-Handling-Deserialization-Code-Execution
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Drupal removed
    Category tag application PEAR Archive_Tar removed
    Category tag group CVE2020 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_Pear-Archive-Tar-File-Protocol-Handling-Arbitrary-File-Overwrite
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Drupal removed
    Category tag application PEAR Archive_Tar removed
    Category tag group CVE2020 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_Pear-Archive-Tar-Symbolic-Link-Handling-Arbitrary-File-Overwrite
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application Drupal removed
    Category tag application PEAR Archive_Tar removed
    Category tag group CVE2020 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_VMware-Vcenter-Server-Remote-Code-Execution-CVE-2021-21972
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application VMware Cloud Foundation removed
    Category tag application VMware vCenter Server removed
    Category tag group CVE2021 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_Pear-Archive-Tar-CVE-2021-32610-Symbolic-Link-Handling-Arbitrary-File-Write
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PEAR Archive_Tar removed
    Category tag group CVE2021 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_OpenSSL-C_rehash-Script-CVE-2022-2068-Command-Injection-Vulnerability
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application OpenSSL removed
    Category tag group CVE2022 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_VMware-Vrealize-Log-Insight-Directory-Traversal-Vulnerability-CVE-2022-31706
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application VMware vRealize Log Insight removed
    Category tag group CVE2022 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Suspected Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed
Situation File-Binary_Winace-Rar-And-Tar-Directory-Traversal-Vulnerability
    Description has changed
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application WinAce removed
    Category tag group CVE2006 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group Severity over 4 Correlation Dependency Group removed

DISCLAIMER AND COPYRIGHT

Copyright © 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.