Release notes for update package 1676-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Wednesday January 17, 2024
MD5 CHECKSUM:     d27720be7529c6c64138c9bbf98993f3
SHA1 CHECKSUM:     c636c627ad7cc84648241bc722161395a8a695dd
SHA256 CHECKSUM:     8fc6326da6323dc45b82f0eb55b23384929ad079160517b2d622063337115bb5

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in SonicWall detected     CVE-2023-0656     SonicWall-Stack-Buffer-Overflow-CVE-2023-0656
High     An attempt to exploit a vulnerability in SonicWall detected     CVE-2022-22274     SonicWall-Stack-Buffer-Overflow-CVE-2022-22274
High     An attempt to exploit a vulnerability in Ivanti Connect Secure detected     CVE-2023-46805     Ivanti-Connect-Secure-Authentication-Bypass-CVE-2023-46805
High     An attempt to exploit a vulnerability in Ivanti Connect Secure detected     CVE-2024-21887     Ivanti-Connect-Secure-Command-Injection-CVE-2024-21887
High     An attempt to exploit a vulnerability in Mirth Connect detected     CVE-2023-43208     Mirth-Connect-Remote-Code-Execution-CVE-2023-43208
High     An attempt to exploit a vulnerability in Ivanti Connect Secure detected     CVE-2024-21887     Ivanti-Connect-Secure-Command-Injection-CVE-2024-21887
High     An attempt to exploit a vulnerability in Ivanti Avalanche detected     CVE-2023-46262     Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection
High     An attempt to exploit a vulnerability in Ivanti Avalanche detected     CVE-2023-46262     Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection
High     An attempt to exploit a vulnerability in Ivanti Avalanche detected     CVE-2023-46262     Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection
High     An attempt to exploit a vulnerability in Mirth Connect detected     CVE-2023-43208     Mirth-Connect-Remote-Code-Execution-CVE-2023-43208


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     SonicWall-Stack-Buffer-Overflow-CVE-2023-0656     CVE-2023-0656     HTTP_CS-SonicWall-Stack-Buffer-Overflow-CVE-2023-0656     Suspected Compromise
High     SonicWall-Stack-Buffer-Overflow-CVE-2022-22274     CVE-2022-22274     HTTP_CS-SonicWall-Stack-Buffer-Overflow-CVE-2022-22274     Suspected Compromise

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Ivanti-Connect-Secure-Authentication-Bypass-CVE-2023-46805     CVE-2023-46805     HTTP_CSU-Ivanti-Connect-Secure-Authentication-Bypass-CVE-2023-46805     Suspected Compromise
High     Ivanti-Connect-Secure-Command-Injection-CVE-2024-21887     CVE-2024-21887     HTTP_CSU-Ivanti-Connect-Secure-Command-Injection-CVE-2024-21887     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection     CVE-2023-46262     HTTP_CRL-Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection-Server-Side-Request-Forgery     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Mirth-Connect-Remote-Code-Execution-CVE-2023-43208     CVE-2023-43208     File-Text_Mirth-Connect-Remote-Code-Execution-CVE-2023-43208     Suspected Compromise
High     Ivanti-Connect-Secure-Command-Injection-CVE-2024-21887     CVE-2024-21887     File-Text_Ivanti-Connect-Secure-Command-Injection-CVE-2024-21887     Suspected Compromise

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Mirth-Connect-Remote-Code-Execution-CVE-2023-43208     CVE-2023-43208     File-TextId_Mirth-Connect-Remote-Code-Execution-CVE-2023-43208     Suspected Compromise

ARCserve Backup Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection     CVE-2023-46262     ARCserve_CS-Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection-Server-Side-Request-Forgery     Suspected Compromise
High     Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection     CVE-2023-46262     ARCserve_CS-Potential-Ivanti-Avalanche-Remote-Control-Server-Validateamcwsconnection-Server-Side-Request-Forgery     Potential Compromise

Updated detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Xstream-Library-Insecure-Deserialization     CVE-2021-39144     HTTP_CS_Xstream-Library-Insecure-Xml-Deserialization-CVE-2021-39144     Suspected Compromise     Description has changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Xstream-Unsafe-Deserialization     No CVE/CAN     File-Text_Xstream-Unsafe-Deserialization     Potential Compromise     Detection mechanism updated

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Xstream-Unsafe-Deserialization     No CVE/CAN     File-TextId_Xstream-Unsafe-Deserialization     Potential Compromise     Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type     Name
Category     Ivanti Connect Secure
Category     Mirth Connect
Category     CVE2024
Application     Sentry.io
Situation     URLList 3211303

Updated objects:

Type     Name     Changes
Situation     URL_List-DNS-Over-HTTPS     Detection mechanism updated
IPList     Saudi Arabia
IPList     Iran
IPList     Cyprus
IPList     Kenya
IPList     Seychelles
IPList     Lebanon
IPList     Kuwait
IPList     United Arab Emirates
IPList     Israel
IPList     Türkiye
IPList     Ethiopia
IPList     Greece
IPList     Estonia
IPList     Latvia
IPList     Lithuania
IPList     Georgia
IPList     Moldova
IPList     Finland
IPList     Ukraine
IPList     Hungary
IPList     Bulgaria
IPList     Albania
IPList     Poland
IPList     Romania
IPList     Réunion
IPList     South Africa
IPList     Mozambique
IPList     Pakistan
IPList     Bangladesh
IPList     Tajikistan
IPList     Sri Lanka
IPList     Bhutan
IPList     India
IPList     Nepal
IPList     Kazakhstan
IPList     Vietnam
IPList     Thailand
IPList     Indonesia
IPList     Taiwan
IPList     Philippines
IPList     Malaysia
IPList     China
IPList     Hong Kong
IPList     Cambodia
IPList     South Korea
IPList     Japan
IPList     Singapore
IPList     Russia
IPList     Australia
IPList     New Zealand
IPList     Portugal
IPList     Liberia
IPList     Ivory Coast
IPList     Nigeria
IPList     Sierra Leone
IPList     Gibraltar
IPList     Spain
IPList     Malta
IPList     Denmark
IPList     Iceland
IPList     United Kingdom
IPList     Switzerland
IPList     Sweden
IPList     The Netherlands
IPList     Austria
IPList     Belgium
IPList     Germany
IPList     Luxembourg
IPList     Ireland
IPList     France
IPList     Liechtenstein
IPList     Jersey
IPList     Slovakia
IPList     Czechia
IPList     Norway
IPList     Italy
IPList     Slovenia
IPList     Montenegro
IPList     Croatia
IPList     Paraguay
IPList     Brazil
IPList     Jamaica
IPList     Dominican Republic
IPList     Bahamas
IPList     St Kitts and Nevis
IPList     Dominica
IPList     Antigua and Barbuda
IPList     Saint Lucia
IPList     British Virgin Islands
IPList     St Vincent and Grenadines
IPList     Cayman Islands
IPList     Belize
IPList     El Salvador
IPList     Costa Rica
IPList     Venezuela
IPList     Colombia
IPList     Argentina
IPList     Chile
IPList     Peru
IPList     Mexico
IPList     Canada
IPList     United States
IPList     Serbia
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Amazon CLOUDFRONT
IPList     TOR relay nodes IP Address List
IPList     Netflix Servers
IPList     Microsoft Azure datacenter
IPList     Botnet IP Address List
IPList     Malicious Site IP Address List
IPList     Amazon CLOUDFRONT eu-central-1
IPList     Amazon AMAZON eu-west-2
IPList     Amazon AMAZON sa-east-1
IPList     Forcepoint Drop IP Address List
Situation     HTTP_CSU-Shared-Variables
Application     Google-Analytics
Application     Google
Application     Google-Orkut
Application     Amazon
Application     Netflix
Application     Hbo
Application     TOR
Application     DNS-Over-HTTPS
Application     Spotify

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.