Release notes for update package 1716-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Wednesday April 17, 2024
MD5 CHECKSUM:     120cf0a2393d8e907fac8e8066ec6bee
SHA1 CHECKSUM:    85dae41b952764388fdbbb1eae61a732f3a7259e
SHA256 CHECKSUM:  f237835940671eab310ae6934d250fc475d89db152ac8eabb5bb96a66a938fc4

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in libspf2 detected | CVE-2023-42118 | Libspf2-Macro-Expansion-Integer-Underflow
High | An attempt to exploit a vulnerability in Grav Grav CMS detected | CVE-2024-27921 | Grav-CMS-Page-Media-Upload-Directory-Traversal
High | An attempt to exploit a vulnerability in WordPress Project WP Statistics detected | CVE-2024-2194 | Wordpress-Wp-Statistics-Plugin-Gettop-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in Wireshark detected | CVE-2023-6175 | Wireshark-Netscreen-Dissector-Heap-Based-Buffer-Overflow
High | A potentially malicious Python script detected | No CVE/CAN | Python-Script-With-Base64-Obfuscation-Pattern
High | An attempt to exploit a vulnerability in WordPress Project WP Statistics detected | CVE-2024-2194 | Wordpress-Wp-Statistics-Plugin-Gettop-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in JetBrains TeamCity detected | CVE-2024-31138 | JetBrains-TeamCity-Agent-Distribution-CVE-2024-31138-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in Open Web Analytics detected | CVE-2022-24637 | Open-Web-Analytics-Remote-Code-Execution
High | An attempt to exploit a vulnerability in GlobalProtect detected | CVE-2024-3400 | PAN-OS-GlobalProtect-Command-Injection-CVE-2024-3400
High | An attempt to exploit a vulnerability in Wireshark detected | CVE-2023-6175 | Wireshark-Netscreen-Dissector-Heap-Based-Buffer-Overflow


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Grav-CMS-Page-Media-Upload-Directory-Traversal | CVE-2024-27921 | HTTP_CS-Grav-CMS-Page-Media-Upload-Directory-Traversal | Suspected Compromise

DNS UDP Server Message

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Libspf2-Macro-Expansion-Integer-Underflow | CVE-2023-42118 | DNS-UDP_Libspf2-Macro-Expansion-Integer-Underflow | Potential Compromise

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Wordpress-Wp-Statistics-Plugin-Gettop-Stored-Cross-Site-Scripting | CVE-2024-2194 | HTTP_CSU--Wordpress-Wp-Statistics-Plugin-Gettop-Stored-Cross-Site-Scripting | Potential Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | PAN-OS-GlobalProtect-Command-Injection-CVE-2024-3400 | CVE-2024-3400 | HTTP_CSH-Directory-Traversal-In-Session-Id-Cookie | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Wordpress-Wp-Statistics-Plugin-Gettop-Stored-Cross-Site-Scripting | CVE-2024-2194 | HTTP_CRL-Wordpress-Wp-Statistics-Plugin-Gettop-Stored-Cross-Site-Scripting | Potential Compromise
High | JetBrains-TeamCity-Agent-Distribution-CVE-2024-31138-Stored-Cross-Site-Scripting | CVE-2024-31138 | HTTP_CRL-JetBrains-TeamCity-Agent-Distribution-CVE-2024-31138-Stored-XSS | Suspected Compromise
High | Open-Web-Analytics-Remote-Code-Execution | CVE-2022-24637 | HTTP_CRL-Open-Web-Analytics-Remote-Code-Execution | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Wireshark-Netscreen-Dissector-Heap-Based-Buffer-Overflow | CVE-2023-6175 | File-Text_Wireshark-Netscreen-Dissector-Heap-Based-Buffer-Overflow | Suspected Compromise
High | Python-Script-With-Base64-Obfuscation-Pattern | No CVE/CAN | File-Text_Python-Script-With-Base64-Obfuscation-Pattern | Potential Compromise

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Wireshark-Netscreen-Dissector-Heap-Based-Buffer-Overflow | CVE-2023-6175 | File-Binary_Wireshark-Netscreen-Dissector-Heap-Based-Buffer-Overflow | Suspected Compromise

Updated detected attacks:

UDP Packet Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | OpenVPN-P_Control-Denial-Of-Service | CVE-2017-7478 | Generic_UDP-OpenVPN-P_Control-Denial-Of-Service | Suspected Compromise | Detection mechanism updated

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Inductive-Automation-Ignition-Authenticatedpage-Authentication-Bypass | CVE-2022-35869 | HTTP_CS-Inductive-Automation-Ignition-Authenticatedpage-Authentication-Bypass | Potential Compromise | Detection mechanism updated

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Lucee-Authenticated-Scheduled-Job-Code-Execution | No CVE/CAN | HTTP_CRL-Lucee-Authenticated-Scheduled-Job-Code-Execution | Suspected Compromise | Name: HTTP_CS-Lucee-Authenticated-Scheduled-Job-Code-Execution -> HTTP_CRL-Lucee-Authenticated-Scheduled-Job-Code-Execution; Category tag group TCP Correlation Dependency Group removed; Context has changed from HTTP Client Stream to HTTP Normalized Request-Line

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Grav CMS
Category | Open Web Analytics
Application | AtData

Updated objects:

Type Name (changes, where listed, are indented under the object)
Situation URL_List-DNS-Over-HTTPS
    Detection mechanism updated
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Tanzania
IPList Armenia
IPList Kenya
IPList Seychelles
IPList Jordan
IPList Lebanon
IPList Kuwait
IPList Qatar
IPList United Arab Emirates
IPList Israel
IPList Türkiye
IPList Greece
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Svalbard and Jan Mayen
IPList Moldova
IPList Belarus
IPList Finland
IPList Ukraine
IPList Hungary
IPList Bulgaria
IPList Poland
IPList Romania
IPList South Africa
IPList Pakistan
IPList Tajikistan
IPList India
IPList Uzbekistan
IPList Kazakhstan
IPList Kyrgyzstan
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Macao
IPList Cambodia
IPList South Korea
IPList Japan
IPList North Korea
IPList Singapore
IPList Russia
IPList Australia
IPList New Zealand
IPList Cameroon
IPList Portugal
IPList Nigeria
IPList Spain
IPList Malta
IPList Denmark
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList The Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList France
IPList Liechtenstein
IPList Czechia
IPList Norway
IPList Italy
IPList Greenland
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Jamaica
IPList Dominican Republic
IPList Guatemala
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Argentina
IPList Chile
IPList Peru
IPList Mexico
IPList Puerto Rico
IPList Canada
IPList United States
IPList Serbia
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon EC2
IPList TOR relay nodes IP Address List
IPList Amazon AMAZON ap-northeast-1
IPList Amazon EC2 ap-northeast-1
IPList Amazon AMAZON ap-northeast-2
IPList Amazon EC2 ap-northeast-2
IPList Amazon AMAZON ap-northeast-3
IPList Amazon EC2 ap-northeast-3
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON ap-south-1
IPList Amazon EC2 ap-south-1
IPList Amazon AMAZON ap-southeast-1
IPList Amazon EC2 ap-southeast-1
IPList NordVPN Servers IP Address List
IPList Amazon AMAZON ap-southeast-2
IPList Amazon EC2 ap-southeast-2
IPList Amazon AMAZON ca-central-1
IPList Amazon EC2 ca-central-1
IPList Amazon AMAZON eu-central-1
IPList Amazon EC2 eu-central-1
IPList Amazon AMAZON eu-north-1
IPList Amazon EC2 eu-north-1
IPList Amazon AMAZON eu-west-1
IPList Amazon EC2 eu-west-1
IPList Amazon AMAZON eu-west-2
IPList Amazon EC2 eu-west-2
IPList Amazon AMAZON eu-west-3
IPList Amazon EC2 eu-west-3
IPList Amazon AMAZON sa-east-1
IPList Amazon EC2 sa-east-1
IPList Amazon AMAZON us-east-1
IPList Forcepoint Drop IP Address List
IPList Forcepoint Extended Drop IP Address List
IPList Amazon AMAZON us-west-1
IPList Amazon EC2 us-west-1
IPList Amazon AMAZON us-west-2
IPList Amazon EC2 us-west-2
Situation HTTP_CSH-Directory-Traversal-In-Cookie-Header
    Fingerprint regexp changed
Application AnyDesk
    Application detection context content changed
    Application Port "tcp/6568 tls: free" added
Application TOR
Application DNS-Over-HTTPS
Application NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.