Release notes for update package 1725-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Monday May 13, 2024
MD5 CHECKSUM:     074c876f4269be3ac522bdae5331f6c8
SHA1 CHECKSUM:     b0c45e243eeca3d2ab0dfee1e64a36e2a0d53b52
SHA256 CHECKSUM:     b024fdebf45e2f25a14ac8915f556bb46e566feafac364e38a4f770d83c65520


UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in ISC BIND detected     CVE-2023-50387     Multiple-Vendors-DNS-DNSSEC-Response-Handling-Denial-Of-Service
High     An attempt to exploit a vulnerability in WordPress WPvivid Backup Plugin detected     CVE-2024-3054     Wordpress-Wpvivid-Backup-Plugin-Phar-Insecure-Deserialization
High     An attempt to exploit a vulnerability in H2 Database detected     No CVE/CAN     H2-Web-Interface-Create-Alias-RCE
High     An attempt to exploit a vulnerability in XWiki.org XWiki detected     CVE-2024-31984     Xwiki.org-Xwiki-Solr-Space-Facet-Code-Injection
High     An attempt to exploit a vulnerability in Delta Electronics DIAEnergie detected     CVE-2024-28891     Delta-Industrial-Automation-Diaenergie-SQL-Injection-CVE-2024-28891
High     An attempt to exploit a vulnerability in GlobalProtect detected     CVE-2024-3400     PAN-OS-GlobalProtect-Command-Injection-CVE-2024-3400
Low     An attempt to exploit a vulnerability in ISC BIND detected     CVE-2023-50387     Multiple-Vendors-DNS-DNSSEC-Response-Handling-Denial-Of-Service


DETECTED ATTACKS

New detected attacks:

DNS TCP Server Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Low     Multiple-Vendors-DNS-DNSSEC-Response-Handling-Denial-Of-Service     CVE-2023-50387     DNS-TCP_Multiple-Vendors-DNS-DNSSEC-Response-Handling-Possible-Denial-Of-Service     Potential Denial of Service
High     Multiple-Vendors-DNS-DNSSEC-Response-Handling-Denial-Of-Service     CVE-2023-50387     DNS-TCP_Multiple-Vendors-DNS-DNSSEC-Response-Handling-Denial-Of-Service     Suspected Denial of Service

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     PAN-OS-GlobalProtect-Command-Injection-CVE-2024-3400     CVE-2024-3400     HTTP_CSH-PAN-OS-GlobalProtect-Command-Injection-CVE-2024-3400     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Wordpress-Wpvivid-Backup-Plugin-Phar-Insecure-Deserialization     CVE-2024-3054     HTTP_CRL-Wordpress-Wpvivid-Backup-Plugin-Phar-Insecure-Deserialization     Suspected Compromise
High     H2-Web-Interface-Create-Alias-RCE     No CVE/CAN     HTTP_CRL-H2-Web-Interface-Create-Alias-RCE     Suspected Compromise
High     Xwiki.org-Xwiki-Solr-Space-Facet-Code-Injection     CVE-2024-31984     HTTP_CRL-Xwiki.org-Xwiki-Solr-Space-Facet-Code-Injection     Suspected Compromise
High     Delta-Industrial-Automation-Diaenergie-SQL-Injection-CVE-2024-28891     CVE-2024-28891     HTTP_CRL-Delta-Industrial-Automation-Diaenergie-SQL-Injection-CVE-2024-28891     Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     IBM-Spectrum-Protect-Plus-Uploadhttpscertificate-Command-Injection     CVE-2020-4241     HTTP_CS-IBM-Spectrum-Protect-Plus-Uploadhttpscertificate-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Agent-Tesla-Malware-Infection-Traffic     No CVE/CAN     HTTP_CS-Agent-Tesla-Malware-Infection-Traffic     Suspected Botnet     Fingerprint regexp changed
High     Zoho-Manageengine-Admanager-Plus-CVE-2021-37539-Unrestricted-File-Upload     CVE-2021-37539     HTTP_CS-Zoho-Manageengine-Admanager-Plus-CVE-2021-37539-Unrestricted-File-Upload     Suspected Compromise     Fingerprint regexp changed
High     Apache-Httpd-Mod_Lua-req_parsebody-Integer-Underflow     CVE-2021-44790     HTTP_CS-Apache-Httpd-Mod_Lua-req_parsebody-Integer-Underflow     Suspected Compromise     Detection mechanism updated
High     CodeIgniter-Common.php-Insecure-Deserialization     CVE-2022-21647     HTTP_CS-CodeIgniter-Common.php-Insecure-Deserialization     Suspected Compromise     Fingerprint regexp changed
High     Grandstream-GXV31XX-Settimezone-Unauthenticated-Command-Execution     CVE-2019-10655     HTTP_CS-Grandstream-GXV31XX-Settimezone-Unauthenticated-Command-Execution     Suspected Compromise     Fingerprint regexp changed
High     Apache-Kylin-Rest-API-Admin-Configuration-Information-Disclosure     CVE-2020-13937     HTTP_CS-Apache-Kylin-Rest-API-Admin-Configuration-Information-Disclosure     Suspected Compromise     Fingerprint regexp changed
High     Wordpress-Email-Template-Designer-Plugin-Authentication-Bypass     CVE-2022-0218     HTTP_CS-Wordpress-Email-Template-Designer-Plugin-Authentication-Bypass     Suspected Compromise     Fingerprint regexp changed
High     Apache-ShenYu-Plugin-API-Information-Disclosure     CVE-2022-23944     HTTP_CS-Apache-ShenYu-Plugin-API-Information-Disclosure     Suspected Compromise     Fingerprint regexp changed
High     Delta-Industrial-Automation-Dialink-Events-Stored-Cross-Site-Scripting     CVE-2021-38488     HTTP_CS-Delta-Industrial-Automation-Dialink-Events-Stored-Cross-Site-Scripting     Suspected Compromise     Fingerprint regexp changed
High     Patrowl-PatrowlManager-Unrestricted-File-Upload     CVE-2021-43829     HTTP_CS-Patrowl-PatrowlManager-Unrestricted-File-Upload     Suspected Compromise     Fingerprint regexp changed
High     Acquia-Mautic-Tracking-Pixel-Stored-Cross-Site-Scripting     CVE-2022-25772     HTTP_CS-Acquia-Mautic-Tracking-Pixel-Stored-Cross-Site-Scripting     Suspected Compromise     Fingerprint regexp changed
High     Advantech-Iview-CVE-2022-2138-Denial-Of-Service     CVE-2022-2138     HTTP_CS-Advantech-Iview-CVE-2022-2138-Denial-Of-Service     Suspected Compromise     Fingerprint regexp changed
High     TYPO3-Lux-Extension-SQL-Injection     CVE-2022-35628     HTTP_CS-TYPO3-Lux-Extension-SQL-Injection     Suspected Compromise     Fingerprint regexp changed
High     Fortinet-Fortinac-Arbitrary-File-Write-CVE-2022-39952     CVE-2022-39952     HTTP_CS-Fortinet-Fortinac-Arbitrary-File-Write-CVE-2022-39952     Suspected Compromise     Fingerprint regexp changed
High     Inductive-Automation-Ignition-Authenticatedpage-Authentication-Bypass     CVE-2022-35869     HTTP_CS-Inductive-Automation-Ignition-Authenticatedpage-Authentication-Bypass     Potential Compromise     Detection mechanism updated
High     Cisco-RV-Series-Authentication-Bypass-And-Command-Injection     CVE-2022-20705     HTTP_CS-Cisco-RV-Series-Authentication-Bypass-And-Command-Injection     Suspected Compromise     Fingerprint regexp changed
High     Pimcore-Searchcontroller.PHP-SQL-Injection     CVE-2023-1578     HTTP_CS-Pimcore-Searchcontroller.PHP-SQL-Injection     Suspected Compromise     Fingerprint regexp changed
High     Progress-MOVEit-Transfer-Folderlistrecursive-SQL-Injection     CVE-2023-36932     HTTP_CS-Progress-MOVEit-Transfer-Folderlistrecursive-SQL-Injection     Suspected Compromise     Fingerprint regexp changed
High     VMware-Aria-Operations-For-Networks-Exportpdf-Code-Injection     CVE-2023-20889     HTTP_CS-VMware-Aria-Operations-For-Networks-Exportpdf-Code-Injection     Suspected Compromise     Fingerprint regexp changed
High     Wordpress-Paid-Memberships-Pro-Plugin-Arbitrary-File-Upload     CVE-2023-6187     HTTP_CS-Wordpress-Paid-Memberships-Pro-Plugin-Arbitrary-File-Upload     Suspected Compromise     Fingerprint regexp changed
High     Western-Digital-MyCloud-Unauthenticated-Command-Injection     CVE-2016-10108     HTTP_CS-Western-Digital-MyCloud-Unauthenticated-Command-Injection     Suspected Compromise     Fingerprint regexp changed

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Zabbix-Server-Setup.php-Authentication-Bypass     CVE-2022-23134     HTTP_CS-Zabbix-Server-Setup.php-Authentication-Bypass     Suspected Compromise     Context has changed from HTTP Client Stream to HTTP Request Header Line

LIST OF OTHER CHANGES:

New objects:

Type     Name
Application     Integral Ad Science
Element Ref     Application dependency from Adobe-Creative-Cloud to Adobe-Systems

Updated objects:

Type     Name     Changes
Situation     URL_List-DNS-Over-HTTPS     Detection mechanism updated
IPList     Rwanda
IPList     Saudi Arabia
IPList     Iran
IPList     Cyprus
IPList     Kenya
IPList     Seychelles
IPList     Oman
IPList     Qatar
IPList     Bahrain
IPList     United Arab Emirates
IPList     Israel
IPList     Türkiye
IPList     Egypt
IPList     Greece
IPList     Latvia
IPList     Lithuania
IPList     Georgia
IPList     Moldova
IPList     Finland
IPList     Ukraine
IPList     Hungary
IPList     Bulgaria
IPList     Poland
IPList     Romania
IPList     Zimbabwe
IPList     Botswana
IPList     South Africa
IPList     Madagascar
IPList     Pakistan
IPList     Bangladesh
IPList     Turkmenistan
IPList     India
IPList     Myanmar
IPList     Kazakhstan
IPList     Vietnam
IPList     Thailand
IPList     Indonesia
IPList     Taiwan
IPList     Philippines
IPList     Malaysia
IPList     China
IPList     Hong Kong
IPList     Macao
IPList     Cambodia
IPList     South Korea
IPList     Japan
IPList     Singapore
IPList     Russia
IPList     Australia
IPList     Papua New Guinea
IPList     Tuvalu
IPList     New Zealand
IPList     Senegal
IPList     Portugal
IPList     Ghana
IPList     Nigeria
IPList     Sierra Leone
IPList     Tunisia
IPList     Spain
IPList     Morocco
IPList     Algeria
IPList     United Kingdom
IPList     Switzerland
IPList     Sweden
IPList     The Netherlands
IPList     Austria
IPList     Belgium
IPList     Germany
IPList     Luxembourg
IPList     Ireland
IPList     France
IPList     Andorra
IPList     Liechtenstein
IPList     Slovakia
IPList     Czechia
IPList     Norway
IPList     San Marino
IPList     Italy
IPList     Slovenia
IPList     Croatia
IPList     Guyana
IPList     Paraguay
IPList     Brazil
IPList     Jamaica
IPList     Dominican Republic
IPList     Anguilla
IPList     El Salvador
IPList     Guatemala
IPList     Honduras
IPList     Costa Rica
IPList     Venezuela
IPList     Ecuador
IPList     Colombia
IPList     Panama
IPList     Chile
IPList     Peru
IPList     Mexico
IPList     Canada
IPList     United States
IPList     Palestine
IPList     Serbia
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Amazon S3
IPList     Amazon EC2
IPList     Amazon CLOUDFRONT
IPList     TOR relay nodes IP Address List
IPList     Amazon GLOBALACCELERATOR
IPList     Salesforce APNIC
IPList     Salesforce Australia     Marked for removal
IPList     Salesforce Canada     Marked for removal
IPList     Salesforce Community Cloud
IPList     Salesforce email Australia     Marked for removal
IPList     Salesforce email Canada     Marked for removal
IPList     Salesforce
IPList     Salesforce RIPE
IPList     Amazon DYNAMODB
IPList     Amazon S3 eu-south-2
IPList     Amazon AMAZON eu-south-2
IPList     Amazon EC2 eu-south-2
IPList     Amazon AMAZON il-central-1
IPList     Amazon S3 il-central-1
IPList     Amazon GLOBALACCELERATOR ap-southeast-3
IPList     Botnet IP Address List
IPList     Malicious Site IP Address List
IPList     Amazon CLOUDFRONT ap-southeast-1
IPList     NordVPN Servers IP Address List
IPList     Amazon DYNAMODB cn-north-1
IPList     Amazon AMAZON sa-east-1
IPList     Amazon EC2 sa-east-1
IPList     Amazon AMAZON us-east-1
IPList     Amazon EC2 us-east-1
IPList     Forcepoint Drop IP Address List
IPList     Salesforce India     Marked for removal
IPList     Salesforce US-East     Marked for removal
IPList     Salesforce US-West     Marked for removal
Situation     IP_salesforce_canada     Category tag situation Obsolete added; Category tag situation Inspection removed; Parameter IP list ID changed
Situation     IP_salesforce_australia     Category tag situation Obsolete added; Category tag situation Inspection removed; Parameter IP list ID changed
Situation     IP_salesforce_email_australia     Category tag situation Obsolete added; Category tag situation Inspection removed; Parameter IP list ID changed
Situation     IP_salesforce_email_canada     Category tag situation Obsolete added; Category tag situation Inspection removed; Parameter IP list ID changed
Situation     HTTP_CSU-Shared-Variables
Situation     HTTP_CS-Shared-Variables-For-Client-Stream-Context     Fingerprint regexp changed
Situation     HTTP_CRL-Shared-Variables
Situation     HTTP_PSU-Shared-Variables     Fingerprint regexp changed
Application     Yahoo
Application     Yahoo-Web-Mail
Application     Yahoo!-Blog-Posting
Application     Yahoo-Calendar
Application     Deviantart
Application     Weather.com
Application     TOR
Application     DNS-Over-HTTPS
Application     NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.