This update package improves the detection capabilities of the Forcepoint LLM system.
| RELEASE DATE: | Monday May 20, 2024 |
| MD5 CHECKSUM: | a1ca9b78b0f1a99712b495d7af466e98 |
| SHA1 CHECKSUM: | 8ee76109e14b87d1117d7f3cbb5231d93edc247d |
| SHA256 CHECKSUM: | 491c101c2bc15e3a83ad6b66d345c48efc1f5c5273e3912e90e99cf9d30c4fe3 |
UPDATE CRITICALITY: HIGH
List of detected attacks in this update package:
| Risk level | Description | Reference | Vulnerability |
|---|---|---|---|
| High | An attempt to exploit a vulnerability in Microsoft Sharepoint Server detected | CVE-2024-21318 | Microsoft-Sharepoint-Server-Business-Data-Connectivity-Unsafe-Reflection |
| High | An attempt to exploit a vulnerability in OpenMetadata detected | CVE-2024-28254 | Openmetadata-Spel-Injection-CVE-2024-28254 |
| High | An attempt to exploit a vulnerability in D-Link NAS detected | CVE-2024-3272 | D-Link-Hardcoded-Credentials-CVE-2024-3272 |
| High | An attempt to exploit a vulnerability in Zimbra Collaboration detected | CVE-2022-27926 | Zimbra-Collaboration-Cross-Site-Scripting-CVE-2022-27926 |
| High | An attempt to exploit a vulnerability in SolarWinds Access Rights Manager detected | CVE-2024-23478 | Solarwinds-Access-Rights-Manager-Insecure-Deserialization-CVE-2024-23478 |
| High | An attempt to exploit a vulnerability in Centreon Project Centreon Web detected | CVE-2024-23116 | Centreon-Web-Updatelcarelation-SQL-Injection |
| High | An attempt to exploit a vulnerability in Voltronic Power ViewPower Pro detected | CVE-2023-51595 | Voltronic-Power-Viewpower-Pro-Selectdevicelistby-SQL-Injection |
| High | An attempt to exploit a vulnerability in Apache NiFi detected | CVE-2023-34468 | Apache-NiFi-H2-Connection-String-Remote-Code-Execution |
| High | An attempt to exploit a vulnerability in WordPress Automatic Plugin detected | CVE-2024-27956 | Wordpress-Automatic-Plugin-SQL-Injection-CVE-2024-27956 |
| High | An attempt to exploit a vulnerability in WordPress LiteSpeed Cache plugin detected | CVE-2023-40000 | Wordpress-LiteSpeed-Cache-Plugin-Cross-Site-Scripting-CVE-2023-40000 |
| High | An attempt to exploit a vulnerability in WordPress LayerSlider plugin detected | CVE-2024-2879 | Wordpress-Layerslider-Plugin-SQL-Injection-CVE-2024-2879 |
| High | An attempt to exploit a vulnerability in GitLab GitLab Community Edition (CE) and Enterprise Edition (EE) detected | CVE-2024-1451 | Gitlab-Community-And-Enterprise-Edition-Profile-Page-Stored-XSS |
| High | An attempt to exploit a vulnerability in Vinchin Backup & Recovery detected | CVE-2023-45498 | Vinchin-Backup-And-Recovery-Command-Injection |
| High | An attempt to exploit a vulnerability in Voltronic Power ViewPower Pro detected | CVE-2023-51595 | Voltronic-Power-Viewpower-Pro-Selectdevicelistby-SQL-Injection |
| High | An attempt to exploit a vulnerability in Microsoft Exchange Server detected | No CVE/CAN | Microsoft-Exchange-PowerShell-Remoting-Xamlimageinfo-Insecure-Deserialization |
| High | An attempt to exploit a vulnerability in D-Link DIR-X4860 routers detected | No CVE/CAN | D-Link-Dir-X4860-HNAP-LocalIPAddress-Command-Injection |
| High | An attempt to exploit a vulnerability in Ivanti Avalanche detected | CVE-2024-24994 | Ivanti-Avalanche-Extractzipentry-Directory-Traversal |
| Low | An attempt to exploit a vulnerability in ISC BIND detected | CVE-2023-50868 | Multiple-Vendors-DNS-NSEC3-Response-Handling-Denial-Of-Service |
Jump to: Detected Attacks Other Changes
DETECTED ATTACKS
New detected attacks:
HTTP Client Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Microsoft-Sharepoint-Server-Business-Data-Connectivity-Unsafe-Reflection | CVE-2024-21318 | HTTP_CS-Microsoft-Sharepoint-Server-Business-Data-Connectivity-Unsafe-Reflection | Potential Compromise |
DNS UDP Server Message
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| Low | Multiple-Vendors-DNS-NSEC3-Response-Handling-Denial-Of-Service | CVE-2023-50868 | DNS-UDP_Multiple-Vendors-DNS-NSEC3-Response-Handling-Denial-Of-Service | Potential Denial of Service |
TCP Client Stream Unknown
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Voltronic-Power-Viewpower-Pro-Selectdevicelistby-SQL-Injection | CVE-2023-51595 | Generic_CS-Voltronic-Power-Viewpower-Pro-Selectdevicelistby-SQL-Injection | Potential Compromise |
HTTP Request URI
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Openmetadata-Spel-Injection-CVE-2024-28254 | CVE-2024-28254 | HTTP_CSU-Openmetadata-Spel-Injection-CVE-2024-28254 | Suspected Compromise |
| High | D-Link-Hardcoded-Credentials-CVE-2024-3272 | CVE-2024-3272 | HTTP_CSU-D-Link-Hardcoded-Credentials-CVE-2024-3272 | Suspected Compromise |
| High | Zimbra-Collaboration-Cross-Site-Scripting-CVE-2022-27926 | CVE-2022-27926 | HTTP_CSU-Zimbra-Collaboration-Cross-Site-Scripting-CVE-2022-27926 | Suspected Compromise |
HTTP Normalized Request-Line
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Centreon-Web-Updatelcarelation-SQL-Injection | CVE-2024-23116 | HTTP_CRL-Centreon-Web-Updatelcarelation-SQL-Injection | Suspected Compromise |
| High | Voltronic-Power-Viewpower-Pro-Selectdevicelistby-SQL-Injection | CVE-2023-51595 | HTTP_CRL-Voltronic-Power-Viewpower-Pro-Selectdevicelistby-SQL-Injection | Potential Compromise |
| High | Apache-NiFi-H2-Connection-String-Remote-Code-Execution | CVE-2023-34468 | HTTP_CRL-Apache-NiFi-H2-Connection-String-Remote-Code-Execution | Suspected Compromise |
| High | Wordpress-Automatic-Plugin-SQL-Injection-CVE-2024-27956 | CVE-2024-27956 | HTTP_CRL-Wordpress-Automatic-Plugin-SQL-Injection-CVE-2024-27956 | Suspected Compromise |
| High | Wordpress-LiteSpeed-Cache-Plugin-Cross-Site-Scripting-CVE-2023-40000 | CVE-2023-40000 | HTTP_CRL-Wordpress-LiteSpeed-Cache-Plugin-Cross-Site-Scripting-CVE-2023-40000 | Suspected Compromise |
| High | Wordpress-Layerslider-Plugin-SQL-Injection-CVE-2024-2879 | CVE-2024-2879 | HTTP_CRL-Wordpress-Layerslider-Plugin-SQL-Injection-CVE-2024-2879 | Suspected Compromise |
| High | Gitlab-Community-And-Enterprise-Edition-Profile-Page-Stored-XSS | CVE-2024-1451 | HTTP_CRL-Gitlab-Community-And-Enterprise-Edition-Profile-Page-Stored-XSS | Suspected Compromise |
| High | Vinchin-Backup-And-Recovery-Command-Injection | CVE-2023-45498 | HTTP_CRL-Vinchin-Backup-And-Recovery-Command-Injection | Suspected Compromise |
Text File Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Solarwinds-Access-Rights-Manager-Insecure-Deserialization-CVE-2024-23478 | CVE-2024-23478 | File-Text_Solarwinds-Access-Rights-Manager-Insecure-Deserialization-CVE-2024-23478 | Suspected Compromise |
Identified Text File Stream
Zip File Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type |
|---|---|---|---|---|
| High | Ivanti-Avalanche-Extractzipentry-Directory-Traversal | CVE-2024-24994 | File-Zip_Ivanti-Avalanche-Extractzipentry-Directory-Traversal | Suspected Compromise |
Updated detected attacks:
HTTP Client Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description | |
|---|---|---|---|---|---|---|
| High | Microsoft-Sharepoint-Server-Generateproxyassembly-Code-Injection-CVE-2023-24955 | CVE-2023-24955 | HTTP_CS-Microsoft-Sharepoint-Server-Generateproxyassembly-Code-Injection-CVE-2023-24955 | Suspected Compromise |
|
HTTP Request URI
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description | |
|---|---|---|---|---|---|---|
| High | D-Link-Command-Injection-CVE-2024-3273 | CVE-2024-3273 | HTTP_CSU-D-Link-Command-Injection-CVE-2024-3273 | Suspected Compromise |
|
HTTP Normalized Request-Line
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description | |
|---|---|---|---|---|---|---|
| High | Gitlab-Account-Hijacking-Vulnerability-CVE-2023-7028 | CVE-2023-7028 | HTTP_CRL-Gitlab-Account-Hijacking-Vulnerability-CVE-2023-7028 | Suspected Compromise |
|
|
| High | Centreon-Web-Updatedirectory-SQL-Injection | CVE-2024-0637 | HTTP_CRL-Centreon-Web-Updatedirectory-SQL-Injection | Suspected Compromise |
|
|
| High | Oracle-Business-Intelligence-Enterprise-Edition-CVE-2020-14864 | CVE-2020-14864 | HTTP_CRL_Oracle-Business-Intelligence-Enterprise-Edition-CVE-2020-14864 | Suspected Compromise |
|
Text File Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description | ||
|---|---|---|---|---|---|---|---|
| High | Sophos-UTM-WebAdmin-Sid-Command-Injection | CVE-2020-25223 | File-Text_Sophos-UTM-WebAdmin-Sid-Command-Injection | Suspected Compromise |
|
||
| High | Apache-ShenYu-Admin-JWT-Authentication-Bypass-Vulnerability | CVE-2021-37580 | File-Text_Apache-ShenYu-Admin-JWT-Authentication-Bypass-Vulnerability | Suspected Compromise |
|
||
| High | Parse-Server-Transformupdate-Prototype-Pollution-CVE-2022-39396 | CVE-2022-39396 | File-Text_Parse-Server-Transformupdate-Prototype-Pollution-CVE-2022-39396 | Suspected Compromise |
|
||
| High | GL.iNet-Unauthenticated-Remote-Command-Execution-Via-The-Logread-Module | CVE-2023-50445 | File-Text_GL.iNet-Unauthenticated-Remote-Command-Execution-Via-The-Logread-Module | Suspected Compromise |
|
||
| High | VMware-Fusion-Guest-VM-Remote-Code-Execution | CVE-2019-5514 | File-Text_VMware-Fusion-Guest-VM-Remote-Code-Execution | Suspected Compromise |
|
||
| High | Telerik-UI-Insecure-Deserialization-CVE-2019-18935 | CVE-2019-18935 | File-Text_Telerik-UI-Insecure-Deserialization-CVE-2019-18935 | Suspected Compromise |
|
||
| High | Trend-Micro-Safesync-For-Enterprise-Ad.pm-Id-Remote-Command-Execution | No CVE/CAN | File-Text_Trend-Micro-Safesync-For-Enterprise-Ad.pm-Id-Remote-Command-Execution | Suspected Compromise |
|
Zip File Stream
| Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description | |
|---|---|---|---|---|---|---|
| High | Directory-Traversal-In-Archive-Filename | CVE-2018-7836 | File-Zip_Directory-Traversal-In-Archive-Filename | Potential Compromise |
|
LIST OF OTHER CHANGES:
New objects:
| Type | Name |
|---|---|
| Category | Vinchin Backup And Recovery |
| Category | SolarWinds Access Rights Manager |
| Network Element | Common IP Blocklists |
| Report | Top Bandwidth Network Applications by VPN Tunnel |
| Application | Blockthrough |
Updated objects:
| Type | Name | Changes | |
|---|---|---|---|
| Situation | URL_List-DNS-Over-HTTPS |
|
|
| IPList | Saudi Arabia | ||
| IPList | Iran | ||
| IPList | Tanzania | ||
| IPList | Syria | ||
| IPList | Armenia | ||
| IPList | Seychelles | ||
| IPList | Jordan | ||
| IPList | Qatar | ||
| IPList | United Arab Emirates | ||
| IPList | Israel | ||
| IPList | Türkiye | ||
| IPList | Eritrea | ||
| IPList | Greece | ||
| IPList | Estonia | ||
| IPList | Latvia | ||
| IPList | Azerbaijan | ||
| IPList | Lithuania | ||
| IPList | Georgia | ||
| IPList | Moldova | ||
| IPList | Finland | ||
| IPList | Ukraine | ||
| IPList | North Macedonia | ||
| IPList | Hungary | ||
| IPList | Bulgaria | ||
| IPList | Poland | ||
| IPList | Romania | ||
| IPList | Réunion | ||
| IPList | South Africa | ||
| IPList | Pakistan | ||
| IPList | Tajikistan | ||
| IPList | India | ||
| IPList | Kazakhstan | ||
| IPList | Kyrgyzstan | ||
| IPList | Vietnam | ||
| IPList | Thailand | ||
| IPList | Indonesia | ||
| IPList | Laos | ||
| IPList | Taiwan | ||
| IPList | Philippines | ||
| IPList | Malaysia | ||
| IPList | China | ||
| IPList | Hong Kong | ||
| IPList | Cambodia | ||
| IPList | South Korea | ||
| IPList | Japan | ||
| IPList | Singapore | ||
| IPList | Timor-Leste | ||
| IPList | Russia | ||
| IPList | Australia | ||
| IPList | Papua New Guinea | ||
| IPList | Vanuatu | ||
| IPList | New Zealand | ||
| IPList | Fiji | ||
| IPList | Congo Republic | ||
| IPList | Portugal | ||
| IPList | Ivory Coast | ||
| IPList | Nigeria | ||
| IPList | Spain | ||
| IPList | Algeria | ||
| IPList | Denmark | ||
| IPList | United Kingdom | ||
| IPList | Switzerland | ||
| IPList | Sweden | ||
| IPList | The Netherlands | ||
| IPList | Austria | ||
| IPList | Belgium | ||
| IPList | Germany | ||
| IPList | Luxembourg | ||
| IPList | Ireland | ||
| IPList | France | ||
| IPList | Liechtenstein | ||
| IPList | Czechia | ||
| IPList | Norway | ||
| IPList | Italy | ||
| IPList | Slovenia | ||
| IPList | Montenegro | ||
| IPList | Bosnia and Herzegovina | ||
| IPList | Namibia | ||
| IPList | French Guiana | ||
| IPList | Brazil | ||
| IPList | Trinidad and Tobago | ||
| IPList | Belize | ||
| IPList | Honduras | ||
| IPList | Nicaragua | ||
| IPList | Costa Rica | ||
| IPList | Venezuela | ||
| IPList | Colombia | ||
| IPList | Argentina | ||
| IPList | Chile | ||
| IPList | Peru | ||
| IPList | Mexico | ||
| IPList | U.S. Virgin Islands | ||
| IPList | Canada | ||
| IPList | United States | ||
| IPList | Serbia | ||
| IPList | TOR exit nodes IP Address List | ||
| IPList | Amazon AMAZON | ||
| IPList | Amazon EC2 | ||
| IPList | TOR relay nodes IP Address List | ||
| IPList | The Deception Project IP Address List |
|
|
| IPList | Hidden Cobra APT C2 IP Address List |
|
|
| IPList | Amazon AMAZON af-south-1 | ||
| IPList | Zscaler IP Address List | ||
| IPList | Amazon EC2 af-south-1 | ||
| IPList | Amazon AMAZON ap-east-1 | ||
| IPList | Amazon EC2 ap-east-1 | ||
| IPList | Amazon AMAZON ap-south-2 | ||
| IPList | Amazon EC2 ap-south-2 | ||
| IPList | SunBurst Backdoor IP Address List |
|
|
| IPList | Amazon AMAZON ap-northeast-1 | ||
| IPList | Amazon EC2 me-central-1 | ||
| IPList | Amazon AMAZON me-central-1 | ||
| IPList | Amazon EC2 ap-northeast-1 | ||
| IPList | Amazon AMAZON eu-south-2 | ||
| IPList | Amazon EC2 eu-south-2 | ||
| IPList | Amazon AMAZON eu-central-2 | ||
| IPList | Amazon EC2 eu-central-2 | ||
| IPList | Amazon AMAZON il-central-1 | ||
| IPList | Amazon AMAZON ap-northeast-2 | ||
| IPList | Amazon EC2 ap-northeast-2 | ||
| IPList | Amazon EC2 il-central-1 | ||
| IPList | Amazon AMAZON ap-northeast-3 | ||
| IPList | Amazon EC2 ap-northeast-3 | ||
| IPList | Botnet IP Address List | ||
| IPList | Malicious Site IP Address List | ||
| IPList | Amazon AMAZON ap-south-1 | ||
| IPList | Amazon EC2 ap-south-1 | ||
| IPList | Amazon AMAZON ap-southeast-1 | ||
| IPList | Amazon EC2 ap-southeast-1 | ||
| IPList | NordVPN Servers IP Address List | ||
| IPList | Amazon AMAZON ap-southeast-2 | ||
| IPList | Amazon EC2 ap-southeast-2 | ||
| IPList | Amazon AMAZON ca-central-1 | ||
| IPList | Amazon EC2 ca-central-1 | ||
| IPList | Amazon AMAZON eu-central-1 | ||
| IPList | Amazon EC2 eu-central-1 | ||
| IPList | Amazon AMAZON eu-north-1 | ||
| IPList | Amazon EC2 eu-north-1 | ||
| IPList | Amazon AMAZON eu-west-1 | ||
| IPList | Amazon EC2 eu-west-1 | ||
| IPList | Amazon AMAZON eu-west-2 | ||
| IPList | Amazon EC2 eu-west-2 | ||
| IPList | Amazon AMAZON eu-west-3 | ||
| IPList | Amazon EC2 eu-west-3 | ||
| IPList | Amazon AMAZON me-south-1 | ||
| IPList | Amazon EC2 me-south-1 | ||
| IPList | Amazon AMAZON sa-east-1 | ||
| IPList | Amazon EC2 sa-east-1 | ||
| IPList | Amazon AMAZON us-east-1 | ||
| IPList | Amazon EC2 us-east-1 | ||
| IPList | Amazon AMAZON us-east-2 | ||
| IPList | Amazon EC2 us-east-2 | ||
| IPList | Forcepoint Drop IP Address List | ||
| IPList | Amazon AMAZON us-west-1 | ||
| IPList | Amazon EC2 us-west-1 | ||
| IPList | Amazon AMAZON us-west-2 | ||
| IPList | Amazon EC2 us-west-2 | ||
| IPList | Amazon AMAZON eu-south-1 | ||
| IPList | Amazon EC2 eu-south-1 | ||
| IPList | Sinkhole IP List | ||
| IPList | Amazon AMAZON ap-southeast-3 | ||
| IPList | Amazon EC2 ap-southeast-3 | ||
| IPList | Amazon EC2 ap-southeast-4 | ||
| IPList | Amazon AMAZON ap-southeast-4 | ||
| IPList | Amazon AMAZON ca-west-1 | ||
| IPList | Amazon EC2 ca-west-1 | ||
| Situation | IP_The-Deception-Project-Sites |
|
|
| Situation | IP_Emotet-Botnet-C2-Sites |
|
|
| Situation | IP_SunBurst_Backdoor |
|
|
| Situation | Generic_SS-Ebury-SSH-Backdoor-Activity |
|
|
| Situation | HTTP_CSU-Shared-Variables | ||
| Situation | HTTP_SHS-Shared-Variables | ||
| Situation | SSH_Ebury-SSH-Backdoor-Activity |
|
|
| Situation | File-Text_Shared-Variables |
|
|
| Application | TOR | ||
| Application | DNS-Over-HTTPS | ||
| Application | NordVPN | ||
| Application | Blizzard-World-of-Warcraft |
|
DISCLAIMER AND COPYRIGHT
Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.