Release notes for update package 1779-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:       Thursday September 19, 2024
MD5 CHECKSUM:       87ed1ca4febd67b8e4882902abd216a1
SHA1 CHECKSUM:      7ffa5dc7e6b4dc15530966901930f9a8214255ac
SHA256 CHECKSUM:    c31e99602c59b64122fb316c5573db61b78fb45030dc90b6d51d62dc19d0b78e

UPDATE CRITICALITY: HIGH

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in RoundCube RoundCube Webmail detected | CVE-2024-42009 | Roundcube-Webmail-Html4inline-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in Microsoft Windows Server detected | CVE-2024-38077 | Microsoft-Windows-Rdl-Service-Base24-Decoding-Remote-Code-Execution
High | An attempt to exploit a vulnerability in the BigUp plugin of SPIP detected | CVE-2024-8517 | SPIP-BigUp-Plugin-Unauthenticated-RCE
High | Detected a local batch file execute attempt using ShellExecute | No CVE/CAN | Local-System-Access-Via-ActiveX-Controls


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | SPIP-BigUp-Plugin-Unauthenticated-RCE | CVE-2024-8517 | HTTP_CS-SPIP-BigUp-Plugin-Unauthenticated-RCE | Suspected Compromise

SMTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Roundcube-Webmail-Html4inline-Stored-Cross-Site-Scripting | CVE-2024-42009 | SMTP_CCS-Roundcube-Webmail-Html4inline-Stored-Cross-Site-Scripting | Suspected Compromise

MSRPC Client Payload Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Windows-Rdl-Service-Base24-Decoding-Remote-Code-Execution | CVE-2024-38077 | MSRPC-TCP_CPS-Microsoft-Windows-Rdl-Service-Base24-Decoding-Remote-Code-Execution | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Local-System-Access-Via-ActiveX-Controls | No CVE/CAN | File-Text_ShellExecute-ActiveX-Object-Batch-Script-Local-Execute | Suspected Compromise
High | Roundcube-Webmail-Html4inline-Stored-Cross-Site-Scripting | CVE-2024-42009 | File-Text_Roundcube-Webmail-Html4inline-Stored-Cross-Site-Scripting | Suspected Compromise

Updated detected attacks:

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ysoserial-Generated-DotNet-Serialized-Object | No CVE/CAN | Generic_CS-Ysoserial-Generated-DotNet-Serialized-Object | Suspected Compromise | Category tag situation Suspected Compromise added; category tag situation Potential Compromise removed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Progress-WhatsUp-Gold-SQL-Injection-CVE-2024-6670 | CVE-2024-6670 | HTTP_CRL-Progress-WhatsUp-Gold-SQL-Injection-CVE-2024-6670 | Suspected Compromise | Fingerprint regexp changed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ysoserial-Generated-DotNet-Serialized-Object | No CVE/CAN | File-Text_Ysoserial-Generated-DotNet-Serialized-Object | Suspected Compromise | Category tag situation Suspected Compromise added; category tag situation Potential Compromise removed

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ysoserial-Generated-DotNet-Serialized-Object | No CVE/CAN | File-Binary_Ysoserial-Generated-DotNet-Serialized-Object | Suspected Compromise | Category tag situation Suspected Compromise added; category tag situation Potential Compromise removed

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ysoserial-Generated-DotNet-Serialized-Object | No CVE/CAN | File-TextId_Ysoserial-Generated-DotNet-Serialized-Object | Suspected Compromise | Category tag situation Suspected Compromise added; category tag situation Potential Compromise removed

LIST OF OTHER CHANGES:

Updated objects:

Type Name Changes
Certificate Authority InCommon RSA Server CA (1)
Marked for removal
Situation URL_List-DNS-Over-HTTPS
Detection mechanism updated
IPList Rwanda
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Tanzania
IPList Armenia
IPList Kenya
IPList DR Congo
IPList Djibouti
IPList Uganda
IPList Central African Republic
IPList Seychelles
IPList Jordan
IPList Kuwait
IPList Oman
IPList Qatar
IPList Bahrain
IPList United Arab Emirates
IPList Israel
IPList Türkiye
IPList Ethiopia
IPList Eritrea
IPList Egypt
IPList Greece
IPList Burundi
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Georgia
IPList Moldova
IPList Belarus
IPList Finland
IPList Åland Islands
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Kosovo
IPList Zimbabwe
IPList Zambia
IPList Comoros
IPList Malawi
IPList Lesotho
IPList Botswana
IPList Mauritius
IPList Eswatini
IPList Réunion
IPList South Africa
IPList Mayotte
IPList Mozambique
IPList Madagascar
IPList Afghanistan
IPList Pakistan
IPList Bangladesh
IPList Turkmenistan
IPList Tajikistan
IPList Sri Lanka
IPList Bhutan
IPList India
IPList Maldives
IPList Nepal
IPList Myanmar
IPList Uzbekistan
IPList Kazakhstan
IPList Kyrgyzstan
IPList Palau
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Laos
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Brunei
IPList Macao
IPList Cambodia
IPList South Korea
IPList Japan
IPList Singapore
IPList Cook Islands
IPList Timor-Leste
IPList Russia
IPList Mongolia
IPList Australia
IPList Federated States of Micronesia
IPList Papua New Guinea
IPList Solomon Islands
IPList Vanuatu
IPList New Caledonia
IPList Norfolk Island
IPList New Zealand
IPList Fiji
IPList Cameroon
IPList Senegal
IPList Congo Republic
IPList Portugal
IPList Liberia
IPList Ivory Coast
IPList Ghana
IPList Equatorial Guinea
IPList Nigeria
IPList Burkina Faso
IPList Togo
IPList Guinea-Bissau
IPList Mauritania
IPList Benin
IPList Gabon
IPList Sierra Leone
IPList São Tomé and Príncipe
IPList Gibraltar
IPList Gambia
IPList Guinea
IPList Chad
IPList Niger
IPList Mali
IPList Western Sahara
IPList Tunisia
IPList Spain
IPList Morocco
IPList Malta
IPList Algeria
IPList Faroe Islands
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList The Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList Monaco
IPList France
IPList Andorra
IPList Liechtenstein
IPList Jersey
IPList Isle of Man
IPList Guernsey
IPList Slovakia
IPList Czechia
IPList Norway
IPList Vatican City
IPList San Marino
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Bosnia and Herzegovina
IPList Angola
IPList Namibia
IPList Barbados
IPList Cabo Verde
IPList Guyana
IPList French Guiana
IPList Suriname
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Falkland Islands
IPList Jamaica
IPList Dominican Republic
IPList Martinique
IPList Bahamas
IPList Bermuda
IPList Anguilla
IPList Trinidad and Tobago
IPList St Kitts and Nevis
IPList Dominica
IPList Antigua and Barbuda
IPList Saint Lucia
IPList Turks and Caicos Islands
IPList Aruba
IPList British Virgin Islands
IPList St Vincent and Grenadines
IPList Saint Martin
IPList Guadeloupe
IPList Grenada
IPList Cayman Islands
IPList Belize
IPList El Salvador
IPList Guatemala
IPList Honduras
IPList Nicaragua
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Haiti
IPList Argentina
IPList Chile
IPList Bolivia
IPList Peru
IPList Mexico
IPList French Polynesia
IPList Kiribati
IPList Tonga
IPList Samoa
IPList Niue
IPList Northern Mariana Islands
IPList Guam
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList American Samoa
IPList Canada
IPList United States
IPList Serbia
IPList Antarctica
IPList Sint Maarten
IPList Curaçao
IPList Bonaire, Sint Eustatius, and Saba
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon EC2
IPList Microsoft Azure datacenter for australiaeast
IPList Microsoft Azure datacenter for brazilsouth
IPList Microsoft Azure datacenter for canadacentral
IPList TOR relay nodes IP Address List
IPList Microsoft Azure datacenter for centralus
IPList Microsoft Azure datacenter for eastus2euap
IPList Microsoft Azure datacenter for eastus2
IPList Microsoft Azure datacenter for eastus
IPList Microsoft Azure datacenter for southfrance
IPList Microsoft Azure datacenter for japaneast
IPList Microsoft Azure datacenter for koreacentral
IPList Microsoft Azure datacenter for southcentralus
IPList Microsoft Azure datacenter for uksouth
IPList Microsoft Azure datacenter for westeurope
IPList Amazon GLOBALACCELERATOR
IPList Microsoft Azure datacenter for westus2
IPList Microsoft Azure datacenter for westus
IPList Microsoft Azure service for AzureActiveDirectory
IPList Microsoft Azure datacenter
IPList Amazon EC2_INSTANCE_CONNECT
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON ap-southeast-6
IPList Amazon EC2 ap-southeast-6
IPList NordVPN Servers IP Address List
IPList Amazon EC2_INSTANCE_CONNECT cn-north-1
IPList Amazon EC2_INSTANCE_CONNECT cn-northwest-1
IPList Microsoft Azure service for MicrosoftPurviewPolicyDistribution
IPList Amazon AMAZON eu-west-1
IPList Amazon GLOBALACCELERATOR eu-west-1
IPList Amazon AMAZON us-east-1
IPList Amazon EC2 us-east-1
IPList Amazon AMAZON us-east-2
IPList Amazon EC2 us-east-2
IPList Amazon EC2_INSTANCE_CONNECT us-gov-east-1
IPList Amazon EC2_INSTANCE_CONNECT us-gov-west-1
IPList Microsoft Azure datacenter for germanyn
IPList Microsoft Azure datacenter for germanywc
IPList Microsoft Azure datacenter for norwaye
IPList Microsoft Azure datacenter for norwayw
IPList Microsoft Azure datacenter for southafricanorth
IPList Microsoft Azure datacenter for switzerlandn
IPList Microsoft Azure datacenter for switzerlandw
IPList Microsoft Azure datacenter for uaenorth
IPList Microsoft Azure service for AppService
IPList Microsoft Azure service for AzureActiveDirectory_ServiceEndpoint
IPList Microsoft Azure service for AzureCloud
IPList Microsoft Azure service for AzureContainerRegistry
IPList Microsoft Azure service for AzureCosmosDB
IPList Microsoft Azure service for AzureFrontDoor_FirstParty
IPList Microsoft Azure service for AzureMonitor
IPList Microsoft Azure service for AzureSignalR
IPList Microsoft Azure service for DataFactory
IPList Microsoft Azure service for DataFactoryManagement
IPList Microsoft Azure service for PowerBI
IPList Microsoft Azure datacenter for swedencentral
IPList Microsoft Azure datacenter for swedensouth
IPList Microsoft Azure datacenter for westus3
IPList Microsoft Azure service for SCCservice
IPList Microsoft Azure datacenter for italynorth
IPList Microsoft Azure datacenter for polandcentral
IPList Microsoft Azure datacenter for taiwannorthwest
IPList Microsoft Azure service for M365ManagementActivityApi
IPList Microsoft Azure service for AzureStack
IPList Microsoft Azure service for M365ManagementActivityApiWebhook
IPList Microsoft Azure service for AzureSentinel
Application TOR
Application DNS-Over-HTTPS
Application NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.