Release notes for update package 1793-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:       Monday October 28, 2024
MD5 CHECKSUM:       54cd288bae04a6dd5f1c864fa7feadda
SHA1 CHECKSUM:      c831bf98c38955f4bdb80139d34e499504c9507f
SHA256 CHECKSUM:    30c0d2d160cdc8659d1c49462b896c5c58bded079703e8cc2c8ce1babf54a8d9

UPDATE CRITICALITY: HIGH
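Before importing the package, confirm that the file you downloaded matches the digests above. The block below is an added example written for these notes, not Forcepoint's own tooling: it streams a file once through MD5, SHA-1 and SHA-256 and reports every mismatch against the published values. The file name sample_update.bin and the write_sample_file helper are assumptions that only exist so the block runs stand-alone on a constructed file. SHA-256 is the value to rely on; MD5 and SHA-1 are published for compatibility. A digest check proves integrity, not origin: it only tells you the file is the one these notes describe if the notes themselves reached you over an authenticated channel.

```python
import hashlib
import os
import tempfile

# Digests published above for update package 1793-5242.
PUBLISHED_DIGESTS = {
    "md5": "54cd288bae04a6dd5f1c864fa7feadda",
    "sha1": "c831bf98c38955f4bdb80139d34e499504c9507f",
    "sha256": "30c0d2d160cdc8659d1c49462b896c5c58bded079703e8cc2c8ce1babf54a8d9",
}


def digest_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Compute several digests of a file in a single streaming pass.

    Returns {algorithm: lowercase hex digest}.  Reading in chunks keeps
    memory flat for packages that are hundreds of megabytes.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_package(path, expected):
    """Compare a file against published digests.

    `expected` maps algorithm name -> hex digest (any letter case).
    Returns {algorithm: (expected, actual)} for every mismatch; an empty
    dict means the file matches all of them.  Every listed algorithm is
    checked, so a file that matches SHA-256 but not MD5 is still flagged
    and deserves a closer look before it is imported.
    """
    actual = digest_file(path, tuple(expected))
    return {
        name: (want.lower(), actual[name])
        for name, want in expected.items()
        if want.lower() != actual[name]
    }


def write_sample_file(content, name="sample_update.bin"):
    """Constructed stand-in for a downloaded package (assumption: this is
    not a real update file).  Returns the path of a temporary file."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Run against a constructed file; a real check passes the path of the
    # downloaded 1793-5242 package together with PUBLISHED_DIGESTS.
    sample = write_sample_file(b"abc")
    problems = verify_package(sample, PUBLISHED_DIGESTS)
    for algo, (want, got) in sorted(problems.items()):
        print(f"{algo}: expected {want}, got {got}")
    print("OK" if not problems else "MISMATCH: do not import this package")
```

Run it with the real package path in place of the constructed file; any non-empty result means the download should be discarded and fetched again rather than imported.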

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in Windows' Remote Registry client detected | CVE-2024-43532 | Remote-Registry-Service-Elevation-Of-Privilege-CVE-2024-43532
High | An attempt to exploit a vulnerability in Ivanti Avalanche detected | CVE-2024-36136 | Ivanti-Avalanche-Wlinforailservice-H.Payform-Out-Of-Bounds-Read
High | An attempt to exploit a vulnerability in Ivanti Endpoint Manager detected | CVE-2024-32845 | Ivanti-Endpoint-Manager-Getsqlstatement-SQL-Injection
High | An attempt to exploit a vulnerability in Ivanti Cloud Services Appliance detected | CVE-2024-9380 | Ivanti-Cloud-Services-Appliance-Command-Injection-CVE-2024-9380
High | An attempt to exploit a vulnerability in Ivanti Cloud Services Appliance detected | CVE-2024-8963 | Ivanti-Cloud-Services-Appliance-Path-Traversal-CVE-2024-8963
High | An attempt to exploit a vulnerability in the WordPress The Events Calendar plugin detected | CVE-2024-6931 | Wordpress-The-Events-Calendar-Plugin-Rsvp-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in LightOpenCMS detected | CVE-2009-2223 | LightOpenCMS-Smarty.php-Local-File-Inclusion
Low | Obsolete Edge browser usage detected | No CVE/CAN | Legacy-Chakra-Based-Microsoft-Edge-Usage


DETECTED ATTACKS

New detected attacks:

TCP MSRPC Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Remote-Registry-Service-Elevation-Of-Privilege-CVE-2024-43532 | CVE-2024-43532 | MSRPC-TCP_Remote-Registry-Service-Elevation-Of-Privilege-CVE-2024-43532 | Suspected Compromise

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Ivanti-Avalanche-Wlinforailservice-H.Payform-Out-Of-Bounds-Read | CVE-2024-36136 | Generic_CS-Ivanti-Avalanche-Wlinforailservice-H.Payform-Out-Of-Bounds-Read | Potential Compromise

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Ivanti-Cloud-Services-Appliance-Path-Traversal-CVE-2024-8963 | CVE-2024-8963 | HTTP_CSU-Ivanti-Cloud-Services-Appliance-Path-Traversal-CVE-2024-8963 | Suspected Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
Low | Legacy-Chakra-Based-Microsoft-Edge-Usage | No CVE/CAN | HTTP_CSH-Legacy-Chakra-Based-Microsoft-Edge-Usage | Browsers
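This fingerprint is a browser-inventory check rather than an exploit signature: legacy Edge (the EdgeHTML rendering engine with the Chakra JavaScript engine) stopped receiving security updates in March 2021, so its continued presence on a network is worth an alert even at Low risk. The block below is an added illustration written for these notes, not Forcepoint's fingerprint (whose matching logic the page does not show). It classifies request header lines by the token that separates legacy Edge (Edge/<major>.<build>, EdgeHTML 12 through 18) from Chromium-based Edge (Edg/, EdgA/ on Android, EdgiOS/ on iOS); the sample header lines are constructed. User-Agent is client-supplied and increasingly reduced or frozen by browsers, so treat a hit as a hygiene lead for endpoint follow-up, not as proof of what is running.

```python
import re

# Legacy (EdgeHTML/Chakra) Edge ends its User-Agent with "Edge/<major>.<build>",
# with major 12..18.  Chromium-based Edge (79 and later) uses "Edg/", and
# the mobile builds use "EdgA/" (Android) and "EdgiOS/" (iOS).
LEGACY_EDGE_RE = re.compile(r"\bEdge/(?P<major>\d+)\.(?P<build>\d+)")
CHROMIUM_EDGE_RE = re.compile(r"\bEdg(?:A|iOS)?/(?P<major>\d+)")
UA_HEADER_RE = re.compile(r"^User-Agent:\s*(?P<ua>.*)$", re.IGNORECASE)


def classify_user_agent(ua):
    """Return ("legacy-edge", major), ("chromium-edge", major) or ("other", None)."""
    m = LEGACY_EDGE_RE.search(ua)
    if m:
        return "legacy-edge", int(m.group("major"))
    m = CHROMIUM_EDGE_RE.search(ua)
    if m:
        return "chromium-edge", int(m.group("major"))
    return "other", None


def find_legacy_edge(header_lines):
    """Scan raw request header lines and report each legacy-Edge User-Agent.

    Only User-Agent lines are inspected; every other header line is ignored.
    Returns a list of (line_number, major_version, user_agent) tuples.
    """
    hits = []
    for lineno, line in enumerate(header_lines, start=1):
        m = UA_HEADER_RE.match(line.strip())
        if not m:
            continue
        kind, major = classify_user_agent(m.group("ua"))
        if kind == "legacy-edge":
            hits.append((lineno, major, m.group("ua")))
    return hits


# Constructed sample (assumption): header lines from three separate requests,
# one from legacy Edge 18, one from Chromium Edge 130, one from plain Chrome.
SAMPLE_HEADERS = [
    "Host: intranet.example.internal",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041",
    "Accept: text/html",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.2849.56",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
]

if __name__ == "__main__":
    for lineno, major, ua in find_legacy_edge(SAMPLE_HEADERS):
        print(f"line {lineno}: legacy Edge {major} -> {ua}")
```

The order of the two checks matters: a legacy UA also contains the substring "Edg", so the stricter Edge/<major>.<build> pattern has to be tried first, and the Chromium pattern is anchored on "Edg" followed directly by "/" (or the A/iOS suffix) so it cannot match the legacy token.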

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Ivanti-Endpoint-Manager-Getsqlstatement-SQL-Injection | CVE-2024-32845 | HTTP_CRL-Ivanti-Endpoint-Manager-Getsqlstatement-SQL-Injection | Suspected Compromise
High | Ivanti-Cloud-Services-Appliance-Command-Injection-CVE-2024-9380 | CVE-2024-9380 | HTTP_CRL-Ivanti-Cloud-Services-Appliance-Command-Injection-CVE-2024-9380 | Suspected Compromise
High | Wordpress-The-Events-Calendar-Plugin-Rsvp-Stored-Cross-Site-Scripting | CVE-2024-6931 | HTTP_CRL-Wordpress-The-Events-Calendar-Plugin-Rsvp-Stored-Cross-Site-Scripting | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | LightOpenCMS-Smarty.php-Local-File-Inclusion | CVE-2009-2223 | File-Text_LightOpenCMS-Smarty.php-Local-File-Inclusion | Suspected Compromise

Updated detected attacks:

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ivanti-Cloud-Services-Appliance-Command-Injection-CVE-2024-8190 | CVE-2024-8190 | HTTP_CRL-Ivanti-Cloud-Services-Appliance-Command-Injection-CVE-2024-8190 | Suspected Compromise | Description has changed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Malicious-VBScript-Execution | No CVE/CAN | File-Text_Malicious-VBScript-Execution | Potential Compromise | Detection mechanism updated
High | HTTP-Ie-Showhelp-Double-Colon-System-Compromise | CVE-2003-1041 | File-Text_Microsoft-Internet-Explorer-Showhelp-Double-Colon-System-Compromise | Potential Compromise | Fingerprint regexp changed

SYSTEM POLICY CHANGES

UPDATED POLICIES:
Name | Changes
Certification Policy

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | LightOpenCMS
Application | ChatGPT
Application | OpenAI
Element Ref | Application dependency from ChatGPT to OpenAI
Element Ref | Application dependency from OpenAI to Contentful

Updated objects:

Type | Name | Changes
Certificate Authority | EuropeanSSL High Assurance Server CA 2 | Marked for removal
Certificate Authority | EuropeanSSL Server CA 2 | Marked for removal
Certificate Authority | MarketWare Server CA 2 | Marked for removal
Certificate Authority | McAfee OV SSL CA 2 | Marked for removal
Situation | URL_List-DNS-Over-HTTPS | Detection mechanism updated
IPList | TOR exit nodes IP Address List
IPList | Amazon AMAZON
IPList | Amazon EC2
IPList | Facebook Servers
IPList | TOR relay nodes IP Address List
IPList | Apple Servers
IPList | Okta IP Address List
IPList | Botnet IP Address List
IPList | Malicious Site IP Address List
IPList | NordVPN Servers IP Address List
IPList | Amazon AMAZON eu-central-1
IPList | Amazon EC2 eu-central-1
IPList | Amazon AMAZON us-east-1
IPList | Forcepoint Drop IP Address List
Situation | Shared_CS-Reveton | Category tag situation Obsolete added; Category tag os Windows removed; Category tag hardware Any Hardware removed; Category tag os_not_specific Windows not specific removed; Category tag situation Botnet removed; Category tag group TCP Correlation Dependency Group removed; Category tag group Severity over 4 Correlation Dependency Group removed; Category tag group TCP Client Traffic removed
Situation | Shared_SS-Reveton | Category tag situation Obsolete added; Category tag os Windows removed; Category tag hardware Any Hardware removed; Category tag os_not_specific Windows not specific removed; Category tag situation Botnet removed; Category tag group TCP Correlation Dependency Group removed; Category tag group Severity over 4 Correlation Dependency Group removed; Category tag group TCP Server Traffic removed
Situation | HTTP_CSH-Shared-Variables
Situation | File-Name_Shared-Variables
Situation | Datalength-TCP_Reveton | Category tag situation Obsolete added; Category tag os Windows removed; Category tag hardware Any Hardware removed; Category tag os_not_specific Windows not specific removed; Category tag situation Botnet removed; Category tag group TCP Correlation Dependency Group removed; Category tag group Severity over 4 Correlation Dependency Group removed
Application | Facebook
Application | Apple
Application | TOR
Application | Apple-Infrastructure
Application | DNS-Over-HTTPS
Application | Apple-FaceTime
Application | NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.