Release notes for update package 1802-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Thursday November 21, 2024
MD5 CHECKSUM:     0a0d97a2ee9325a49c758d7ed1778bd9
SHA1 CHECKSUM:     a4f1b1c108a4140982711290d7bc33fbdb36eb00
SHA256 CHECKSUM:     b5cb90b0f32c1f398ae7a4260f69bf02209dd40453f9ef04ca6788ea7b1b25f9


UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in pyLoad detected | CVE-2024-39205 | pyLoad-RCE-With-js2py-Sandbox-Escape
High | An attempt to exploit a vulnerability in a Palo Alto appliance | CVE-2024-9474 | Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474
High | An attempt to exploit a vulnerability in a Palo Alto appliance | CVE-2024-0012 | Palo-Alto-SSLVPN-Authentication-Bypass
High | A malicious internet shortcut file was detected | No CVE/CAN | Malicious-Internet-Shortcut-File
Low | A possibly malicious internet shortcut file was detected | No CVE/CAN | Malicious-Internet-Shortcut-File
Low | A possibly malicious internet shortcut file was detected | No CVE/CAN | Malicious-Internet-Shortcut-File


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | pyLoad-RCE-With-js2py-Sandbox-Escape | CVE-2024-39205 | HTTP_CS-pyLoad-RCE-With-js2py-Sandbox-Escape | Suspected Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Palo-Alto-SSLVPN-Authentication-Bypass | CVE-2024-0012 | HTTP_CSH-Palo-Alto-SSLVPN-Authentication-Bypass | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 | CVE-2024-9474 | HTTP_CRL-Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
Low | Malicious-Internet-Shortcut-File | No CVE/CAN | File-Text_Possibly-Malicious-Internet-Shortcut-File | Other Suspicious Traffic

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Malicious-Internet-Shortcut-File | No CVE/CAN | File-TextId_Malicious-Internet-Shortcut-File | Spyware, Malware and Adware
Low | Malicious-Internet-Shortcut-File | No CVE/CAN | File-TextId_Possibly-Malicious-Internet-Shortcut-File | Other Suspicious Traffic

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Quest-NetVault-Backup-Multipart-Request-Part-Header-Stack-Buffer-Overflow | CVE-2018-1161 | HTTP_CS-Quest-NetVault-Backup-Multipart-Request-Part-Header-Stack-Buffer-Overflow | Potential Compromise | Category tag situation Potential Compromise added; Category tag situation Suspected Compromise removed; Fingerprint regexp changed

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ivanti-Avalanche-Wlavalancheservice.exe-Type-101-102-Null-Pointer-Dereference | CVE-2024-47007 | Generic_CS-Ivanti-Avalanche-Wlavalancheservice.exe-Type-101-102-Null-Pointer-Dereference | Suspected Compromise | Description has changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Junos-OS-J-Web-Arbitrary-File-Upload-CVE-2023-36846 | CVE-2023-36846 | HTTP_CRL-Junos-OS-J-Web-Arbitrary-File-Upload-PHP-External-Variable-Modification | Suspected Compromise | Name: HTTP_CRL-Junos-OS-J-Web-Arbitrary-File-Upload-CVE-2023-36846->HTTP_CRL-Junos-OS-J-Web-Arbitrary-File-Upload-PHP-External-Variable-Modification; Description has changed

SMB Client Header Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Windows-SMB-Denial-Of-Service-Vulnerability-CVE-2024-43642 | CVE-2024-43642 | SMB-TCP_CHS-Windows-SMB-Denial-Of-Service-Vulnerability-CVE-2024-43642 | Potential Compromise | Detection mechanism updated

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Malicious-Internet-Shortcut-File | No CVE/CAN | File-Text_Malicious-Internet-Shortcut-File | Spyware, Malware and Adware | Comment has changed; Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Palo Alto SSLVPN Appliance

Updated objects:

Type Name Changes
Situation File_Malware-MD5
    Detection mechanism updated
IPList Somalia
IPList Yemen
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Tanzania
IPList Armenia
IPList Kenya
IPList Uganda
IPList Seychelles
IPList Jordan
IPList Lebanon
IPList Oman
IPList Qatar
IPList Bahrain
IPList United Arab Emirates
IPList Israel
IPList Türkiye
IPList Egypt
IPList Greece
IPList Burundi
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Moldova
IPList Belarus
IPList Finland
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Zimbabwe
IPList Mauritius
IPList Eswatini
IPList Réunion
IPList South Africa
IPList Mayotte
IPList Afghanistan
IPList Pakistan
IPList Bangladesh
IPList Sri Lanka
IPList India
IPList Maldives
IPList Nepal
IPList Myanmar
IPList Uzbekistan
IPList Kazakhstan
IPList Kyrgyzstan
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Brunei
IPList Macao
IPList South Korea
IPList Japan
IPList Singapore
IPList Russia
IPList Mongolia
IPList Australia
IPList Christmas Island
IPList Papua New Guinea
IPList Vanuatu
IPList New Zealand
IPList Fiji
IPList Libya
IPList Cameroon
IPList Senegal
IPList Portugal
IPList Ivory Coast
IPList Nigeria
IPList Sierra Leone
IPList Niger
IPList Spain
IPList Morocco
IPList Denmark
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList The Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList France
IPList Andorra
IPList Jersey
IPList Guernsey
IPList Slovakia
IPList Czechia
IPList Norway
IPList Vatican City
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Bosnia and Herzegovina
IPList Barbados
IPList French Guiana
IPList Paraguay
IPList Brazil
IPList Jamaica
IPList Dominican Republic
IPList Martinique
IPList Bahamas
IPList Anguilla
IPList Trinidad and Tobago
IPList Antigua and Barbuda
IPList Turks and Caicos Islands
IPList Aruba
IPList Saint Martin
IPList Guadeloupe
IPList Belize
IPList El Salvador
IPList Guatemala
IPList Honduras
IPList Costa Rica
IPList Venezuela
IPList Colombia
IPList Argentina
IPList Chile
IPList Peru
IPList Mexico
IPList Northern Mariana Islands
IPList Guam
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList American Samoa
IPList Canada
IPList United States
IPList Serbia
IPList Antarctica
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon EC2
IPList Akamai Servers
IPList Microsoft Azure datacenter for australiaeast
IPList TOR relay nodes IP Address List
IPList Microsoft Azure datacenter for centralindia
IPList Microsoft Azure datacenter for eastus2euap
IPList Microsoft Azure datacenter for eastus2
IPList Microsoft Azure datacenter for eastus
IPList Microsoft Azure datacenter for southeastasia
IPList Microsoft Azure datacenter for westeurope
IPList Microsoft Azure datacenter for westus2
IPList Microsoft Azure datacenter
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList Microsoft Azure datacenter for malaysiasouth
IPList NordVPN Servers IP Address List
IPList Forcepoint Drop IP Address List
IPList Amazon AMAZON us-gov-west-1
IPList Amazon EC2 us-gov-west-1
IPList Microsoft Azure datacenter for uaenorth
IPList GitHub Actions IP Address List
IPList Microsoft Azure service for AzureCloud
IPList Microsoft Azure service for AzureCosmosDB
IPList Amazon AMAZON ap-southeast-7
IPList Microsoft Azure service for AzureResourceManager
IPList Microsoft Azure service for AzureTrafficManager
IPList Microsoft Azure service for DataFactory
IPList Microsoft Azure service for DataFactoryManagement
IPList Microsoft Azure datacenter for italynorth
IPList Microsoft Azure datacenter for newzealandnorth
IPList Microsoft Azure datacenter for polandcentral
IPList Microsoft Azure datacenter for spaincentral
Situation File-Text_Internet-Shortcut-File-Transfer
    Fingerprint regexp changed
Situation HTTP_CRL-Suspicious-Parameter-Value
    Fingerprint regexp changed
Situation HTTPS_CS-Apache-Ssl-DoS-With-Plain-HTTP-Request
    Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os OS X removed
    Category tag os Linux removed
    Category tag hardware Any Hardware removed
    Category tag application Apache removed
    Category tag group CVE2004 removed
    Category tag os_not_specific OS X not specific removed
    Category tag os_not_specific Linux not specific removed
    Category tag application_not_specific Apache not specific removed
    Category tag situation Potential Denial of Service removed
    Category tag group TCP Client Traffic removed
    Fingerprint regexp changed
Situation File-TextId_Internet-Shortcut-File-Transfer
    Fingerprint regexp changed
Application WhatsApp
    Application Port "udp/3480 tls: no" added
    Application Port "udp/3484 tls: no" added
Application Online-Certificate-Status-Protocol
    Application detection context content changed
Application Akamai-Infrastructure
Application TOR
Application Manoto
Application Certificate-Revocation-List-Service
    Application detection context content changed
Application NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.