Release notes for update package 1820-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Tuesday January 07, 2025
MD5 CHECKSUM:     8eae847d6815b88d008a4cb09b02bf91
SHA1 CHECKSUM:     562dfc8ff0b8f5ed92dd2d799ce965be86693599
SHA256 CHECKSUM:     499c183638396dffa5e5e6a4bdc745f69f57a7a8de8429b9d207d23b127cb1f0


UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in CyberPanel detected | CVE-2024-51568 | Cyberpanel-Remote-Code-Execution-Via-completePath-Parameter-CVE-2024-51568
High | An attempt to exploit a vulnerability in Jenkins detected | CVE-2024-47855 | Jenkins-Core-JSON-Lib-Denial-Of-Service
High | An attempt to exploit a vulnerability in Moodle detected | CVE-2024-43425 | Moodle-Calculated-Question-Types-Remote-Code-Execution-CVE-2024-43425
High | An attempt to exploit a vulnerability in Microsoft Windows Server detected | CVE-2024-38073 | Microsoft-Windows-Rdl-Service-Tlsrpcchallengeserver-Handling-Two-Vulnerabilities
High | An attempt to exploit a vulnerability in RoundCube Webmail detected | CVE-2023-43770 | Roundcube-Webmail-Linkref-Cross-Site-Scripting-CVE-2023-43770
Low | Request to a deprecated Airflow Experimental API detected | CVE-2020-13927 | Apache-Airflow-Experimental-API-Authentication-Bypass-CVE-2020-13927


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Jenkins-Core-JSON-Lib-Denial-Of-Service | CVE-2024-47855 | HTTP_CS-Jenkins-Core-JSON-Lib-Denial-Of-Service | Suspected Compromise

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
Low | Apache-Airflow-Experimental-API-Authentication-Bypass-CVE-2020-13927 | CVE-2020-13927 | HTTP_CSU-Apache-Airflow-Experimental-API-Request | Possibly Unwanted Content

MSRPC Client Payload Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Microsoft-Windows-Rdl-Service-Tlsrpcchallengeserver-Handling-Two-Vulnerabilities | CVE-2024-38073 | MSRPC-TCP_CPS-Microsoft-Windows-Rdl-Service-Tlsrpcchallengeserver-Handling-Two-Vulnerabilities | Suspected Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Cyberpanel-Remote-Code-Execution-Via-completePath-Parameter-CVE-2024-51568 | CVE-2024-51568 | HTTP_CRL-Cyberpanel-Remote-Code-Execution-Via-completePath-Parameter-CVE-2024-51568 | Suspected Compromise
High | Moodle-Calculated-Question-Types-Remote-Code-Execution-CVE-2024-43425 | CVE-2024-43425 | HTTP_CRL-Moodle-Calculated-Question-Types-Remote-Code-Execution-CVE-2024-43425 | Suspected Compromise

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Roundcube-Webmail-Linkref-Cross-Site-Scripting-CVE-2023-43770 | CVE-2023-43770 | File-Text_Roundcube-Webmail-Linkref-Cross-Site-Scripting-CVE-2023-43770 | Potential Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Cyberpanel-Remote-Code-Execution-CVE-2024-51567 | CVE-2024-51567 | HTTP_CS-Cyberpanel-Remote-Code-Execution-CVE-2024-51567 | Suspected Compromise | Fingerprint regexp changed

SMTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Dovecot-Rfc822_Parse_Domain-Out-Of-Bounds-Read | CVE-2017-14461 | SMTP_CS-Dovecot-Rfc822_Parse_Domain-Out-Of-Bounds-Read | Suspected Compromise | Fingerprint regexp changed
Critical | OpenSMTPD_Command-Injection_CVE-2020-7247 | CVE-2020-7247 | SMTP_CS-OpenSMTPD-Command-Injection-CVE-2020-7247 | Compromise | Name: SMTP_CS-OpenSMTPD_Command-Injection_CVE-2020-7247 -> SMTP_CS-OpenSMTPD-Command-Injection-CVE-2020-7247; Fingerprint regexp changed

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | NetGear-R7000-And-R6400-Cgi-Bin-Command-Injection | CVE-2016-6277 | HTTP_CSU-Cgi-Bin-Command-Injection | Suspected Compromise | Fingerprint regexp changed
High | D-Link-DSL-2750B-Command-Injection | CVE-2016-20017 | HTTP_CSU-D-Link-DSL-2750B-Command-Injection | Suspected Compromise | Fingerprint regexp changed
High | Ray-OS-Command-Injection-Via-Format-Parameter-CVE-2023-6019 | CVE-2023-6019 | HTTP_CSU-Ray-OS-Command-Injection-Via-Format-Parameter-CVE-2023-6019 | Suspected Compromise | Fingerprint regexp changed

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
Critical | HTTP-WWW-File-Share-Pro-Directory-Traversal | CVE-2004-0059 | HTTP_CSH-File-Name-Directory-Traversal | Compromise | Fingerprint regexp changed
High | D-Link-HNAP-SOAPAction-Header-Command-Execution | CVE-2015-2051 | HTTP_CSH-D-Link-HNAP-SOAPAction-Header-Command-Execution | Suspected Compromise | Fingerprint regexp changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Geutebruck-Multiple-RCE-CVE-2021-335xx | CVE-2021-33543 | HTTP_CRL-Geutebruck-Multiple-RCE-CVE-2021-335xx | Suspected Compromise | Fingerprint regexp changed
High | Roundcube-Webmail-RCE-Via-Config-Setting-CVE-2020-12641 | CVE-2020-12641 | HTTP_CRL-Roundcube-Webmail-ECE-Via-Config-Setting-CVE-2020-12641 | Suspected Compromise | Fingerprint regexp changed
High | LG-N1A1-NAS-Remote-Command-Execution-CVE-2018-14839 | CVE-2018-14839 | HTTP_CRL-LG-N1A1-NAS-Remote-Command-Execution-CVE-2018-14839 | Suspected Compromise | Fingerprint regexp changed
High | Sunhillo-Sureline-Command-Injection-CVE-2021-36380 | CVE-2021-36380 | HTTP_CRL-Sunhillo-Sureline-Command-Injection-CVE-2021-36380 | Suspected Compromise | Fingerprint regexp changed
High | Korenix-Jetwave-Command-Injection-CVE-2023-23294 | CVE-2023-23294 | HTTP_CRL-Korenix-Jetwave-Command-Injection-CVE-2023-23294 | Suspected Compromise | Fingerprint regexp changed
High | VMware-SD-WAN-Edge-Command-Injection-Vulnerability-CVE-2018-6961 | CVE-2018-6961 | HTTP_CRL-VMware-SD-WAN-Edge-Command-Injection-Vulnerability-CVE-2018-6961 | Suspected Compromise | Fingerprint regexp changed
High | Netgate-Pfsense-Command-Injection-CVE-2023-42326 | CVE-2023-42326 | HTTP_CRL-Netgate-Pfsense-Command-Injection-CVE-2023-42326 | Suspected Compromise | Fingerprint regexp changed
High | FXC-AE1021PE-Router-Command-Injection-CVE-2023-49897 | CVE-2023-49897 | HTTP_CRL-FXC-AE1021PE-Router-Command-Injection-CVE-2023-49897 | Suspected Compromise | Fingerprint regexp changed
High | LB-Link-Command-Injection-CVE-2023-26801 | CVE-2023-26801 | HTTP_CRL-LB-Link-Command-Injection-CVE-2023-26801 | Suspected Compromise | Fingerprint regexp changed
High | Avtech-IP-Camera-AVM1203-Command-Injection-CVE-2024-7029 | CVE-2024-7029 | HTTP_CRL-Avtech-IP-Camera-AVM1203-Command-Injection-CVE-2024-7029 | Suspected Compromise | Fingerprint regexp changed
High | Avtech-IP-Camera-Multiple-Command-Injection-Vulnerabilities | No CVE/CAN | HTTP_CRL-Avtech-IP-Camera-Multiple-Command-Injection-Vulnerabilities | Suspected Compromise | Fingerprint regexp changed
High | Palo-Alto-Expedition-OS-Command-Injection-CVE-2024-9464 | CVE-2024-9464 | HTTP_CRL-Palo-Alto-Expedition-OS-Command-Injection-CVE-2024-9464 | Suspected Compromise | Fingerprint regexp changed
High | VHD-PTZ-Camera-Firmware-Command-Injection-CVE-2024-8957 | CVE-2024-8957 | HTTP_CRL-VHD-PTZ-Camera-Firmware-Command-Injection-CVE-2024-8957 | Suspected Compromise | Fingerprint regexp changed
High | Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 | CVE-2024-9474 | HTTP_CRL-Palo-Alto-SSLVPN-Command-Execution-CVE-2024-9474 | Suspected Compromise | Fingerprint regexp changed
High | LibreNMS-Authenticated-Command-Injection-CVE-2024-51092 | CVE-2024-51092 | HTTP_CRL-LibreNMS-Authenticated-Command-Injection-CVE-2024-51092 | Suspected Compromise | Fingerprint regexp changed
High | Digiever-DS2105-Pro-Remote-Code-Execution | No CVE/CAN | HTTP_CRL-Digiever-DS2105-Pro-Remote-Code-Execution | Suspected Compromise | Fingerprint regexp changed
High | Teltonika-RUT9XX-Router-OS-Command-Injection-CVE-2018-17532 | CVE-2018-17532 | HTTP_CRL-Teltonika-RUT9XX-Router-OS-Command-Injection-CVE-2018-17532 | Suspected Compromise | Fingerprint regexp changed
High | Four-Faith-Routers-F3x24-F3x36-Remote-Command-Injection-CVE-2024-12856 | CVE-2024-12856 | HTTP_CRL-Four-Faith-Routers-F3x24-F3x36-Remote-Command-Injection-CVE-2024-12856 | Suspected Compromise | Fingerprint regexp changed
High | Ivanti-Connect-Secure-Authenticated-Crlf-Injection-CVE-2024-37404 | CVE-2024-37404 | HTTP_CRL-Ivanti-Connect-Secure-Authenticated-Crlf-Injection-CVE-2024-37404 | Suspected Compromise | Detection mechanism updated
High | D-Link-TRENDnet-NCC-Service-Command-Injection | CVE-2015-1187 | HTTP_CRL-D-Link-TRENDnet-NCC-Service-Command-Injection | Suspected Compromise | Fingerprint regexp changed
High | Pfsense-Post-Auth-Group-Member-Command-Execution | No CVE/CAN | HTTP_CRL-Pfsense-Post-Auth-Group-Member-Command-Execution | Suspected Compromise | Fingerprint regexp changed
High | PAN-OS-GlobalProtect-Remote-Code-Execution-CVE-2019-1579 | CVE-2019-1579 | HTTP_CRL-PAN-OS-GlobalProtect-Remote-Code-Execution-CVE-2019-1579 | Suspected Compromise | Fingerprint regexp changed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Suspicious-Jsp-File-Upload | No CVE/CAN | File-Text_Suspicious-Jsp-File-Upload | Suspected Compromise | Fingerprint regexp changed

LIST OF OTHER CHANGES:

Updated objects:

Type | Name | Changes
IPList | TOR exit nodes IP Address List |
IPList | Akamai Servers |
IPList | TOR relay nodes IP Address List |
IPList | Malicious Site IP Address List |
IPList | NordVPN Servers IP Address List |
Situation | HTTP_CSU-Shared-Variables |
Situation | HTTP_CS-Cyberpanel-Incorrect-Default-Permissions-Vulnerability | Description has changed; Attacker: connection_source -> none; Victim: connection_destination -> none; Category tag situation Obsolete added; Category tag os Any Operating System removed; Category tag hardware Any Hardware removed; Category tag application CyberPanel removed; Category tag group CVE2024 removed; Category tag os_not_specific Any Operating System not specific removed; Category tag situation Potential Compromise removed; Category tag group HTTP Correlation Dependency Group removed; Category tag group TCP Correlation Dependency Group removed; Category tag group Severity over 4 Correlation Dependency Group removed; Category tag group TCP Client Traffic removed
Situation | HTTP_CS-Shared-Variables-For-Client-Stream-Context | Fingerprint regexp changed
Situation | E-Mail_HCS-Shared-Variables | Fingerprint regexp changed
Situation | File-Text_Shared-Variables | Fingerprint regexp changed
Application | Akamai-Infrastructure |
Application | TOR |
Application | Manoto |
Application | NordVPN |

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.