FireEye Red Team Tool Countermeasures by Imperva WAF

By Christopher Detzel posted 12-10-2020 16:16


On December 8th 2020 FireEye
shared details about a cyber attack it experienced to help to protect the community. These details include a prioritized list of CVEs that should be addressed to limit the effectiveness of Fireye’s Red Team tools. The threat research group examined the list and found that all of the web application CVEs are protected by Imperva WAF. 


WAF Protection

CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0

Generic path traversal rules

CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8

Generic path traversal rules

CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8

Dedicated rules

CVE-2019-0604 – RCE for Microsoft Sharepoint - CVSS 9.8

Dedicated rules

CVE-2019-11580 - Atlassian Crowd Remote Code Execution - CVSS 9.8

Dedicated rules*

CVE-2019-19781 – RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8

Dedicated rules

CVE-2020-10189 – RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8

Generic java deserialization rules

CVE-2019-3398 – Confluence Authenticated Remote Code Execution - CVSS 8.8

Generic path traversal rules

CVE-2020-0688 – Remote Command Execution in Microsoft Exchange - CVSS 8.8

Generic java deserialization rules

CVE-2019-8394 – arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5

Dedicated rules


Imperva threat research group will continue to monitor any new development and update the WAF if necessary.

*On-premise WAF customers should reach out to Imperva support to manually activate a security policy




12-14-2020 20:46


12-11-2020 09:51

@Nikhil Chodankar that is correct. Imperva's Cloud WAF is protecting by default. ​

12-10-2020 22:57

Hi @Christopher Detzel so Incapsula is protecting against these by default right, no need to create separate custom rules for these?​