CVE-2024-1509

CVE-2024-1509 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting the Brocade ASCG Web Interface in versions prior to 3.2.0. The issue stems from the web interface not enforcing HTTP Strict Transport Security (HSTS) as defined by RFC 6797. HSTS is an optional response header that instructs browsers to communicate only via HTTPS, and its absence exposes the interface to risks such as protocol downgrades and weakened security controls.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. A network-based adversary positioned for man-in-the-middle (MITM) attacks can perform SSL-stripping to downgrade HTTPS connections to HTTP, enabling traffic interception. This also facilitates downgrade attacks and reduces protections against cookie hijacking, potentially leading to high confidentiality and integrity impacts such as unauthorized access to sensitive data or session takeover.

The Broadcom security advisory recommends upgrading to Brocade ASCG version 3.2.0 or later to mitigate the vulnerability by enabling proper HSTS enforcement. Additional details are available in the advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25428. The issue is associated with CWE-523 (Insufficiently Protected Credentials).