CVE-2024-1509

Name of the Vulnerable Software and Affected Versions Brocade ASCG versions prior to 3.2.0

Description The issue concerns the lack of HTTP Strict Transport Security (HSTS) enforcement in the web interface, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The absence of HSTS allows for downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Recommendations For Brocade ASCG versions prior to 3.2.0, update to version 3.2.0 or later to enforce HSTS and mitigate the risk of downgrade attacks and SSL-stripping man-in-the-middle attacks. As a temporary workaround, consider configuring the server to instruct the browser to only communicate via HTTPS until a patch is available.