Broadcom RAID Controller web interface is vulnerable due to insecure defaults of lacking HTTP strict-transport-security policy
CVE-2023-4342

9.8CRITICAL

Key Information:

Vendor: Broadcom
Status: Lsi Storage Authority (lsa); Raid Web Console 3 (rwc3)
Vendor: CVE Published:; 15 August 2023

Summary

The Broadcom RAID Controller web interface exhibits a vulnerability due to insecure default configurations. It lacks an HTTP strict-transport-security policy, which can expose it to various security risks. This oversight can potentially allow attackers to intercept data or perform man-in-the-middle attacks. Users are advised to review their configurations and implement recommended security practices to safeguard their systems.

Affected Version(s)

LSI Storage Authority (LSA) 0

RAID Web Console 3 (RWC3) 0 < 7.017.011.000

References

https://www.broadcom.com/support/resources/product-securi...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 15, 2023
Vulnerability Reserved
Aug 14, 2023

Credit

Intel DCG