CVE-2024-31905 is a medium severity vulnerability affecting IBM QRadar Network Packet Capture version 7.5. The issue arises from the failure to properly enable HTTP Strict Transport Security (HSTS), a security mechanism that enforces the use of HTTPS connections and prevents downgrade attacks and cookie hijacking. Without HSTS, the application allows HTTP connections that transmit sensitive information in cleartext over the network. This flaw enables a remote attacker to perform man-in-the-middle (MitM) attacks, intercepting and capturing sensitive data exchanged between clients and the QRadar Network Packet Capture system. The vulnerability is classified under CWE-319, which pertains to the cleartext transmission of sensitive information. The CVSS v3.1 base score is 5.9, reflecting a medium severity level, with an attack vector of network (remote), high attack complexity, no privileges required, and no user interaction needed. The impact primarily affects confidentiality, as sensitive data can be exposed, but does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability emphasizes the importance of enforcing secure transport protocols and proper security headers to protect sensitive network monitoring data from interception.

For European organizations using IBM QRadar Network Packet Capture 7.5, this vulnerability poses a significant risk to the confidentiality of sensitive network traffic data. QRadar is widely used for security monitoring and incident response, often handling critical security logs and packet captures that may contain personally identifiable information (PII), intellectual property, or other sensitive operational data. Exposure of such data through MitM attacks could lead to information leakage, regulatory non-compliance (e.g., GDPR violations), and potential reputational damage. Since the vulnerability does not require authentication or user interaction, attackers can exploit it remotely if they can position themselves on the network path, such as within compromised internal networks or through malicious Wi-Fi access points. This risk is heightened in environments with insufficient network segmentation or where encrypted channels are not strictly enforced. The vulnerability does not impact system integrity or availability directly but undermines trust in the confidentiality of security monitoring infrastructure, which could indirectly affect incident detection and response capabilities.

European organizations should immediately verify whether they are running IBM QRadar Network Packet Capture version 7.5 and assess exposure to this vulnerability. Specific mitigation steps include: 1) Enforce HTTPS-only access to the QRadar Network Packet Capture interface by enabling HTTP Strict Transport Security (HSTS) headers correctly in the web server configuration. 2) Restrict network access to the QRadar management interfaces to trusted, internal networks and use VPNs or secure tunnels for remote access. 3) Implement network segmentation and monitoring to detect and prevent MitM attack vectors within the corporate network. 4) Regularly audit and update QRadar deployments to the latest versions once IBM releases patches or security updates addressing this vulnerability. 5) Employ TLS inspection and certificate pinning where feasible to ensure encrypted traffic integrity. 6) Educate security teams about the risks of cleartext transmission and monitor network traffic for suspicious activities indicative of MitM attempts. These targeted actions go beyond generic advice by focusing on configuration hardening, network controls, and proactive monitoring specific to this vulnerability.