FortiSwitch rest_admin account exposed under specific conditions

Summary

During an upgrade to version 3.4.1, a FortiSwitch device may let an attacker log in the rest_admin account without a password, if all the conditions below are met:
 
* The FortiSwitch device is in FortiLink managed mode (not the default mode)
* The FortiSwitch device does not have a management FortiGate, or is not authorized on its management FortiGate, or cannot reach its management FortiGate (network connectivity issue)
* The FortiSwicth device was updated to 3.4.1
* The FortiSwitch device was rebooted at least a second time after having been upgraded
 
Note that as soon as a connection between the FortiSwitch and its management FortiGate is established/authorized, the issue is not present.
 
Note that the issue persists if the device is downgraded after having been upgraded to 3.4.1 (under the conditions above).

Affected Products

The following FortiSwitch models may be affected, after an upgrade to 3.4.1:
 
FSW-108D-POE,FSW-124D,FSW-124D-POE
FSW-224D-POE,FSW-224D-FPOE,FSW-248D-POE,FSW-248D-FPOE
FSW-424D,FSW-424D-POE,FSW-424D-FPOE,FSW-448D,FSW-448D-POE,FSW-448D-FPOE
FSW-524D,FSW-524D-FPOE,FSW-548D,FSW-548D-FPOE
FSW-1024D,FSW-1048D
FSW-3032D
FSW-R-112D-POE

Solutions

* FortiSwitch 3.4.1 must be upgraded to 3.4.2.
 
Note: For Customers that have no formal support contract and require access to updated firmware, please contact Customer Services at cs@fortinet.com in the first instance.

Acknowledgement

Fortinet is pleased to thanks Emma Ferguson of The Missing Link Security for reporting a FortiSwitch vulnerability under responsible disclosure.

References

• https://www.themissinglink.com.au/security/advisories/cve-2016-4573