FortiSwitch rest_admin account exposed under specific conditions
Summary
Following an upgrade to version 3.4.1, a FortiSwitch device may let an attacker
log in to the rest_admin account without a password, if all of the conditions
below are met:

* The FortiSwitch device is in FortiLink managed mode (not the default mode)
* The FortiSwitch device does not have a management FortiGate, is not
authorized on its management FortiGate, or cannot reach its management
FortiGate (network connectivity issue)
* The FortiSwitch device was upgraded to 3.4.1
* The FortiSwitch device was rebooted at least a second time after having been
upgraded

Note that as soon as a connection between the FortiSwitch and its management
FortiGate is established and authorized, the issue is no longer present.

Note that downgrading does not remove the issue: a device that was upgraded to
3.4.1 and then downgraded remains affected (under the conditions above).
Affected Products
The following FortiSwitch models may be affected, after an upgrade to 3.4.1:

FSW-108D-POE, FSW-124D, FSW-124D-POE
FSW-224D-POE, FSW-224D-FPOE, FSW-248D-POE, FSW-248D-FPOE
FSW-424D, FSW-424D-POE, FSW-424D-FPOE, FSW-448D, FSW-448D-POE, FSW-448D-FPOE
FSW-524D, FSW-524D-FPOE, FSW-548D, FSW-548D-FPOE
FSW-1024D, FSW-1048D
FSW-3032D
FSW-R-112D-POE
Solutions
* FortiSwitch 3.4.1 must be upgraded to 3.4.2.

Note: Customers without a formal support contract who require access to
updated firmware should contact Customer Services at cs@fortinet.com in the
first instance.
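The conditions above combine in a way that is easy to misjudge across a fleet (a downgraded switch is still affected, an authorized switch is only safe while its FortiGate link holds). The following triage helper is an added example written for this page; it is not Fortinet code and uses no Fortinet API. The SwitchRecord field set is an assumption: values would be filled in from each switch's status output and from the managing FortiGate. The sample inventory is constructed.

```python
"""Fleet triage against the FortiSwitch rest_admin advisory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Models the advisory lists as potentially affected after an upgrade to 3.4.1.
AFFECTED_MODELS = frozenset({
    "FSW-108D-POE", "FSW-124D", "FSW-124D-POE",
    "FSW-224D-POE", "FSW-224D-FPOE", "FSW-248D-POE", "FSW-248D-FPOE",
    "FSW-424D", "FSW-424D-POE", "FSW-424D-FPOE",
    "FSW-448D", "FSW-448D-POE", "FSW-448D-FPOE",
    "FSW-524D", "FSW-524D-FPOE", "FSW-548D", "FSW-548D-FPOE",
    "FSW-1024D", "FSW-1048D",
    "FSW-3032D",
    "FSW-R-112D-POE",
})

VULNERABLE_VERSION = (3, 4, 1)
FIXED_VERSION = (3, 4, 2)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce 'v3.4.1', '3.4.1' or 'v3.4.1,build...' to (major, minor, patch)."""
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass
class SwitchRecord:
    """Inventory entry. The field set is an assumption made for this example."""
    name: str
    model: str
    version_history: List[str]   # oldest first; last entry is the running version
    fortilink_managed: bool      # FortiLink managed mode (not the default)
    fortigate_authorized: bool   # has a FortiGate, is authorized on it, can reach it
    reboots_since_upgrade: int   # reboots after the upgrade to 3.4.1


def assess(rec: SwitchRecord) -> Tuple[str, str]:
    """Classify one switch. Status is one of:
    'exposed'     all four advisory conditions hold
    'at-risk'     ran 3.4.1 in FortiLink mode; becomes exposed if the FortiGate
                  link is lost or unauthorized and the switch reboots again
    'remediated'  running 3.4.2 or later
    'unaffected'  not a listed model, never ran 3.4.1, or not FortiLink managed
    """
    current = parse_version(rec.version_history[-1])
    ran_vulnerable = any(parse_version(v) == VULNERABLE_VERSION
                         for v in rec.version_history)
    if rec.model not in AFFECTED_MODELS:
        return "unaffected", "model not in the advisory's list"
    if not ran_vulnerable:
        return "unaffected", "never ran 3.4.1"
    if current >= FIXED_VERSION:
        return "remediated", f"running {rec.version_history[-1]}"
    # Still on 3.4.1, or downgraded from it: the advisory says the issue persists
    # after a downgrade, so version history (not the running version) decides.
    if not rec.fortilink_managed:
        return "unaffected", "standalone mode, not FortiLink managed"
    if rec.fortigate_authorized:
        return "at-risk", "FortiGate link established and authorized; still upgrade to 3.4.2"
    if rec.reboots_since_upgrade < 2:
        return "at-risk", "fewer than two reboots since the upgrade"
    return "exposed", "all advisory conditions met; upgrade to 3.4.2 immediately"


def triage(records: List[SwitchRecord]) -> Dict[str, str]:
    """Map switch name to status for a whole inventory."""
    return {r.name: assess(r)[0] for r in records}


def needs_upgrade(records: List[SwitchRecord]) -> List[str]:
    """Names of switches that must move to 3.4.2 (exposed first, then at-risk)."""
    ranked = sorted(records, key=lambda r: assess(r)[0] != "exposed")
    return [r.name for r in ranked if assess(r)[0] in ("exposed", "at-risk")]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    SwitchRecord("sw-core-1", "FSW-448D-FPOE", ["3.4.0", "3.4.1"], True, False, 2),
    SwitchRecord("sw-edge-2", "FSW-124D", ["3.4.1", "3.4.0"], True, False, 3),  # downgraded
    SwitchRecord("sw-edge-3", "FSW-224D-POE", ["3.4.0", "3.4.1"], True, True, 5),
    SwitchRecord("sw-lab-4", "FSW-524D", ["3.4.0", "3.4.1"], False, False, 4),
    SwitchRecord("sw-dc-5", "FSW-1048D", ["3.4.1", "3.4.2"], True, False, 2),
    SwitchRecord("sw-dc-6", "FSW-108D-POE", ["3.4.0"], True, False, 0),
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        status, reason = assess(rec)
        print(f"{rec.name:10} {status:11} {reason}")
    print("upgrade order:", needs_upgrade(SAMPLE_INVENTORY))
```

The point of keying on version history rather than the running version is the downgrade note in the Summary: sw-edge-2 is back on 3.4.0 and is still classified as exposed. A switch that is currently authorized on its FortiGate (sw-edge-3) is not exposed at this moment but stays on the upgrade list, because a connectivity loss followed by a reboot would satisfy the conditions again.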
Acknowledgement
Fortinet is pleased to thank Emma Ferguson of The Missing Link Security for reporting this FortiSwitch vulnerability under responsible disclosure.