FortiSwitch rest_admin account exposed under specific conditions


During an upgrade to version 3.4.1, a FortiSwitch device may let an attacker log in to the rest_admin account without a password, if all the conditions below are met:
* The FortiSwitch device is in FortiLink managed mode (not the default mode)
* The FortiSwitch device does not have a management FortiGate, or is not authorized on its management FortiGate, or cannot reach its management FortiGate (network connectivity issue)
* The FortiSwitch device was upgraded to 3.4.1
* The FortiSwitch device was rebooted at least a second time after having been upgraded
Note that as soon as a connection between the FortiSwitch and its management FortiGate is established/authorized, the issue is not present.
Note that the issue persists if the device is downgraded after having been upgraded to 3.4.1 (under the conditions above).

Affected Products

The following FortiSwitch models may be affected, after an upgrade to 3.4.1:


* FortiSwitch 3.4.1 must be upgraded to 3.4.2.
Note: For customers that have no formal support contract and require access to updated firmware, please contact Customer Services at in the first instance.


Fortinet is pleased to thank Emma Ferguson of The Missing Link Security for reporting this FortiSwitch vulnerability under responsible disclosure.