FortiSwitch rest_admin account exposed under specific conditions Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-16-011 Final 1 1 2016-07-11T00:00:00 Current version 2016-07-11T00:00:00 2016-07-11T00:00:00 During an upgrade to version 3.4.1, a FortiSwitch device may let an attacker log in the rest_admin account without a password, if all the conditions below are met:  * The FortiSwitch device is in FortiLink managed mode (not the default mode) * The FortiSwitch device does not have a management FortiGate, or is not authorized on its management FortiGate, or cannot reach its management FortiGate (network connectivity issue) * The FortiSwicth device was updated to 3.4.1 * The FortiSwitch device was rebooted at least a second time after having been upgraded Note that as soon as a connection between the FortiSwitch and its management FortiGate is established/authorized, the issue is not present.  Note that the issue persists if the device is downgraded after having been upgraded to 3.4.1 (under the conditions above). Remote administrative access The following FortiSwitch models may be affected, after an upgrade to 3.4.1:  FSW-108D-POE,FSW-124D,FSW-124D-POE FSW-224D-POE,FSW-224D-FPOE,FSW-248D-POE,FSW-248D-FPOE FSW-424D,FSW-424D-POE,FSW-424D-FPOE,FSW-448D,FSW-448D-POE,FSW-448D-FPOE FSW-524D,FSW-524D-FPOE,FSW-548D,FSW-548D-FPOE FSW-1024D,FSW-1048D FSW-3032D FSW-R-112D-POE * FortiSwitch 3.4.1 must be upgraded to 3.4.2.  Note: For Customers that have no formal support contract and require access to updated firmware, please contact Customer Services at cs@fortinet.com in the first instance. https://fortiguard.fortinet.com/psirt/FG-IR-16-011 FortiSwitch rest_admin account exposed under specific conditions https://www.themissinglink.com.au/security/advisories/cve-2016-4573 https://www.themissinglink.com.au/security/advisories/cve-2016-4573 Fortinet is pleased to thanks Emma Ferguson of The Missing Link Security for reporting a FortiSwitch vulnerability under responsible disclosure. CVE-2016-4573 https://fortiguard.fortinet.com/psirt/FG-IR-16-011 FortiSwitch rest_admin account exposed under specific conditions Reference> https://www.themissinglink.com.au/security/advisories/cve-2016-4573 https://www.themissinglink.com.au/security/advisories/cve-2016-4573