CVE-2016-4573 in FortiSwitch FSW
Summary
by MITRE
Fortinet FortiSwitch FSW-108D-POE, FSW-124D, FSW-124D-POE, FSW-224D-POE, FSW-224D-FPOE, FSW-248D-POE, FSW-248D-FPOE, FSW-424D, FSW-424D-POE, FSW-424D-FPOE, FSW-448D, FSW-448D-POE, FSW-448D-FPOE, FSW-524D, FSW-524D-FPOE, FSW-548D, FSW-548D-FPOE, FSW-1024D, FSW-1048D, FSW-3032D, and FSW-R-112D-POE models, when in FortiLink managed mode and upgraded to 3.4.1, might allow remote attackers to bypass authentication and gain administrative access via an empty password for the rest_admin account.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/13/2019
The vulnerability identified as CVE-2016-4573 affects a range of Fortinet FortiSwitch network devices including models such as FSW-108D-POE, FSW-124D, FSW-224D-POE, and numerous others within the FortiSwitch product line. These devices operate in FortiLink managed mode and become vulnerable when upgraded to firmware version 3.4.1. The flaw represents a critical authentication bypass vulnerability that could allow remote attackers to gain full administrative privileges on affected network infrastructure. This vulnerability specifically targets the rest_admin account, which serves as a critical administrative interface for managing the switch operations through REST API calls.
The technical implementation of this vulnerability stems from improper validation of authentication credentials within the device's management interface. When the affected FortiSwitch models are configured in FortiLink managed mode and updated to version 3.4.1, the system fails to properly enforce password requirements for the rest_admin account. This creates a condition where an attacker can authenticate using an empty password, effectively bypassing the normal authentication mechanisms that should require valid credentials. The vulnerability exists in the authentication subsystem that handles REST API requests, allowing unauthorized access to administrative functions through the network interface.
The operational impact of this vulnerability is severe and far-reaching for organizations relying on FortiSwitch devices for network infrastructure management. Remote attackers who can reach the affected devices over the network can gain complete administrative control without needing legitimate credentials, potentially leading to full network compromise. This vulnerability undermines the fundamental security posture of the network infrastructure, as it allows attackers to modify switch configurations, access network traffic, implement man-in-the-middle attacks, and potentially establish persistent access points within the network. The impact extends beyond individual device compromise to affect entire network segments that depend on these switches for connectivity and security enforcement.
Organizations should immediately implement mitigation strategies including disabling unused network interfaces, restricting network access to management ports through firewall rules, and applying the latest firmware updates from Fortinet that address this specific vulnerability. The recommended remediation involves upgrading to firmware versions that properly validate authentication credentials for the rest_admin account and implement proper password requirements. Network segmentation should be implemented to isolate management interfaces from general network traffic, and access controls should be configured to limit administrative access to trusted networks only. This vulnerability aligns with CWE-287, which addresses improper authentication issues, and represents a significant concern under ATT&CK technique T1078 for valid accounts and T1566 for phishing attacks that could leverage such authentication bypasses. The vulnerability also demonstrates the importance of proper credential management and the risks associated with default or empty credentials in network infrastructure devices.