CVE-2020-24033

Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in fs.com S3900 24T4S switch firmware versions 1.7.0 and earlier. The web interface does not implement any anti-CSRF token or authentication mechanism for form submissions, allowing attackers to craft malicious requests [1][2].

Exploitation

An attacker can trick an authenticated administrator into visiting a malicious page containing a crafted form that submits a request to the switch's web interface (e.g., adding a new user with full privileges). The attacker needs to know the target's IP and lure the admin; no other authentication is required as the session cookies are automatically sent [1][2].

Impact

Successful exploitation allows an attacker to perform any action the administrator can, including creating new users with escalated privileges, deleting existing users, and modifying all settings. This effectively gives full control over the device [1][2].

Mitigation

Upgrade to firmware version 1.7.1 or later, which presumably includes CSRF protections. As of the advisory date, no workarounds are documented for unpatched versions [1][2].