CVE-2023-43118
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in Chalet, the built-in web management application of Extreme Networks Switch Engine (EXOS), allows an attacker to execute arbitrary code through the switch's /jsonrpc API. Affected builds are EXOS before 31.7.2 and 32.x before 32.5.1.5; the vendor fix ships in 31.7.2 and 32.5.1.5. An attacker who lures an administrator with an active Chalet session onto a malicious page can have that browser submit JSON-RPC calls in the administrator's session, compromising the switch and, from there, the network it serves.
💻 Affected Systems
- Extreme Networks Switch Engine (EXOS)
📦 What is this software?
Switch Engine (EXOS) by Extreme Networks is the network operating system on Extreme's switching platforms. Chalet is its built-in web management UI, and /jsonrpc is the JSON-RPC management API served by the same web service, which accepts management commands with the privileges of the authenticated session.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network switches leading to network disruption, data interception, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Unauthorized configuration changes, service disruption, credential theft, and installation of malicious scripts on affected switches.
If Mitigated
Limited impact when management interfaces are reachable only from a dedicated administration network and administrators do not browse untrusted sites while logged into Chalet: a forged request still needs an authenticated browser session to ride on.
🎯 Exploit Status
Exploitation requires the attacker to get an administrator who is logged into Chalet to load attacker-controlled web content, for example by following a link or viewing a page with an embedded request. The victim's browser then submits the forged request to /jsonrpc with the session's credentials attached. Because the JSON-RPC API executes management commands with that session's privileges, the outcome is code execution on the switch rather than a cosmetic UI action. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 31.7.2 or 32.5.1.5
Vendor Advisory: https://extreme-networks.my.site.com/ExtrArticleDetail?an=000114379
Restart Required: Yes
Instructions:
1. Identify the running train with 'show version' and download the matching fixed build from the Extreme Networks support portal: 31.7.2 (or later) for the 31.x train, 32.5.1.5 (or later) for 32.x; switches on earlier trains move to 31.7.2 or later.
2. Save the running configuration and copy it off the switch.
3. Upload and install the new image via CLI or web interface (into the inactive image partition on platforms that keep two).
4. Reboot the switch.
5. Verify the running version after the upgrade with 'show version'.
🔧 Temporary Workarounds
Disable Chalet Application
If web management is not required, turn off the EXOS web service that hosts Chalet and the /jsonrpc API. HTTP and HTTPS are controlled separately, so disable both; note that this also removes JSON-RPC access for any automation that depends on it:
disable web http
disable web https
Restrict API Access
Restrict which source networks can reach the switch's HTTPS management service. Chalet and /jsonrpc share that service, so a network ACL cannot single out the API path; it can only limit who reaches port 443. The example below is an EXOS dynamic ACL that permits HTTPS from a management subnet (10.10.0.0/24 is a placeholder) and drops other HTTPS traffic on front-panel ports. Check the syntax against the ACL documentation for your release, and protect an out-of-band Mgmt port at the upstream firewall instead:
create access-list ALLOW_MGMT_HTTPS "source-address 10.10.0.0/24; protocol tcp; destination-port 443;" "permit"
create access-list BLOCK_HTTPS "protocol tcp; destination-port 443;" "deny"
configure access-list add ALLOW_MGMT_HTTPS first any
configure access-list add BLOCK_HTTPS last any
Caveat: a source-address ACL does not stop CSRF on its own, because the forged request is sent by the administrator's own browser from an allowed address. It reduces direct exposure of the API and limits where a successful CSRF can originate; it must be paired with keeping administrator browsers away from untrusted content while logged in.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate management interfaces from untrusted networks
- Treat administrator browsers as part of the attack surface: use a dedicated browser profile or host for switch management, do not browse other sites while logged into Chalet, and log out instead of leaving sessions open. CSRF tokens and SameSite cookie attributes are part of the vendor's fix inside the web application and cannot be added by the operator.
🔍 How to Verify
Check if Vulnerable:
Check the running EXOS version with 'show version'; the 'Image' line reports the build. Releases before 31.7.2 (including the 30.x and earlier trains) and 32.x builds before 32.5.1.5 are vulnerable. 31.7.2 and later on the 31.x train, and 32.5.1.5 and later on the 32.x train, are fixed.
Check Version:
show version | include version
Verify Fix Applied:
After patching, confirm that 'show version' reports 31.7.2 or later on the 31.x train, or 32.5.1.5 or later on the 32.x train. As a functional check, with an administrator logged into Chalet, a JSON-RPC request submitted from a page on an unrelated origin should be rejected rather than executed.
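The version check above has two traps: the 31.x and 32.x trains have different fixed builds, and a naive string comparison gets 31.7.10 and 31.7.2 the wrong way round. The script below is an added example, not part of the original page or of any Extreme Networks tooling. It parses the 'Image' line out of constructed 'show version' output (the sample is made up, not captured from a switch), compares the build as a tuple of integers against the first fixed build of its train, and treats anything older than 31.x as vulnerable and anything newer than 32.x as fixed. Accepting "Switch Engine" as an alternative to "ExtremeXOS" in the version line is an assumption for newer branding.

```python
import re
from typing import Optional, Tuple

# First fixed build per release train, per the vendor advisory for CVE-2023-43118.
# Trains older than 31.x have no fixed build of their own and are treated as vulnerable;
# trains newer than 32.x ship after the fix.
FIRST_FIXED = {31: (31, 7, 2), 32: (32, 5, 1, 5)}

# The 'Image' line of 'show version' reads like "Image   : ExtremeXOS version 31.7.1.4 ...".
# Matching "Switch Engine" too is an assumption for rebranded builds.
VERSION_RE = re.compile(r"(?:ExtremeXOS|Switch Engine) version (\d+(?:\.\d+)+)")

# Constructed sample output (not a capture from a real switch).
SAMPLE_SHOW_VERSION = """\
Switch      : 800663-00-04 1234N-56789 Rev 4.0 BootROM: 1.0.3.4    IMG: 31.7.1.4
Image   : ExtremeXOS version 31.7.1.4 31.7.1.4 by release-manager
          on Mon Jan 1 00:00:00 EST 2024
BootROM : 1.0.3.4
"""


def parse_version(show_version_output: str) -> Optional[Tuple[int, ...]]:
    """Return the running build as a tuple of ints, or None if no version line is found."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the build predates the first fixed build of its train."""
    major = version[0]
    if major < 31:
        return True
    if major in FIRST_FIXED:
        # Tuple comparison is elementwise, so (31,7,1,9) < (31,7,2) and (31,7,2,1) >= (31,7,2).
        return version < FIRST_FIXED[major]
    return False


def assess(show_version_output: str) -> str:
    """One-line verdict suitable for a fleet inventory script."""
    version = parse_version(show_version_output)
    if version is None:
        return "unknown: no version line found"
    label = ".".join(map(str, version))
    if is_vulnerable(version):
        # Trains without their own fixed build are pointed at the 31.x fix.
        target = FIRST_FIXED.get(version[0], FIRST_FIXED[31])
        return f"vulnerable: {label} (upgrade to {'.'.join(map(str, target))} or later)"
    return f"fixed: {label}"


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION))
```

Feed it the output of 'show version' collected over SSH from each switch; the verdict string is deliberately stable so it can be grepped across a fleet.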
📡 Detection & Monitoring
Log Indicators:
- JSON-RPC or web-session configuration commands that the named administrator did not knowingly issue; CSRF rides on a legitimate session, so the user and source address look normal and the tell is the action, not the credentials
- Configuration changes, new accounts, or uploaded scripts with no matching change record or interactive login around the same time
- Web management activity outside maintenance windows
Network Indicators:
- HTTP POST requests to /jsonrpc endpoint from external IPs
- Unusual traffic patterns to switch management interfaces
SIEM Query:
source="switch_logs" AND uri_path="/jsonrpc" AND (NOT src_ip IN (<management subnet>) OR NOT user IN (<admins with an open change>))
(Illustrative pseudo-query: field names depend on your log pipeline, and the placeholders in angle brackets must be filled in. Do not search for the string "CSRF"; the switch does not log the attack as such.)