Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-9195

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages. Affected products include FortiClient for Windows 6.0.6 and below, FortiOS 6.0.7 and below, FortiClient for Mac OS 6.2.1 and below.

Published

2019-11-21T15:15:12.477

Last Modified

2024-11-21T04:15:09.337

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-798

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	fortinet	forticlient	≤ 6.0.6	Yes
Application	fortinet	forticlient	≤ 6.2.1	Yes
Operating System	fortinet	fortios	≤ 6.0.6	Yes

References

https://fortiguard.com/advisory/FG-IR-18-100 Third Party Advisory ([email protected])
https://fortiguard.com/advisory/FG-IR-18-100 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)