CVE-2018-9195

CWE-798 — Hard-coded Credentials4 documents4 sources

Severity

5.9MEDIUM

EPSS

0.3%

top 46.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Forticlient Fortinet Fortios Fortinet Forticlient FOR MAC OS +1 more

Timeline

PublishedNov 21

Latest updateMay 24

Description

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages. Affected products include FortiClient for Windows 6.0.6 and below, FortiOS 6.0.7 and below, FortiClient for Mac OS 6.2.1 and below.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5fortinet/forticlient_for_windowsFortiClient for Windows 6.0.6 and below

▶NVDfortinet/fortios6.0.6

▶NVDfortinet/forticlient6.0.6+1

▶CVEListV5fortinet/fortiosFortiOS 6.0.7 and below

▶CVEListV5fortinet/forticlient_for_mac_osFortiClient for Mac OS 6.2.1 and below

🔴Vulnerability Details

GHSA

GHSA-grw5-hmpf-442m: Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eave↗2022-05-24

▶

CVEList

CVE-2018-9195: Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eave↗2019-11-21

▶

📋Vendor Advisories

Fortinet

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle wit...↗2019-11-21

▶