CVE-2018-9192
First published: Wed Sep 05 2018(Updated: )
A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FortiOS | >=5.4.6<=5.4.9 | |
| FortiOS | =6.0.0 | |
| FortiOS | =6.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-9192?
CVE-2018-9192 has a high severity rating due to the potential for plaintext recovery of encrypted messages.
How do I fix CVE-2018-9192?
To fix CVE-2018-9192, upgrade Fortinet FortiOS to a version beyond 6.0.1 or 5.4.9.
Which versions of Fortinet FortiOS are affected by CVE-2018-9192?
CVE-2018-9192 affects Fortinet FortiOS versions 5.4.6 to 5.4.9, as well as versions 6.0.0 and 6.0.1.
What type of attack does CVE-2018-9192 enable?
CVE-2018-9192 enables plaintext recovery of encrypted messages and allows for Man-in-the-middle (MiTM) attacks.
Is FortiOS SSL Deep Inspection feature related to CVE-2018-9192?
Yes, the vulnerability in CVE-2018-9192 is specifically associated with the SSL Deep Inspection feature of FortiOS.
- agent/type
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/fortinet
- canonical/fortios
- version/fortios/5.4.6
- version/fortios/5.4.9
- version/fortios/6.0.0
- version/fortios/6.0.1