Published: 21/11/2019 Updated: 04/05/2020

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages. Affected products include FortiClient for Windows 6.0.6 and below, FortiOS 6.0.7 and below, FortiClient for Mac OS 6.2.1 and below.

Vulnerable Product	Search on Vulmon	Subscribe to Product
fortinet forticlient
fortinet fortios

Fortinet products, including FortiGate and Forticlient, regularly send information to Fortinet servers using XOR "encryption" with a static key Versions affected include FortiOS versions 606 and below, FortiClientWindows versions 606 and below, and FortiClientMac versions 621 and below ...

Full Disclosure mailing list archives   By Date By Thread </form>    Re: SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products  < ...

CWE-798 https://fortiguard.com/advisory/FG-IR-18-100 https://nvd.nist.gov https://packetstormsecurity.com/files/155463/FortiOS-6.0.6-FortiClientWindows-6.0.6-FortiClientMac-6.2.1-XOR-Encryption.html

CVE-2018-9195

Vulnerability Summary

Vulnerability Trend

Exploits

Mailing Lists

References

Vulmon Search

About

Products

Connect