CVE-2018-9194

Published: Sep 5, 2018Modified: Nov 21, 2024

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used.

Affected (3)

Products: Fortinet: Fortios

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 5.4.6 to 5.4.9
Fortinet Fortios	Version 6.0.0
Fortinet Fortios	Version 6.0.1

Related CWEs

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (6)

https://fortiguard.com/advisory/FG-IR-17-302

Source: psirt@fortinet.com

Vendor Advisory

https://robotattack.org/

Source: psirt@fortinet.com

Third Party Advisory

https://www.kb.cert.org/vuls/id/144389

Source: psirt@fortinet.com

Third Party AdvisoryUS Government Resource

https://fortiguard.com/advisory/FG-IR-17-302

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://robotattack.org/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.kb.cert.org/vuls/id/144389

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.