CVE-2018-9192

Name of the Vulnerable Software and Affected Versions: FortiOS versions 5.4.6 through 5.4.9 FortiOS versions 6.0.0 through 6.0.1

Description: A potential issue exists where an attacker could recover plaintext from encrypted messages or perform a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption without needing the server's private key. This issue arises under the SSL Deep Inspection feature when CPx is being used, potentially allowing a remote attacker to decrypt messages without knowledge of the secret key and perform a MiTM attack.

Recommendations: For FortiOS versions 5.4.6 through 5.4.9, consider disabling the SSL Deep Inspection feature until a patch is available. For FortiOS versions 6.0.0 through 6.0.1, consider disabling the SSL Deep Inspection feature until a patch is available. As a temporary workaround, restrict the use of the CPx feature to minimize the risk of exploitation.