PT-2019-6278 · Fortinet · Forticlient, Fortios

Published: 2019-11-21 · Updated: 2020-05-04 · CVE-2018-9195

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

FortiClient for Windows versions 6.0.6 and below
FortiOS versions 6.0.7 and below
FortiClient for Mac OS versions 6.2.1 and below

Description

The issue is the use of a hardcoded cryptographic key in the FortiGuard services communication protocol. A man-in-the-middle attacker who knows the key can decrypt these messages, and therefore eavesdrop on and modify information sent to and received from FortiGuard servers. The affected services are the URL/SPAM services in FortiOS 5.6, the URL/SPAM/AV services in FortiOS 6.0, and URL rating in FortiClient.

Recommendations

For FortiClient for Windows versions 6.0.6 and below, consider disabling the FortiGuard services until a patch is available.
For FortiOS versions 6.0.7 and below, restrict access to the URL/SPAM/AV services to minimize the risk of exploitation.
For FortiClient for Mac OS versions 6.2.1 and below, avoid using the URL rating service in FortiClient until the issue is resolved.
As a temporary workaround, consider disabling the FortiGuard communication protocol until a patch is available.

Fix

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

BDU:2022-06542
CVE-2018-9195

Affected Products

Forticlient
Fortios