Vulnerability Details : CVE-2018-9192
A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used.
Products affected by CVE-2018-9192
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-9192
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 30 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-9192
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.2
|
3.6
|
NIST |
CWE ids for CVE-2018-9192
-
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-9192
-
https://www.kb.cert.org/vuls/id/144389
VU#144389 - TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 paddingThird Party Advisory;US Government Resource
-
https://robotattack.org/
The ROBOT Attack - Return of Bleichenbacher's Oracle ThreatThird Party Advisory
-
https://fortiguard.com/advisory/FG-IR-17-302
The ROBOT Attack - Return of Bleichenbacher's Oracle Threat | FortiGuardVendor Advisory
Jump to