3rd party component upgrade required for security reasons: FortiGuard XOR Encryption Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-100 Final 1 1 2019-12-05T00:00:00 Current version 2019-12-05T00:00:00 2019-12-05T00:00:00 Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard servers by decrypting these messages. Information disclosure All versions below FortiOS 6.0.8All versions below FortiOS 5.6.12All versions below FortiClientWindows 6.2.0All versions below FortiClientMac 6.2.2 Upgrade to FortiOS 6.0.8 and upper version or 5.6.12 then manually change the configuration to use TLS as communication protocol with FortiGuard servers after upgrade (see https://docs.fortinet.com/document/fortigate/6.0.8/fortios-release-notes/901852/fortiguard-protocol-and-port-number) or do a fresh install to get the new default which is the TLS based system.For AV communication exposure on FortiOS 6.0 and above; the only impact is if outbreak protection is enabled in the antivirus profile settings. This is the only part of AV which makes a real-time FortiGuard request.Upgrade to FortiClientWindows 6.2.0 or FortiClientMac 6.2.2 then change EMS configuration in the Endpoint Profile to use "FortiGuard Anycast". The new option is provided for Web Filter tab, as well as System Settings tab. Fortinet is pleased to thank Stefan Viehböck - SEC Consult Vulnerability Lab for reporting this under responsible disclosure. CVE-2018-9195 6.2 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-100 3rd party component upgrade required for security reasons: FortiGuard XOR Encryption Reference>