Headline
CVE-2023-47536: FortiGuard
An improper access control vulnerability [CWE-284] in FortiOS version 7.2.0, version 7.0.13 and below, version 6.4.14 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below may allow a remote unauthenticated attacker to bypass the firewall deny geolocalisation policy by timing the bypass to coincide with a GeoIP database update.
FortiOS & FortiProxy - Firewall deny policy bypass
Summary
An improper access control vulnerability [CWE-284] in FortiOS and FortiProxy may allow a remote unauthenticated attacker to bypass the firewall deny geolocalisation policy by timing the bypass to coincide with a GeoIP database update.
Version          Affected               Solution
FortiOS 7.4      Not Affected           Not Applicable
FortiOS 7.2      7.2.0                  Upgrade to 7.2.1 or above
FortiOS 7.0      7.0 all versions       Migrate to a fixed release
FortiOS 6.4      6.4 all versions       Migrate to a fixed release
FortiProxy 7.4   Not Affected           Not Applicable
FortiProxy 7.2   7.2.0 through 7.2.3    Upgrade to 7.2.4 or above
FortiProxy 7.0   7.0.0 through 7.0.9    Upgrade to 7.0.10 or above
FortiProxy 2.0   2.0.0 through 2.0.12   Upgrade to 2.0.13 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
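The following is an added example, not Fortinet's code or tooling, showing how to turn the version table above into an inventory check. The affected ranges are transcribed from the table as published; the branch layout, the function names (parse_version, assess, triage) and the sample inventory are assumptions constructed for this illustration. Branches the advisory does not mention are reported as "not listed" rather than clean, since the advisory makes no statement about them.

```python
"""Assess FortiOS / FortiProxy versions against the affected ranges published
for CVE-2023-47536 (FortiOS & FortiProxy firewall deny policy bypass).

Added example; not Fortinet's code. The ranges below are transcribed from the
advisory's version table; the inventory at the bottom is constructed sample data.
"""

# Key: (product, major.minor branch). Value: None when the advisory lists the
# branch as Not Affected; otherwise (lowest affected, highest affected, fixed
# release). highest/fixed are None where the advisory says "all versions /
# Migrate to a fixed release".
ADVISORY = {
    ("FortiOS", (7, 4)): None,
    ("FortiOS", (7, 2)): ((7, 2, 0), (7, 2, 0), (7, 2, 1)),
    ("FortiOS", (7, 0)): ((7, 0, 0), None, None),
    ("FortiOS", (6, 4)): ((6, 4, 0), None, None),
    ("FortiProxy", (7, 4)): None,
    ("FortiProxy", (7, 2)): ((7, 2, 0), (7, 2, 3), (7, 2, 4)),
    ("FortiProxy", (7, 0)): ((7, 0, 0), (7, 0, 9), (7, 0, 10)),
    ("FortiProxy", (2, 0)): ((2, 0, 0), (2, 0, 12), (2, 0, 13)),
}

_NOT_LISTED = object()  # sentinel: branch absent from the advisory table


def parse_version(text):
    """Parse 'v7.0.13' / '7.0.13' into an integer tuple; reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product, version):
    """Return (status, advice) for one device.

    status is one of 'affected', 'not affected', 'not listed'.
    """
    v = parse_version(version)
    entry = ADVISORY.get((product, v[:2]), _NOT_LISTED)
    if entry is _NOT_LISTED:
        # Branches the advisory does not mention are not cleared by it;
        # they need a separate check, so do not report them as clean.
        return ("not listed", "branch not covered by this advisory; verify with the vendor")
    if entry is None:
        return ("not affected", "no action required")
    low, high, fixed = entry
    if high is None:
        # Whole branch affected and no fixed build on that branch.
        return ("affected", "migrate to a fixed release")
    if low <= v <= high:
        return ("affected", "upgrade to %s or above" % ".".join(map(str, fixed)))
    return ("not affected", "already at or above the fixed release")


def triage(inventory):
    """Run assess() over (hostname, product, version) rows; return rows needing action."""
    findings = []
    for host, product, version in inventory:
        status, advice = assess(product, version)
        if status != "not affected":
            findings.append((host, status, advice))
    return findings


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.2.0"),
    ("fw-edge-02", "FortiOS", "7.2.5"),
    ("fw-dc-01", "FortiOS", "7.0.13"),
    ("proxy-01", "FortiProxy", "7.0.9"),
    ("proxy-02", "FortiProxy", "7.0.10"),
    ("fw-legacy", "FortiOS", "6.2.16"),
]

if __name__ == "__main__":
    for host, status, advice in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:13} {advice}")
```

Running the script lists every sample host that is either inside an affected range or on a branch the advisory does not cover; hosts at or above the fixed release, or on a branch marked Not Affected, are omitted. Version comparison is done on integer tuples so that 7.0.10 sorts after 7.0.9, which a plain string comparison would get wrong.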
Timeline
2023-12-11: Initial publication