CVE-2023-47536: Firewall deny policy bypass
First published: Tue Dec 12 2023(Updated: )
An improper access control vulnerability [CWE-284] in FortiOS and FortiProxy may allow a remote unauthenticated attacker to bypass the firewall deny geolocalisation policy via timing the bypass with a GeoIP database update.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiOS IPS Engine | =. | |
| Fortinet FortiOS IPS Engine | >=7.0 | |
| Fortinet FortiOS IPS Engine | >=6.4 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.3 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.9 | |
| Fortinet FortiProxy | >=2.0.0<=2.0.12 | |
| Fortinet FortiProxy | >=2.0.0<=2.0.12 | |
| Fortinet FortiProxy | >=7.0.0<=7.0.9 | |
| Fortinet FortiProxy | >=7.2.0<=7.2.3 | |
| Fortinet FortiOS IPS Engine | >=6.4.0<=6.4.14 | |
| Fortinet FortiOS IPS Engine | >=7.0.0<=7.0.13 | |
| Fortinet FortiOS IPS Engine | =7.2.0 |
Remedy
Please upgrade to FortiOS version 7.4.0 or above Please upgrade to FortiOS version 7.2.1 or above Please upgrade to FortiProxy version 7.4.0 or above Please upgrade to FortiProxy version 7.2.4 or above Please upgrade to FortiProxy version 7.0.10 or above Please upgrade to FortiProxy version 2.0.13 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-47536?
CVE-2023-47536 is classified as a high severity vulnerability due to its potential for unauthorized access.
How do I fix CVE-2023-47536?
To mitigate CVE-2023-47536, upgrade FortiOS to version 7.2.1 or higher, or FortiProxy to version 7.2.4 or higher.
Which Fortinet products are affected by CVE-2023-47536?
CVE-2023-47536 affects FortiOS versions 6.4.0 through 6.4.14, 7.0.0 through 7.0.13, and 7.2.0 through 7.2.3, as well as FortiProxy versions 2.0.0 through 2.0.12, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3.
Can CVE-2023-47536 be exploited remotely?
Yes, CVE-2023-47536 can be exploited by a remote unauthenticated attacker.
What kind of attack does CVE-2023-47536 facilitate?
CVE-2023-47536 allows attackers to bypass the firewall deny geolocation policy.
- agent/type
- agent/remedy
- agent/weakness
- agent/author
- agent/first-publish-date
- agent/references
- agent/severity
- agent/description
- agent/softwarecombine
- agent/title
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2023-47536
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/fortiguard-psirt
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/fortinet
- canonical/fortinet fortios ips engine
- version/fortinet fortios ips engine/.
- version/fortinet fortios ips engine/7.0
- version/fortinet fortios ips engine/6.4
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/7.2.0
- version/fortinet fortiproxy/7.2.3
- version/fortinet fortiproxy/7.0.0
- version/fortinet fortiproxy/7.0.9
- version/fortinet fortiproxy/2.0.0
- version/fortinet fortiproxy/2.0.12
- version/fortinet fortios ips engine/6.4.0
- version/fortinet fortios ips engine/6.4.14
- version/fortinet fortios ips engine/7.0.0
- version/fortinet fortios ips engine/7.0.13
- version/fortinet fortios ips engine/7.2.0