CVE-2023-47536: 
FortiOS vulnerability analysis and mitigation

An improper access control vulnerability (CVE-2023-47536) was identified in FortiOS and FortiProxy systems. The vulnerability was discovered and initially published on December 11, 2023. It affects multiple versions of FortiOS (7.2.0, 7.0.x, and 6.4.x) and FortiProxy (versions 7.2.0-7.2.3, 7.0.0-7.0.9, and 2.0.0-2.0.12) (Fortiguard Advisory).

The vulnerability is classified as CWE-284 (Improper Access Control) and received a CVSS v3.1 base score of 5.3 (MEDIUM) from NIST NVD, while Fortinet assigned it a lower score of 3.1 (LOW). The vulnerability specifically involves the firewall deny geolocalisation policy mechanism, where the security control can be bypassed by timing the attempt with a GeoIP database update (NVD, Fortiguard Advisory).

If exploited, this vulnerability allows a remote unauthenticated attacker to bypass the firewall deny geolocalisation policy. This could potentially enable access to resources that should be restricted based on geographic location (Fortiguard Advisory).

Fortinet has released fixes for affected versions. FortiOS users should upgrade to version 7.2.1 or above if running 7.2.0, while those running 7.0.x or 6.4.x should migrate to a fixed release. FortiProxy users should upgrade to version 7.2.4 or above (for 7.2.x), 7.0.10 or above (for 7.0.x), or 2.0.13 or above (for 2.0.x) (Fortiguard Advisory).