
Security Engineer Details Vulnerabilities in Palo Alto’s GlobalProtect VPN
The video presents a Black Hat talk by security engineer Alex, who details multiple vulnerabilities in Palo Alto’s GlobalProtect VPN, a remote access solution used by enterprises. The research uncovered flaws including DNS spoofing to bypass split-tunnel configurations, IPC (inter-process communication) manipulation to force VPN disconnections, and privilege escalation via environment variable exploitation on macOS and Linux. The DNS spoofing attack, demonstrated in April 2023, remains unpatched, as Palo Alto does not consider it a vulnerability in the macOS client. Other issues, such as forged IPC messages and a SUID bit misconfiguration leading to root access, were reported and initially patched ineffectively, though later fixes were deployed. The talk highlights design flaws like misplaced trust in user-space processes and insecure IPC encryption, emphasizing that security tools themselves can expand attack surfaces. Palo Alto’s advisories later confirmed some vulnerabilities affected Windows and Linux, despite initial macOS-focused testing. Key takeaways stress that security software must avoid overprivileged execution and that architectural fixes—not just patches—are needed for fundamental flaws.
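The environment-variable and SUID findings above belong to a well-known class: a privileged helper that inherits the caller's environment can be steered by loader-control variables or a caller-chosen PATH. The following is an added example illustrating the hardening pattern for that class; it is not code from the talk or from Palo Alto's client, and the allowlist, the fixed PATH value, and the function names (build_safe_env, run_privileged_helper) are assumptions for this example. It constructs a fresh environment for a privileged child that keeps only allowlisted names, forces a fixed PATH, and refuses to launch anything that is not an absolute path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Names a privileged helper may inherit from its caller. Everything else,
 * in particular loader-control variables such as LD_PRELOAD / LD_LIBRARY_PATH
 * on Linux and DYLD_* on macOS, is dropped. This allowlist is an assumption
 * for the example, not any vendor's policy. */
static const char *const ALLOWED[] = { "TZ", "LANG", NULL };

/* Fixed PATH so the helper never searches caller-controlled directories. */
#define SAFE_PATH "PATH=/usr/bin:/bin"

/* Local copy helper (avoids relying on strdup feature-test macros). */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* 1 if `entry` ("NAME=value") has an allowlisted NAME. */
static int name_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;                      /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i]; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(ALLOWED[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a fresh NULL-terminated environment from `inherited`, keeping only
 * allowlisted variables and prepending a fixed PATH. Caller frees with free_env(). */
char **build_safe_env(char *const inherited[]) {
    size_t count = 0;
    while (inherited[count]) count++;
    char **out = calloc(count + 2, sizeof *out);   /* room for PATH and NULL */
    if (!out) return NULL;
    size_t k = 0;
    out[k++] = dup_str(SAFE_PATH);
    for (size_t i = 0; i < count; i++)
        if (name_allowed(inherited[i]))
            out[k++] = dup_str(inherited[i]);
    out[k] = NULL;
    return out;
}

void free_env(char **env) {
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

/* 1 if `env` contains a variable with exactly this name. */
int env_has(char *const env[], const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=') return 1;
    return 0;
}

size_t env_len(char *const env[]) {
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

/* Launch a helper by absolute path with the sanitized environment.
 * Returns -1 on refusal or exec failure; on success execve does not return. */
int run_privileged_helper(const char *abs_path, char *const argv[],
                          char *const inherited[]) {
    if (!abs_path || abs_path[0] != '/') return -1;   /* no PATH lookup, ever */
    char **env = build_safe_env(inherited);
    if (!env) return -1;
    execve(abs_path, argv, env);
    free_env(env);
    return -1;
}

int main(void) {
    /* Constructed sample environment a hostile local caller might present. */
    char *inherited[] = { "PATH=/tmp/evil:/usr/bin", "LD_PRELOAD=/tmp/hook.so",
                          "DYLD_INSERT_LIBRARIES=/tmp/hook.dylib", "TZ=UTC",
                          "HOME=/home/user", NULL };
    char **env = build_safe_env(inherited);
    for (size_t i = 0; env && env[i]; i++) printf("%s\n", env[i]);
    free_env(env);
    return 0;
}
```

The same pattern is the intended counterpart to the talk's takeaway on overprivileged execution: a helper that must run as root should start from an empty, allowlisted environment rather than trying to blocklist known-dangerous variables, since the blocklist has to be updated every time a loader or runtime adds one.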