Thursday, 5 March 2026

Black Hat USA 2025 | Use and Abuse of Palo Alto's Remote Access Solution

Palo Alto Networks' GlobalProtect is a widely adopted remote access solution used by major organisations worldwide — but how robust is it? Is it designed following secure development principles? Is it possible that this highly-privileged agent, typically installed on all user endpoints, could actually be a source of vulnerability? In this talk, I will introduce and discuss the research that led to the discovery of several security vulnerabilities that could be used to bypass the VPN or escalate privileges on macOS and Linux endpoints with GlobalProtect installed. As well as providing technical details and practical demonstration of the vulnerabilities, I'll provide an overview of how the GlobalProtect client works and consider its design from the security engineer's perspective. I'll explore fundamental design decisions whose overlooked risks directly contributed to the discovered vulnerabilities.

By: Alex Bourla | Security Engineer and Researcher, Graham Brereton | Senior Software Engineer, Form3

Presentation Materials Available at: https://ift.tt/w0StFJf

source https://www.youtube.com/watch?v=6IGmNLs4tk8
