Palo Alto Networks GlobalProtect App
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:macos:*:*, +1 more
- < 6.3.2-566
- < 6.3.3-h1
- < 6.2.8-h2
A vulnerability has been identified in the Palo Alto Networks GlobalProtect app, specifically within the Endpoint Traffic Policy Enforcement feature. This vulnerability allows certain packets to remain unencrypted, instead of being properly secured within the tunnel. An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal conditions, the GlobalProtect app automatically recovers from this interception within one minute.
Exploitation of this vulnerability allows an attacker to capture the unencrypted packets and potentially misuse them.
Upgrade the GlobalProtect app to version 6.3.2-566 or later on Windows and macOS. Users on version 6.2 should also upgrade to 6.3.2-566 or later; a new hotfix for 6.2.8 is planned for June 2025. After upgrading, ensure that 'Endpoint Traffic Policy Enforcement' is set to 'All Traffic' under the GlobalProtect App Configurations. If using the GlobalProtect Portal, enable 'Allow Gateway Access from GlobalProtect Only'.