Use and Abuse of Palo Alto's Remote Access Solution

Black Hat USA 2025 · Day 1 · Briefings

Security researcher Alex uncovered multiple vulnerabilities in Palo Alto's GlobalProtect VPN client on macOS and Linux — including DNS-spoofing-based tunnel bypasses, forged IPC message attacks, and a local privilege escalation chain — revealing that the product's architecture places critical security decisions in an unprivileged process where attackers already operate. Most vulnerabilities have since been patched, but the underlying design flaws persist, and one DNS spoofing bypass remains unpatched by vendor choice.

AI review

A meticulous dissection of a widely deployed security product from someone who clearly reverse-engineered every layer before opening their mouth. The DNS spoofing bypass that Palo Alto refuses to fix is the most damning finding, but the fail-open IPC logic and OPENSSL_CONF root escalation chain are what elevates this from bug report to design critique.