Black Hat USA 2025 | Use and Abuse of Palo Alto's Remote Access Solution

The presentation examined Palo Alto’s GlobalProtect remote‑access solution, focusing on its split‑tunnel feature that lets administrators whitelist domains such as *.zoom.us to bypass the VPN. The speaker, a security engineer with pentesting background, demonstrated how the feature intertwines DNS resolution with IP‑level routing, creating a surface for abuse.

By directing a compromised DNS server to return a malicious IP for a whitelisted domain, an attacker can force traffic to exit the corporate tunnel unnoticed. The demo showed a low‑privilege shell issuing DNS queries for a fake sub‑domain, receiving the attacker‑controlled address, and then reaching Dropbox for data exfiltration. The route persisted in cache for about a minute, illustrating a practical bypass.

Further analysis revealed that GlobalProtect’s inter‑process communication encrypts messages with a static IV and a key derived from a login‑keychain entry on macOS—or hard‑coded on Linux—offering little protection against a privileged user. By manipulating the process‑path check (using LSOF redirection or a short binary name), the researchers could replay a disconnect command and force the VPN to drop, allowing unrestricted internet access. Linux’s implementation resisted these tricks, highlighting platform‑specific disparities.

The findings underscore a design flaw: reliance on unauthenticated DNS and fragile validation logic that fails open. Enterprises using GlobalProtect should consider DNSSEC, stricter split‑tunnel policies, and deeper monitoring of outbound traffic, while Palo Alto must redesign the feature to enforce secure defaults and robust IPC authentication.