Palo Alto Networks Security Advisories / PAN-SA-2025-0005

PAN-SA-2025-0005 GlobalProtect Clientless VPN: Same-Origin Policy Does Not Apply When Using Clientless VPN

Severity: Informational
Published: 2025-02-12
Updated: 2025-02-12
Discovered: externally

Description

Palo Alto Networks GlobalProtect Clientless VPN is intended to provide secure remote access to trusted internal applications. It is not meant to provide access to the Internet, to an intranet, or to multiple websites.

When Clientless VPN is misconfigured to allow access to the Internet or to more than one internal website, the browser's Same-Origin Policy no longer separates those sites, because the portal serves every proxied application from its own origin. Malicious script on one site can then read sensitive information from, or modify the content of, any other application reachable through the VPN, including the Clientless VPN portal itself.

For further details about the risks of Clientless VPNs, refer to https://www.kb.cert.org/vuls/id/261869

Product Status

Required Configuration for Exposure

All of the following must be true to be impacted by this issue:

1. You have a valid GlobalProtect Subscription license.

2. Clientless VPN is enabled in the GlobalProtect Portal configuration.
   Browse to Network > GlobalProtect > Portals and click on the Portal configuration to open it. Select the Clientless VPN tab > General. If the Clientless VPN checkbox is checked, the feature is enabled. Take note of the "Security Zones" configured there for the next step.

3. Security Policies allow Clientless VPN access to more than one internal or external application.
   Using the "Security Zones" noted in the previous step, verify the existing Security Policies for Clientless VPN. In our example, the zone is named "Clientless-VPN". Go to Policies > Security. In the search bar, type the "Security Zones" name found above (Clientless-VPN in our example) to list the Security Policies for Clientless VPN and check whether any of them allow access to more than one trusted site.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Workarounds and Mitigations

The Clientless VPN feature only ensures secure remote access to a single trusted application. Ensure that Clientless VPN access is limited by Security Policies to a single trusted site. Refer to the Configure Clientless VPN page for additional details.

Because the Same-Origin Policy is not enforced between applications accessed through Clientless VPN, we strongly recommend configuring access only to trusted pages. Clientless VPN should never be used to allow access to the Internet or to an intranet. If you need to secure access to untrusted websites, please consider the following alternatives:

Timeline

2025-02-12 Initial Publication
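The "Required Configuration for Exposure" steps above are a manual check in the PAN-OS web UI. The script below is an added example, not Palo Alto Networks code, that applies the same condition to an exported configuration: it collects every allow rule whose source zone is the Clientless VPN zone and reports whether more than one destination is reachable. The XML fragments are constructed samples modelled on the rulebase/security/rules/entry layout of a PAN-OS running-config export; that layout, the zone name "Clientless-VPN" and the hostnames are assumptions for the demonstration. A destination of "any" (or a negated destination) is treated as already covering more than one site, which is the case the advisory calls out as Internet or intranet access.

```python
"""Audit an exported PAN-OS security rulebase for Clientless VPN over-exposure.

Added example, not Palo Alto Networks code. It automates the check described
under "Required Configuration for Exposure": find security rules that allow
traffic from the Clientless VPN zone and report whether more than one site is
reachable. The XML below is a constructed fragment modelled on a PAN-OS
running-config export (rulebase/security/rules/entry); the element layout and
the zone name "Clientless-VPN" are assumptions for the demonstration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the exposed configuration the advisory warns about
# (one rule to a single app, one rule to the whole Internet, one deny).
EXPOSED_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="clientless-to-hr-portal">
    <from><member>Clientless-VPN</member></from>
    <to><member>trust</member></to>
    <source><member>any</member></source>
    <destination><member>hr-portal.example.internal</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <action>allow</action>
  </entry>
  <entry name="clientless-to-internet">
    <from><member>Clientless-VPN</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <action>allow</action>
  </entry>
  <entry name="deny-clientless-rest">
    <from><member>Clientless-VPN</member></from>
    <to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <action>deny</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

# Constructed sample: the recommended shape, a single trusted application.
HARDENED_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="clientless-to-hr-portal">
    <from><member>Clientless-VPN</member></from>
    <to><member>trust</member></to>
    <source><member>any</member></source>
    <destination><member>hr-portal.example.internal</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <action>allow</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""


def members(entry, tag):
    """Collect the <member> values of a rule field such as from/to/destination."""
    return [m.text.strip() for m in entry.findall(f"./{tag}/member") if m.text]


def clientless_allow_rules(config_xml, zone):
    """Yield (name, destinations, negated) for each allow rule whose source
    zone is `zone` (or the wildcard 'any')."""
    root = ET.fromstring(config_xml)
    for entry in root.findall(".//rulebase/security/rules/entry"):
        if (entry.findtext("action") or "").strip() != "allow":
            continue
        src_zones = members(entry, "from")
        if zone not in src_zones and "any" not in src_zones:
            continue
        negated = (entry.findtext("negate-destination") or "").strip() == "yes"
        yield entry.get("name"), members(entry, "destination"), negated


def audit_clientless_vpn(config_xml, zone="Clientless-VPN"):
    """Apply the advisory's condition: exposed when more than one site is reachable.

    A destination of 'any', or a negated destination, already covers more than
    one site, so such a rule is reported as exposed on its own."""
    names, destinations, wildcard = [], set(), []
    for name, dests, negated in clientless_allow_rules(config_xml, zone):
        names.append(name)
        if negated or "any" in dests:
            wildcard.append(name)
        destinations.update(d for d in dests if d != "any")
    return {
        "zone": zone,
        "allow_rules": names,
        "destinations": sorted(destinations),
        "wildcard_rules": wildcard,
        "exposed": bool(wildcard) or len(destinations) > 1,
    }


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_clientless_vpn(cfg))
```

Run it against a real export by replacing the constructed strings with the contents of the XML file; rules in a Panorama pre-rulebase or post-rulebase live under a different parent element, so the XPath would need widening for those. The check is deliberately conservative: a single allow rule with `any` as the destination is enough to be reported, because one such rule is exactly the Internet or intranet exposure the advisory says Clientless VPN must never be used for.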