Palo Alto 安全中心 前天 00:13
CVE-2025-4227 GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement (Severity: LOW)
index_new5.html
../../../zaker_core/zaker_tpl_static/wap/tpl_guoji1.html

 

Palo Alto Networks GlobalProtect App存在访问控制漏洞,可能导致数据包未加密。攻击者可在物理访问网络后,注入恶意设备拦截数据包。受影响的包括Windows和macOS端点,且“Endpoint Traffic Policy Enforcement”功能已启用。虽然GlobalProtect App可在1分钟内自动恢复,但仍需采取措施修复。本文提供了详细的修复建议,包括升级GlobalProtect App版本、配置设置等。

🛡️ 漏洞成因:GlobalProtect App的Endpoint Traffic Policy Enforcement功能存在访问控制问题,导致特定数据包在隧道内未能正确加密。

⚠️ 攻击方式:拥有物理访问权限的攻击者可以注入恶意设备,拦截未加密的数据包,从而窃取敏感信息。

✅ 影响范围:该漏洞影响启用了“Endpoint Traffic Policy Enforcement”的Windows和macOS端点。请检查您的GlobalProtect App配置以确认是否受到影响。

💡 缓解措施:Palo Alto Networks建议用户升级到不受影响的GlobalProtect App版本,并确保在GlobalProtect App配置中将“Endpoint Traffic Policy Enforcement”设置为“All Traffic”。

🔑 增强安全:在GlobalProtect门户中启用“Allow Gateway Access from GlobalProtect Only”选项,并确保Content版本为8977或更高版本。此设置必须与GlobalProtect App配置中的“Endpoint Traffic Policy Enforcement”功能结合使用。

An improper access control vulnerability in the Endpoint Traffic Policy Enforcement feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.

An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.

This issue affects Windows and macOS endpoints with "Endpoint Traffic Policy Enforcement" enabled. To verify if you have Endpoint Traffic Policy Enforcement enabled:

Palo Alto Networks is not aware of any malicious exploitation of this issue.

1. Upgrade the GlobalProtect App to one of the unaffected versions:

2. Ensure that "Endpoint Traffic Policy Enforcement" is set to “All Traffic” under the GlobalProtect App Configurations.

3. GlobalProtect Portal: Enable "Allow Gateway Access from GlobalProtect Only" (Requires Content version 8977 or newer). This must be enabled in conjunction with "Endpoint Traffic Policy Enforcement" under the GlobalProtect App Configurations.

4. Commit your configuration.

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Windows:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:UWP:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Android:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:iOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Chrome OS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:UWP:*:*

Fish AI Reader

Fish AI Reader

AI辅助创作,多种专业模板,深度分析,高质量内容生成。从观点提取到深度思考,FishAI为您提供全方位的创作支持。新版本引入自定义参数,让您的创作更加个性化和精准。

FishAI

FishAI

鱼阅,AI 时代的下一个智能信息助手,助你摆脱信息焦虑

联系邮箱 441953276@qq.com

相关标签

Palo Alto Networks GlobalProtect 漏洞 安全
相关文章
如何挑选短债基金?盘点一批不错的短债基金
How AI is making online casinos safer than ever before
AI News Weekly - Issue #376: Unlock AI: Top Tips for Election Officials - Mar 14th 2024
Tesla Announces Reduction in Subscription Fee of its FSD Driver-Assist Software
Machine Learning for Security and Security for Machine Learning with Nicole Nichols - TWiML Talk #252
Towards Artificial General Intelligence with Greg Brockman - TWiML Talk #74
英國釋出AI模型安全評估平臺Inspect
This tiny chip can safeguard user data while enabling efficient computing on a smartphone