Palo Alto GlobalProtect App Windows 6.x < 6.2.8-h2 / 6.3.x < 6.3.3-650-650 Improper Access Control (CVE-2025-4227)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(240280);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/21");

  script_cve_id("CVE-2025-4227");
  script_xref(name:"IAVA", value:"2025-A-0430-S");

  script_name(english:"Palo Alto GlobalProtect App Windows 6.x < 6.2.8-h2 / 6.3.x < 6.3.3-650-650 Improper Access Control (CVE-2025-4227)");

  script_set_attribute(attribute:"synopsis", value:
"A VPN client installed on remote host is affected by a improper access control vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Palo Alto GlobalProtect App installed on the remote Windows host is 6.x prior to 6.2.8-h2 or 6.3.x prior to 
6.3.3-650. It is, therefore, affected by a improper access control vulnerability:

  - An improper access control vulnerability in the Endpoint Traffic Policy Enforcement feature of the Palo 
    Alto Networks GlobalProtect app allows certain packets to remain unencrypted instead of being properly 
    secured within the tunnel. An attacker with physical access to the network can inject rogue devices to 
    intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers 
    from this interception within one minute. (CVE-2025-4227)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.paloaltonetworks.com/CVE-2025-4227");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Palo Alto GlobalProtect App version 6.2.8-h2, 6.3.3-650 or later");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-4227");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:paloaltonetworks:globalprotect");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("palo_alto_globalprotect_agent_win_installed.nbin");
  script_require_keys("installed_sw/Palo Alto GlobalProtect Agent", "SMB/Registry/Enumerated");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');

// Adds support for -h parsing in version strings.
vcf::palo_alto::initialize();

var app_info = vcf::get_app_info(app:'Palo Alto GlobalProtect Agent', win_local:TRUE);

vcf::check_granularity(app_info:app_info, sig_segments:3);

var constraints = [
  {'min_version' : '6.0', 'fixed_version' : '6.2.8-h2'},
  {'min_version' : '6.3', 'fixed_version' : '6.3.3-650'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);