CVE-2021-45810

Name of the Vulnerable Software and Affected Versions GlobalProtect-openconnect versions prior to 2.0.0

Description The issue is related to incorrect access control in GPService through DBUS and GUI. This allows arbitrary users to start a VPN connection to arbitrary servers. An attacker can host an openconnect compatible server and redirect the entire host's traffic via their own server.

Recommendations For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the GPService to minimize the risk of exploitation. Avoid using the GUI to start VPN connections until the issue is resolved.