Serious privilege escalation vulnerability in Parallels Desktop 16 and lower versions has been fixed

Parallels Desktop developers announced the release of an alternative solution to mitigate the exploitation of a privilege escalation flaw in Parellels Desktop v16 and earlier software. The problem is that this mitigation comes almost half a year after the identification of this vulnerability.

As some users may know, Parallels Desktop is software used by millions of users for virtualizing Windows and Linux operating systems on macOS devices.

The flaw reportedly allows threat actors to run malware on a Parallels virtual machine and access shared macOS files in a default software configuration. The developers mentioned that temporary fixes must be implemented manually, a process that could lead to some flaws in the operation of the software.

Tracked as CVE-2021-34864, the vulnerability exists due to erroneous access control in the WinAppHelper component of the affected software. According to the report, the flaw is directly related to Parallels Tools, a proxy for communications between the macOS host and the virtual machine’s operating system.

This flaw received a score of 8.8/10 according to the Common Vulnerability Scoring System (CVSS) and its successful exploitation is relatively trivial, notes the developers’ report: “This software shares files and folders between Mac devices and virtual machines by default, so any user can open and run macOS files from applications running in a virtual environment, including malicious code,” the report states.

For security, Parallels recommends users reconfigure their software deployments or upgrade to the latest version available, released August 10: “Parallels v17 and newer versions are not affected. The entire startup folder is no longer shared with a virtual machine by default, so now this applies only to folders selected by the administrator,” mention those in charge of this tool.

The report concludes by mentioning that, in order to exploit the flaw, threat actors must first gain the ability to execute malicious code with least privileges on the target system, so exposed system administrators must take into account each potential attack vector.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.