An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability.” Disclosure Timeline The company added, “This vulnerability allows local malicious users to escalate privileges on affected installations of Parallels Desktop. The entire home folder is no longer shared with a VM by default, only selected folders, like Desktop, Documents, Downloads, etc.,” according to the vulnerability’s summary description. “Parallels Desktop 17 for Mac and newer versions are not affected. Parallels is advising users to mitigate the vulnerability via reconfiguring their software or upgrading to the latest version, which is Parallels Desktop 17 for Mac, released on August 10. This folder may contain configuration files, cache from different applications, etc., that malicious software can access.” “This functionality exposes the user home folder to the VM. “By default, Parallels Desktop shares files and folders between the Mac and a VM, so users can easily open macOS files from applications running in a virtual machine and save documents to Mac,” Parallels explained. The bulletin also warns that the level of complexity needed to exploit the vulnerability is “low.” The severity of the vulnerability is rated as high (8.8) using the Common Vulnerability Scoring System, version 3.0. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor,” according to a separate security advisory, also posted Wednesday. “The issue results from the lack of proper access control. In a Wednesday security bulletin, first to widely disclose details of the bug, it was revealed that the vulnerability (CVE-2021-34864) is caused by improper access control in the Parallels’ WinAppHelper component. The flaw, according to Parallels, is specifically tied to the software’s Parallels Tools, a proxy for communications between the host macOS and the virtual machine’s operating system. The software maker stated that the recommended fixes need to be manually performed by end users and will likely “inconvenience” some while also reducing product functionality. The vulnerability allows malicious software running in a Parallels virtual machine (VM) to access macOS files shared in a default configuration of the software. Parallels Desktop, now owned by private equity giant KKR, is used by seven million users, according to the company, and allows Mac users to run Windows, Linux and other operating systems on their macOS. Mitigation advice comes five months after researchers first identified the bug in April. The makers of Parallels Desktop has released a workaround fix for a high-severity privilege escalation bug that impacts its Parallels Desktop 16 for Mac software and all older versions.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |