March 19, 2025

The latest version of Parallels Desktop virtualization software for macOS contains an unpatched zero-day vulnerability allowing root access, and a proof-of-concept exploit is available.

The bug, which does not have a CVE or CVSS rating yet, is actually a patch bypass, and ultimately gives cyberattackers a way to gain unauthorized administrator-level — or root — access on affected systems. It affects a script that Parallels Desktop uses to repack macOS installer applications to make them compatible with Parallels virtualization.

Many organizations around the world use Parallels Desktop to run Windows, Linux, and other operating systems on their Macs. The company says some 7 million users worldwide currently use Parallels Desktop for Mac.

Critical Patch Bypass Vulnerability

As mentioned, the bug is actually a bypass for a patch that the company issued last May for another bug in the Parallels Desktop repack feature. That bug, tracked as CVE-2024-34331 with a critical CVSS score of 9.8 out of 10, enables local privilege escalation and affects versions of Parallels Desktop running on Intel-based Macs.

Ukrainian researcher Mykola Grymalyuk discovered that flaw in version 19.2.1 of the software and reported it to Parallels last February. In response, Parallels in early March released Parallels Desktop version 19.3.0 ostensibly as a fix for the issue. However, that version remained vulnerable to the issue that Grymalyuk reported, so Parallels released another version that finally fixed the flaw — Parallels Desktop 19.3.1 — more than a month later, at the end of April. MITRE issued the CVE for the vulnerability on May 7, and the bug was finally disclosed on May 30.


Independent researcher Mickey Jin, however, said he found a bypass for the new patch almost immediately, reporting it first to Trend Micro's Zero Day Initiative (ZDI) and then later to Parallels. In a blog post on the issue, the security researcher described it as having to do with a verification process the patch uses to vet the authenticity of an Apple macOS command-line utility.

Jin said he found two exploit paths to bypass the verification mechanism: one via what is known as a TOCTOU attack and the other by injecting a malicious dynamic library into the Apple binary to directly bypass the verification process. TOCTOU, for Time-of-Check to Time-of-Use, is a vulnerability that occurs when there is a time gap between checking a condition and using a resource, allowing an attacker to maliciously alter the resource during that gap. As MITRE notes, “This weakness can be security-relevant when an attacker can influence the state of the resource between check and use.”
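To make the TOCTOU class concrete, the following added example (not code from the article, from Mickey Jin, or from Parallels) contrasts the check-then-use pattern MITRE describes with a hardened version. The scenario, file names, and hashes are constructed: a script verifies a "tool" file by hashing it and then uses it. The vulnerable function hashes the file at a path and later opens the same path again, so whatever the name points to during the gap is used unverified; the hardened function opens the file once, inspects the open descriptor with `fstat`, hashes the bytes it actually read, and uses those bytes, so the path is never consulted a second time. The `between` callback stands in for the check-to-use gap.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not from the article or from Parallels): CWE-367 check-then-use
# next to a version that verifies the bytes it goes on to use.


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_then_use_by_path(path, expected_sha256, between=lambda: None):
    """Vulnerable pattern: hash the file named by `path`, then re-open `path`.

    Anything that changes what `path` refers to inside the gap (`between`
    stands in for that gap) is used without ever having been verified.
    """
    with open(path, "rb") as f:
        if _sha256(f.read()) != expected_sha256:
            raise ValueError("verification failed")
    between()                      # time-of-check / time-of-use gap
    with open(path, "rb") as f:    # second lookup of the same name
        return f.read()


def verify_and_use_same_bytes(path, expected_sha256, between=lambda: None):
    """Hardened pattern: open once, check the open descriptor, use what was read."""
    # O_NOFOLLOW refuses a symlink at the final path component where the
    # platform supports it; getattr keeps the example portable.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)          # inspect the object we hold, not the name
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        with os.fdopen(fd, "rb", closefd=False) as f:
            data = f.read()
    finally:
        os.close(fd)
    if _sha256(data) != expected_sha256:
        raise ValueError("verification failed")
    between()                      # the gap still exists ...
    return data                    # ... but the path is never consulted again


def demo():
    """Constructed scenario: the verified file is replaced during the gap.

    Returns (bytes used by the path-based check, bytes used by the hardened
    check, whether the hardened check rejects a file that never matched).
    """
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "tool")
        trusted = b"#!/bin/sh\necho trusted\n"   # constructed sample content
        replaced = b"#!/bin/sh\necho replaced\n"
        expected = _sha256(trusted)

        def write(content):
            with open(tool, "wb") as f:
                f.write(content)

        write(trusted)
        by_path = verify_then_use_by_path(tool, expected, between=lambda: write(replaced))

        write(trusted)
        by_bytes = verify_and_use_same_bytes(tool, expected, between=lambda: write(replaced))

        write(replaced)
        try:
            verify_and_use_same_bytes(tool, expected)
            rejects_mismatch = False
        except ValueError:
            rejects_mismatch = True

        return by_path, by_bytes, rejects_mismatch


if __name__ == "__main__":
    by_path, by_bytes, rejects = demo()
    print("path-based check used:", by_path)
    print("descriptor-based check used:", by_bytes)
    print("mismatch rejected:", rejects)
```

The defensive point is the shape of the fix, not the hash: a verifier must check the exact object it will use (the open descriptor or the bytes already read, or a private copy in a directory only the verifier can write), and a detection rule for this class looks for a privileged script that authenticates a path-named binary and then executes that path afresh.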


Delayed Vendor Response?

In the blog post, Jin said he had reported the issue to Parallels security back in July 2024 and waited futilely for seven months for the company to respond before deciding to go public with his findings on Feb. 20.

“Since the vendor Parallels is playing deaf and dumb, I have to disclose the zero-day exploit now,” Jin wrote.

Canada-based Alludo, which acquired Parallels a few years ago, did not respond to a Dark Reading inquiry seeking information on the vulnerability and the company's plans for addressing it. However, in a message to Jin — later shared by the security researcher on X — a member of Alludo Security apologized for the company's lengthy delay and requested that he take down the vulnerability disclosure until a fix was available.

“It looks like wires got crossed and people ended up ignoring your messages,” the email to Jin noted. It promised a review of the company's internal communications processes to ensure a similar incident would not reoccur in future.

“After your email yesterday, we escalated the issue internally and planned to send a response today,” Alludo's email dated Feb. 21 noted. “It looks like you already published the vulnerability though — can you please remove the post until we can get a fix in place?”


However, as of Feb. 24, the blog post remains up, and Alludo has issued no patch.