SB2020031713 - Multiple vulnerabilities in Parallels Desktop

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020031713

SB2020031713 - Multiple vulnerabilities in Parallels Desktop

Published: March 17, 2020

Security Bulletin ID SB2020031713
Severity
Low
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2020-8871)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the VGA virtual device. A local user can trigger out-of-bounds write, execute arbitrary code on the target system and gain elevated privileges.


2) Out-of-bounds read (CVE-ID: CVE-2020-8872)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the xHCI component. A local user can trigger out-of-bounds read error and read contents of memory on the system.


3) Integer overflow (CVE-ID: CVE-2020-8874)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer overflow in the xHCI component. A local user can trigger integer overflow and gain elevated privileges on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2020-8873)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a lack of proper locking when performing operations on an object within the xHCI component. An local user can gain elevated privileges on the target system.

5) Out-of-bounds write (CVE-ID: CVE-2020-8875)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the IOCTL handler. A local user can trigger out-of-bounds write, execute arbitrary code on the target system and gain elevated privileges.


6) Out-of-bounds read (CVE-ID: CVE-2020-8876)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the IOCTL handler. A local user can trigger out-of-bounds read error and read contents of memory on the system.


Remediation

Install update from vendor's website.

References