SB2021042326 - Multiple vulnerabilities in Parallels Desktop
Published: April 23, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2021-31421)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the Toolgate component. A local administrator can send a specially crafted HTTP request and delete arbitrary files on the system.
2) Out-of-bounds read (CVE-ID: CVE-2021-31432)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the IDE virtual device. A local administrator can trigger out-of-bounds read error and read contents of memory on the system.
3) Out-of-bounds read (CVE-ID: CVE-2021-31431)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the IDE virtual device. A local administrator can trigger out-of-bounds read error and read contents of memory on the system.
4) Out-of-bounds read (CVE-ID: CVE-2021-31430)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the IDE virtual device. A local administrator can trigger out-of-bounds read error and read contents of memory on the system.
5) Heap-based buffer overflow (CVE-ID: CVE-2021-31429)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the IDE virtual device. A local administrator can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Heap-based buffer overflow (CVE-ID: CVE-2021-31428)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the IDE virtual device. A local administrator can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2021-31427)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to sensitive information on the system.
The vulnerability exists due to the lack of proper locking when performing operations on an object within the Open Tools Gate component. A local administrator can gain access to sensitive information on the target system.
8) Heap-based buffer overflow (CVE-ID: CVE-2021-31424)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Open Tools Gate component. A local user can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Integer overflow (CVE-ID: CVE-2021-31426)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the Parallels Tools component. A local user can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Integer overflow (CVE-ID: CVE-2021-31425)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the Parallels Tools component. A local user can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Out-of-bounds read (CVE-ID: CVE-2021-31423)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Toolgate component. A local administrator can trigger out-of-bounds read error and read contents of memory on the system.
12) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2021-31422)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the lack of proper locking when performing operations on an object within the e1000e virtual device. A local administrator can escalate privileges and execute arbitrary code on the system.
13) Stack-based buffer overflow (CVE-ID: CVE-2021-31420)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Toolgate component. A local user can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
References
- https://www.zerodayinitiative.com/advisories/ZDI-21-425/
- https://kb.parallels.com/en/125013
- https://www.zerodayinitiative.com/advisories/ZDI-21-440/
- https://www.zerodayinitiative.com/advisories/ZDI-21-439/
- https://www.zerodayinitiative.com/advisories/ZDI-21-438/
- https://www.zerodayinitiative.com/advisories/ZDI-21-437/
- https://www.zerodayinitiative.com/advisories/ZDI-21-436/
- https://www.zerodayinitiative.com/advisories/ZDI-21-435/
- https://www.zerodayinitiative.com/advisories/ZDI-21-434/
- https://www.zerodayinitiative.com/advisories/ZDI-21-433/
- https://www.zerodayinitiative.com/advisories/ZDI-21-432/
- https://www.zerodayinitiative.com/advisories/ZDI-21-431/
- https://www.zerodayinitiative.com/advisories/ZDI-21-430/
- https://www.zerodayinitiative.com/advisories/ZDI-21-428/