SB2021080307 - Multiple vulnerabilities in Parallels Desktop

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Uncontrolled Memory Allocation (CVE-ID: CVE-2021-34854)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to uncontrolled memory allocation in the Toolgate component. A local user can escalate privileges and execute arbitrary code in the context of the hypervisor.

2) Out-of-bounds write (CVE-ID: CVE-2021-34857)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the Toolgate component. A local administrator can trigger out-of-bounds write and execute arbitrary code on the target system.

3) Information disclosure (CVE-ID: CVE-2021-34855)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the lack of proper initialization of memory within the Toolgate component. A local user can gain unauthorized access to sensitive information on the system.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-34856)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a memory corruption condition in the virtio-gpu virtual device. A local administrator can escalate privileges and execute arbitrary code in the context of the hypervisor. 

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-21-937/
• https://kb.parallels.com/125013
• https://www.zerodayinitiative.com/advisories/ZDI-21-940/
• https://www.zerodayinitiative.com/advisories/ZDI-21-939/
• https://www.zerodayinitiative.com/advisories/ZDI-21-938/