SB2023031022 - Multiple vulnerabilities in Parallels Desktop

Description

This security bulletin contains information about 3 vulnerabilities.

1) Path traversal (CVE-ID: CVE-2023-27326)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the Toolgate component. A local administrator can send a specially crafted HTTP request and execute arbitrary code with elevated privileges.

2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2023-27327)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a time-of-check-time-of-use (TOCTOU) race condition within the Toolgate component. A local administrator can gain elevated privileges on the target system.

3) XML injection (CVE-ID: CVE-2023-27328)

CWE-ID: CWE-91 - XML Injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation when processing XML data within the Toolgate component. A local user can pass specially crafted XML data to the application and gain elevated privileges on the system.

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-23-221/
• https://kb.parallels.com/125013
• https://www.zerodayinitiative.com/advisories/ZDI-23-215/
• https://www.zerodayinitiative.com/advisories/ZDI-23-220/