SB2023031022 - Multiple vulnerabilities in Parallels Desktop

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2023-27326)

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the Toolgate component. A local administrator can send a specially crafted HTTP request and execute arbitrary code with elevated privileges.

2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2023-27327)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a time-of-check-time-of-use (TOCTOU) race condition within the Toolgate component. A local administrator can gain elevated privileges on the target system.

3) XML injection (CVE-ID: CVE-2023-27328)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation when processing XML data within the Toolgate component. A local user can pass specially crafted XML data to the application and gain elevated privileges on the system.

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-23-221/
• https://kb.parallels.com/125013
• https://www.zerodayinitiative.com/advisories/ZDI-23-215/
• https://www.zerodayinitiative.com/advisories/ZDI-23-220/