SB2025060433 - Multiple vulnerabilities in Parallels Desktop for Mac
Published: June 4, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) UNIX Hard Link (CVE-ID: CVE-2024-36486)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the unarchive hard link issue in the virtual machine archive restoration functionality. A local user can use the hard link to write to an arbitrary file and gain elevated privileges on the system.
2) UNIX Hard Link (CVE-ID: CVE-2024-54189)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the unarchive hard link issue in the Snapshot functionality. A local user can use the hard link to write to an arbitrary file and gain elevated privileges on the system.
3) Incorrect Ownership Assignment (CVE-ID: CVE-2024-52561)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to symlink change ownership in the Snapshot functionality. A local user can change the ownership of files owned by root to a lower-privilege user and gain elevated privileges.
Remediation
Install update from vendor's website.
References
- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2126
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2126
- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2124
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2124
- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2123
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2123