Improper Privilege Management in Parallels Desktop - CVE-2019-17148
Published: January 8, 2020 / Updated: August 8, 2020
Vulnerability identifier: #VU34898
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-17148
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Parallels
Affected software:
Parallels Desktop
Parallels Desktop
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop version 14.1.3 (45485). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root. Was ZDI-CAN-8685.
How to mitigate CVE-2019-17148
Install update from vendor's website.