#VU34898 Improper Privilege Management in Parallels Desktop - CVE-2019-17148
Published: January 8, 2020 / Updated: August 8, 2020
Vulnerability identifier: #VU34898
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-17148
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Parallels Desktop
Parallels Desktop
Software vendor:
Parallels
Parallels
Description
The vulnerability allows a local authenticated user to execute arbitrary code.
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop version 14.1.3 (45485). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root. Was ZDI-CAN-8685.
Remediation
Install update from vendor's website.