Vulnerability identifier: #VU34898

Vulnerability risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17148

CWE-ID: CWE-269

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Parallels Desktop
Operating systems & Components / Operating system package or component

Vendor: Parallels

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop version 14.1.3 (45485). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root. Was ZDI-CAN-8685.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Parallels Desktop: 14.1.3

---

External links
http://www.zerodayinitiative.com/advisories/ZDI-19-1028/

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.