Full Report
Two different exploits for an unpatched Parallels Desktop privilege elevation vulnerability have been publicly disclosed, allowing users to gain root access on impacted Mac devices. [...]
Analysis Summary
This summary is built from the article excerpt above. The source gives no CVE ID, CVSS score or complete list of affected builds, so those fields carry placeholders, and anything inferred rather than stated is marked as such.
# Vulnerability: Post-Patch Bypass for Parallels Desktop Root Privilege Escalation
## CVE Details
- CVE ID: [Likely a new/unassigned CVE, pending vendor disclosure]
- CVSS Score: [Unknown, but assumed High due to root privilege escalation] (Severity: High)
- CWE: CWE-367 (Time-of-Check Time-of-Use Race Condition) for the first bypass; CWE-59 (Improper Link Resolution Before File Access, "Link Following") for the symlink-based file overwrite. These are the standard classifications for the two bug shapes described below; the source itself does not assign a CWE.
## Affected Systems
- Products: Parallels Desktop
- Versions: 19.4.0 through 20.2.1 (55876), the current release when the exploits were published. Earlier versions predate the signature check that these exploits bypass and remain exposed to the original flaw.
- Configurations: Default installations; no non-default setting is required. Any local account able to start the Parallels installer-creation workflow can attempt the exploits.
## Vulnerability Description
A local, unprivileged user can gain **root privileges** on the host macOS system through Parallels Desktop's privileged service, which runs helper tools as root on the user's behalf.
Both exploits defeat the patch Parallels shipped for the original flaw. That patch verifies that the `createinstallmedia` tool is Apple-signed before the privileged service runs it as root; it can be bypassed in at least two ways:
1. **TOCTOU race condition:** The signature check and the subsequent execution both look up `createinstallmedia` by path, and nothing binds the verified bytes to what is executed. An attacker who controls that path replaces the genuine, signed binary with a script of their own in the window between the two steps, and the service runs the script as root.
2. **Arbitrary root-owned file overwrite:** The `do_repack_manual` code path (which current builds reach because Parallels reverted the change made in 19.4.1) performs privileged writes into a location the user controls and follows symlinks while doing so. Planting a symlink there redirects the write onto a root-owned file; pointing it at a binary the service later executes as root, such as `p7z_tool`, turns the overwrite into root code execution.
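The two bug shapes above and their standard fixes, as an added example that is not code from the article, from the researcher or from Parallels: a content hash stands in for the Apple-signature check, reading a file stands in for executing it as root, and every path is a constructed fixture in a temporary directory. The `vulnerable_run`/`hardened_run` pair models the TOCTOU, where the fix is to verify and use the same open descriptor so that a rename in the window cannot change what runs; the `naive_repack_write`/`hardened_repack_write` pair models the symlink overwrite, where the fix is to create a fresh file with `O_EXCL` and `O_NOFOLLOW` so that a planted link is rejected instead of followed.

```python
# Added example, not Parallels' code: the two bug shapes above in miniature, each
# beside a hardened counterpart. Files are constructed fixtures in a temp dir;
# a content hash stands in for Apple's code-signature check.
import hashlib
import os
import tempfile
from pathlib import Path

TRUSTED_BLOB = b"#!/bin/sh\necho genuine createinstallmedia\n"       # constructed
EVIL_BLOB = b"#!/bin/sh\necho attacker code running as root\n"       # constructed
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_BLOB).hexdigest()


def is_trusted(data: bytes) -> bool:
    """Stand-in for 'is this Apple-signed?': a hash comparison for the demo."""
    return hashlib.sha256(data).hexdigest() == TRUSTED_SHA256


def _read_fd(fd: int) -> bytes:
    """Read the whole file behind an already-open descriptor, from offset 0."""
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while chunk := os.read(fd, 65536):
        chunks.append(chunk)
    return b"".join(chunks)


# Variant 1: TOCTOU between the signature check and the execution
def vulnerable_run(path: str, race_hook=lambda: None) -> bytes:
    """Check by path, then use by path: two lookups of the same name."""
    if not is_trusted(Path(path).read_bytes()):
        raise PermissionError("refused: not Apple-signed")
    race_hook()                     # the window the attacker races into
    return Path(path).read_bytes()  # second lookup; stands in for exec as root


def hardened_run(path: str, race_hook=lambda: None) -> bytes:
    """Open once, verify the bytes behind that descriptor, use that descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not is_trusted(_read_fd(fd)):
            raise PermissionError("refused: not Apple-signed")
        race_hook()                 # a rename changes the name, not our inode
        return _read_fd(fd)         # real code would fexecve(fd), never execve(path)
    finally:
        os.close(fd)


def attacker_swap(path: str, payload: bytes) -> None:
    """What the exploit does in the window: atomically replace the checked file."""
    tmp = path + ".swap"
    Path(tmp).write_bytes(payload)
    os.rename(tmp, path)


def demo_toctou():
    """Returns (vulnerable_ran_attacker_code, hardened_ran_verified_code)."""
    helper = Path(tempfile.mkdtemp()) / "createinstallmedia"
    helper.write_bytes(TRUSTED_BLOB)
    swap = lambda: attacker_swap(str(helper), EVIL_BLOB)
    ran_vuln = vulnerable_run(str(helper), race_hook=swap)
    helper.write_bytes(TRUSTED_BLOB)                    # reset the fixture
    ran_hard = hardened_run(str(helper), race_hook=swap)
    return ran_vuln == EVIL_BLOB, ran_hard == TRUSTED_BLOB


# Variant 2: a privileged write that follows an attacker's symlink
def naive_repack_write(dest: str, data: bytes) -> None:
    """Root writes into a user-controlled location and follows symlinks."""
    Path(dest).write_bytes(data)


def hardened_repack_write(dest: str, data: bytes) -> None:
    """Create a fresh inode only: no symlink following, no reuse of an existing file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_CLOEXEC
    with os.fdopen(os.open(dest, flags, 0o644), "wb") as f:
        f.write(data)


def demo_symlink():
    """Returns (naive_overwrote_victim, hardened_refused, victim_intact_afterwards)."""
    d = Path(tempfile.mkdtemp())
    victim, genuine = d / "p7z_tool", b"genuine p7z_tool"   # stand-in for a root-owned helper
    victim.write_bytes(genuine)
    link = d / "repacked.bin"
    os.symlink(victim, link)                                # attacker-planted link
    naive_repack_write(str(link), EVIL_BLOB)
    overwrote = victim.read_bytes() == EVIL_BLOB
    victim.write_bytes(genuine)                             # reset the fixture
    try:
        hardened_repack_write(str(link), EVIL_BLOB)
        refused = False
    except OSError:                                         # EEXIST or ELOOP, no write
        refused = True
    return overwrote, refused, victim.read_bytes() == genuine


if __name__ == "__main__":
    print("TOCTOU  (vuln ran attacker code, hardened ran verified):", demo_toctou())
    print("symlink (naive overwrote, hardened refused, intact):    ", demo_symlink())
```

The race is made deterministic by invoking the attacker's swap exactly between check and use, which is the window a real exploit wins by retrying. Opening by descriptor only closes the race if the code also executes by descriptor (`fexecve` on Linux); on platforms without it, the equivalent is to copy the verified binary into a root-only location and execute it from there, never from the user-controlled path that was checked.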
## Exploitation
- Status: **Public proof-of-concept exploits available** (two variants, both published before a fix). The source reports no in-the-wild exploitation; a public PoC is not evidence of it.
- Complexity: Low to High. The symlink overwrite needs only ordinary file operations; the TOCTOU variant must win a race against the signature check, although a local attacker can simply retry until it succeeds.
- Attack Vector: Local (a standard user account on the host is sufficient)
## Impact
- Confidentiality: High (Root grants access to all system data)
- Integrity: High (root can modify any file not protected by System Integrity Protection and run arbitrary code as root)
- Availability: High (Ability to disrupt system processes)
## Remediation
### Patches
- **Parallels Desktop 19.4.1:** Shipped the Apple-signature check on `createinstallmedia` as the fix for the original flaw. That check is what the TOCTOU exploit races, and the later revert to the `do_repack_manual` path introduced the second, distinct file-overwrite vulnerability.
- **Parallels Desktop 20.2.1 (55876) and older:** Confirmed vulnerable to at least one of the bypass methods; 20.2.1 (55876) was the current release when the exploits were published.
- **Action:** No release fixing the bypasses was available when the article was published. Apply the vendor's update as soon as one ships, then confirm that the installed build number is above 55876.
### Workarounds
- No explicit, confirmed vendor workarounds were provided in the article.
- **Mitigation:** Until a fix ships, treat every local account on a Mac running Parallels Desktop as potentially root-capable: keep untrusted or shared accounts off such hosts, and consider removing Parallels from machines where local privilege separation matters. Restricting file-manipulation tools is not a useful control; both exploits need only ordinary operations (replacing a file, creating a symlink) that any user can perform.
## Detection
- **Indicators of Compromise:** `createinstallmedia` executed as root from a location other than an Apple installer app under `/Applications` (in particular from a user-writable path such as a home directory or a temporary folder); symlinks created by an ordinary user whose target lies inside the Parallels Desktop application bundle; and any on-disk modification of Parallels helpers that the privileged service executes as root, `p7z_tool` above all.
- **Detection Methods and Tools:** Endpoint telemetry that records process execution, symlink creation and file writes (an EDR agent or a macOS Endpoint Security client) can carry the rules above; a HIDS or file-integrity monitor watching the Parallels bundle catches the overwrite variant after the fact. As a one-off check, `codesign --verify --deep --strict "/Applications/Parallels Desktop.app"` should report the bundle as valid; a replaced helper normally fails verification. The TOCTOU variant leaves little on disk, so its useful signal is the root execution of `createinstallmedia` from an untrusted path rather than any file-system change.
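The indicators above as runnable rules, as an added example that is neither the article's nor any vendor's detection content. It runs over a handful of constructed JSON-lines telemetry events in a simplified schema of my own (`type`, `ts`, `uid`, `euid`, `exe`, `path`, `target`, `parent`), not an EDR or Endpoint Security format. The Parallels bundle location, the helper path under `Contents/MacOS` and the parent process name `prl_disp_service` are assumptions about where Parallels keeps its privileged pieces; adjust them to what your own telemetry shows.

```python
# Added example, not from the article or from Parallels: a small rule set run over
# constructed endpoint telemetry (JSON lines in a simplified schema of my own).
# The Parallels paths and the service name below are assumptions.
import fnmatch
import json
import os

PARALLELS_BUNDLE = "/Applications/Parallels Desktop.app/"            # assumed location
PRIVILEGED_HELPERS = {"p7z_tool"}                                     # named in the article
APPLE_INSTALLER_GLOB = "/Applications/Install macOS*.app/Contents/Resources/createinstallmedia"
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

# Constructed sample events: 1 is the legitimate workflow, 2-4 are the exploit traces, 5 is noise.
SAMPLE_TELEMETRY = """\
{"type":"exec","ts":"2025-02-21T10:00:01Z","uid":0,"euid":0,"exe":"/Applications/Install macOS Sonoma.app/Contents/Resources/createinstallmedia","parent":"prl_disp_service"}
{"type":"exec","ts":"2025-02-21T10:02:17Z","uid":0,"euid":0,"exe":"/Users/alice/Downloads/Install macOS Sonoma.app/Contents/Resources/createinstallmedia","parent":"prl_disp_service"}
{"type":"symlink","ts":"2025-02-21T10:05:40Z","uid":501,"euid":501,"path":"/Users/alice/prl_work/repacked.bin","target":"/Applications/Parallels Desktop.app/Contents/MacOS/p7z_tool","parent":"Python"}
{"type":"write","ts":"2025-02-21T10:05:41Z","uid":0,"euid":0,"path":"/Applications/Parallels Desktop.app/Contents/MacOS/p7z_tool","parent":"prl_disp_service"}
{"type":"exec","ts":"2025-02-21T10:06:00Z","uid":501,"euid":501,"exe":"/bin/ls","parent":"zsh"}
"""


def rule_root_createinstallmedia(ev):
    """Root ran createinstallmedia from somewhere other than an Apple installer app."""
    if ev.get("type") != "exec" or ev.get("euid") != 0:
        return None
    exe = ev.get("exe", "")
    if os.path.basename(exe) != "createinstallmedia":
        return None
    if fnmatch.fnmatch(exe, APPLE_INSTALLER_GLOB) and not exe.startswith(USER_WRITABLE):
        return None                                   # the normal installer-creation flow
    return f"createinstallmedia run as root from an untrusted location: {exe} (parent {ev.get('parent')})"


def rule_symlink_into_bundle(ev):
    """An unprivileged user planted a symlink whose target lives inside the Parallels bundle."""
    if ev.get("type") != "symlink" or ev.get("euid") == 0:
        return None
    if ev.get("target", "").startswith(PARALLELS_BUNDLE):
        return f"symlink {ev.get('path')} -> {ev['target']} points into the Parallels bundle"
    return None


def rule_helper_modified(ev):
    """A helper the privileged service executes as root changed on disk."""
    if ev.get("type") not in ("write", "rename", "truncate"):
        return None
    path = ev.get("path", "")
    if path.startswith(PARALLELS_BUNDLE) and os.path.basename(path) in PRIVILEGED_HELPERS:
        return f"privileged Parallels helper modified on disk: {path} (euid {ev.get('euid')})"
    return None


RULES = [
    ("root_createinstallmedia_untrusted_path", rule_root_createinstallmedia),
    ("symlink_into_parallels_bundle", rule_symlink_into_bundle),
    ("parallels_helper_modified", rule_helper_modified),
]


def scan(jsonl_text: str):
    """Return [{'line': n, 'rule': name, 'detail': msg}] for every event a rule matches."""
    findings = []
    for n, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": n, "rule": "unparseable_event", "detail": line[:80]})
            continue
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"line": n, "rule": name, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"line {f['line']}: [{f['rule']}] {f['detail']}")
```

The first event, root running `createinstallmedia` from an Apple installer app under `/Applications` on behalf of the Parallels service, is what the legitimate workflow looks like and is deliberately not flagged; the second differs only in living under `/Users`, which is all the TOCTOU exploit needs. The symlink rule is the earliest signal for the overwrite variant because it fires before the privileged write happens; the helper-modified rule is confirmation after the fact, and should be cross-checked against a pending Parallels update before being treated as malicious.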
## References
- [bleepingcomputer.com/news/security/exploits-for-unpatched-parallels-desktop-flaw-give-root-on-macs/](https://www.bleepingcomputer.com/news/security/exploits-for-unpatched-parallels-desktop-flaw-give-root-on-macs/)