Local Privilege Escalation Vulnerability in Parallels Desktop by Parallels
CVE-2021-34867

7.5 HIGH

Key Information:

Vendor: Parallels

Status
Vendor
CVE Published: 25 January 2022

What is CVE-2021-34867?

A local privilege escalation vulnerability has been identified in Parallels Desktop version 16.1.3-49160. It allows local attackers to escalate privileges by exploiting a flaw in the Toolgate component. The flaw results from inadequate validation of user-supplied data, which can lead to uncontrolled memory allocation. To exploit the vulnerability, an attacker must first obtain the ability to execute high-privileged code on the target guest system. An attacker can then escalate privileges and execute arbitrary code in the context of the hypervisor, posing significant risks to system integrity and data security.

Affected Version(s)

Desktop 16.1.3-49160

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Reno Robert of Trend Micro Zero Day Initiative