Local Privilege Escalation in Parallels Access Agent 6.5.3
CVE-2022-34900

7.8HIGH

Key Information:

Vendor: Parallels
Status: Access
Vendor: CVE Published:; 18 July 2022

What is CVE-2022-34900?

This security vulnerability in Parallels Access 6.5.3 allows local attackers to escalate their privileges. The flaw exists within the Dispatcher service, which improperly loads an OpenSSL configuration file from an unsecured location. An attacker, who is able to execute low-privileged code on the target system, can exploit this issue to gain elevated privileges and execute arbitrary code in the context of the SYSTEM user. This creates significant security risks for users of affected installations.

Affected Version(s)

Access 6.5.3 (39313)

References

https://kb.parallels.com/en/129010

x_refsource_MISC

https://www.zerodayinitiative.com/advisories/ZDI-22-945/

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 18, 2022
Vulnerability Reserved
Jul 1, 2022

Credit

Xavier Danest - Decathlon