Parallels Desktop Updater Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability
CVE-2023-27323

7.8HIGH

Key Information:

Vendor: Parallels
Status: Desktop
Vendor: CVE Published:; 3 May 2024

What is CVE-2023-27323?

A local privilege escalation vulnerability exists in the Updater service of Parallels Desktop, allowing local attackers to execute arbitrary code with elevated privileges. To exploit this vulnerability, an attacker must first gain the ability to run low-privileged code on the target host system. The flaw is specifically tied to the improper handling of symbolic links in the Updater service. When an attacker creates a symbolic link pointing to a malicious file, they can leverage this vulnerability to escalate their privileges and execute code in the context of the root user. The impact of this vulnerability is significant, enabling unauthorized access and control over the host system.

Affected Version(s)

Desktop 18.0.0 (53049)

References

https://www.zerodayinitiative.com/advisories/ZDI-23-217/

x_research-advisory

https://kb.parallels.com/125013

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Feb 28, 2023