The severity of the vulnerability is rated as high (8.8) using the Common Vulnerability Scoring System, version 3.0. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor,” according to a separate security advisory, also posted Wednesday.
“The issue results from the lack of proper access control. In a Wednesday security bulletin, first to widely disclose details of the bug, it was revealed that the vulnerability (CVE-2021-34864) is caused by improper access control in the Parallels’ WinAppHelper component. The flaw, according to Parallels, is specifically tied to the software’s Parallels Tools, a proxy for communications between the host macOS and the virtual machine’s operating system. The software maker stated that the recommended fixes need to be manually performed by end users and will likely “inconvenience” some while also reducing product functionality. The vulnerability allows malicious software running in a Parallels virtual machine (VM) to access macOS files shared in a default configuration of the software. Parallels Desktop, now owned by private equity giant KKR, is used by seven million users, according to the company, and allows Mac users to run Windows, Linux and other operating systems on their macOS. Mitigation advice comes five months after researchers first identified the bug in April. The makers of Parallels Desktop has released a workaround fix for a high-severity privilege escalation bug that impacts its Parallels Desktop 16 for Mac software and all older versions.
0 kommentar(er)
