Parallels Desktop 17.1.1 ACPI Virtual Device out-of-bounds

A vulnerability has been found in Parallels Desktop 17.1.1 and classified as critical. This vulnerability affects some unknown functionality of the component ACPI Virtual Device. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Field	07/19/2022 11:34 AM	08/06/2022 02:15 PM
vendor	Parallels	Parallels
name	Desktop	Desktop
version	17.1.1	17.1.1
component	ACPI Virtual Device	ACPI Virtual Device
cwe	125 (out-of-bounds)	125 (out-of-bounds)
risk	1	1
cvss3_vuldb_av	N	N
cvss3_vuldb_ac	L	L
cvss3_vuldb_pr	H	H
cvss3_vuldb_ui	N	N
cvss3_vuldb_s	U	U
cvss3_vuldb_c	H	H
cvss3_vuldb_i	H	H
cvss3_vuldb_a	H	H
cvss3_vuldb_rc	C	C
cvss3_cna_av	L	L
cvss3_cna_ac	L	L
cvss3_cna_pr	H	H
cvss3_cna_ui	N	N
cvss3_cna_s	C	C
cvss3_cna_c	H	H
cvss3_cna_i	H	H
cvss3_cna_a	H	H
url	https://www.zerodayinitiative.com/advisories/ZDI-22-940/	https://www.zerodayinitiative.com/advisories/ZDI-22-940/
confirm_url	https://kb.parallels.com/125013	https://kb.parallels.com/125013
cve	CVE-2022-34889	CVE-2022-34889
cve_assigned	1656540000 (06/30/2022)	1656540000 (06/30/2022)
cve_cna	Zero Day Initiative	Zero Day Initiative
cve_nvd_summary	This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the ACPI virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-16554.	This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the ACPI virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-16554.
date	1658181600 (07/19/2022)	1658181600 (07/19/2022)
cvss2_vuldb_av	N	N
cvss2_vuldb_ac	L	L
cvss2_vuldb_au	M	M
cvss2_vuldb_ci	C	C
cvss2_vuldb_ii	C	C
cvss2_vuldb_ai	C	C
cvss2_vuldb_rc	C	C
cvss2_vuldb_e	ND	ND
cvss2_vuldb_rl	ND	ND
cvss3_vuldb_e	X	X
cvss3_vuldb_rl	X	X
cvss3_cna_basescore	8.2	8.2
cvss2_vuldb_basescore	8.3	8.3
cvss2_vuldb_tempscore	8.3	8.3
cvss3_vuldb_basescore	7.2	7.2
cvss3_vuldb_tempscore	7.2	7.2
cvss3_meta_basescore	7.7	7.9
cvss3_meta_tempscore	7.7	7.9
price_0day	$0-$5k	$0-$5k
cvss3_nvd_av		L
cvss3_nvd_ac		L
cvss3_nvd_pr		H
cvss3_nvd_ui		N
cvss3_nvd_s		C
cvss3_nvd_c		H
cvss3_nvd_i		H
cvss3_nvd_a		H
cvss3_nvd_basescore		8.2

◂ Previous Overview Next ▸

Interested in the pricing of exploits?

See the underground prices here!