Parallels Desktop 17.1.1 ACPI Virtual Device out-of-bounds

A vulnerability has been found in Parallels Desktop 17.1.1 and classified as critical. This vulnerability affects some unknown functionality of the component ACPI Virtual Device. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Field07/19/2022 11:34 AM08/06/2022 02:15 PM
vendorParallelsParallels
nameDesktopDesktop
version17.1.117.1.1
componentACPI Virtual DeviceACPI Virtual Device
cwe125 (out-of-bounds)125 (out-of-bounds)
risk11
cvss3_vuldb_avNN
cvss3_vuldb_acLL
cvss3_vuldb_prHH
cvss3_vuldb_uiNN
cvss3_vuldb_sUU
cvss3_vuldb_cHH
cvss3_vuldb_iHH
cvss3_vuldb_aHH
cvss3_vuldb_rcCC
cvss3_cna_avLL
cvss3_cna_acLL
cvss3_cna_prHH
cvss3_cna_uiNN
cvss3_cna_sCC
cvss3_cna_cHH
cvss3_cna_iHH
cvss3_cna_aHH
urlhttps://www.zerodayinitiative.com/advisories/ZDI-22-940/https://www.zerodayinitiative.com/advisories/ZDI-22-940/
confirm_urlhttps://kb.parallels.com/125013https://kb.parallels.com/125013
cveCVE-2022-34889CVE-2022-34889
cve_assigned1656540000 (06/30/2022)1656540000 (06/30/2022)
cve_cnaZero Day InitiativeZero Day Initiative
cve_nvd_summaryThis vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the ACPI virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-16554.This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the ACPI virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-16554.
date1658181600 (07/19/2022)1658181600 (07/19/2022)
cvss2_vuldb_avNN
cvss2_vuldb_acLL
cvss2_vuldb_auMM
cvss2_vuldb_ciCC
cvss2_vuldb_iiCC
cvss2_vuldb_aiCC
cvss2_vuldb_rcCC
cvss2_vuldb_eNDND
cvss2_vuldb_rlNDND
cvss3_vuldb_eXX
cvss3_vuldb_rlXX
cvss3_cna_basescore8.28.2
cvss2_vuldb_basescore8.38.3
cvss2_vuldb_tempscore8.38.3
cvss3_vuldb_basescore7.27.2
cvss3_vuldb_tempscore7.27.2
cvss3_meta_basescore7.77.9
cvss3_meta_tempscore7.77.9
price_0day$0-$5k$0-$5k
cvss3_nvd_avL
cvss3_nvd_acL
cvss3_nvd_prH
cvss3_nvd_uiN
cvss3_nvd_sC
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss3_nvd_basescore8.2

Interested in the pricing of exploits?

See the underground prices here!