A vulnerability was found in Parallels Desktop 15.1.2-47123 and classified as critical. This issue affects an unknown functionality of the component IOCTL Handler. The manipulation with an unknown input leads to a array index vulnerability. Using CWE to declare the problem leads to CWE-129. The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.2-47123. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the IOCTL handler. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Was ZDI-CAN-10028.

The weakness was shared 03/23/2020. The identification of this vulnerability is CVE-2020-8875 since 02/11/2020. An attack has to be approached locally. The successful exploitation needs a simple authentication. Neither technical details nor an exploit are publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries 152070, 152067, 152066 and 152065 are related to this item.

Productinfo

Name

• Parallels Desktop

Version

• 15.1.2-47123

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion