A vulnerability was found in Parallels Desktop (version now known). It has been declared as critical. This vulnerability affects some unknown processing. The manipulation with an unknown input leads to a signature verification vulnerability. The CWE definition for the vulnerability is CWE-347. The product does not verify, or incorrectly verifies, the cryptographic signature for data. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Parallels Desktop Updater Improper Verification of Cryptographic Signature Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. . Was ZDI-CAN-21817.

The weakness was published 12/19/2023 as ZDI-23-1803. The advisory is shared for download at zerodayinitiative.com. This vulnerability was named CVE-2023-50228 since 12/05/2023. There are neither technical details nor an exploit publicly available.

Upgrading eliminates this vulnerability. The upgrade is hosted for download at kb.parallels.com.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Parallels

Name

• Desktop

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion