CVE-2020-15860 in Remote Application Server
Summary
by MITRE • 01/25/2023
Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected application not being published. In addition, it was discovered that it is possible to access any host in the internal domain, even if it has no published applications or the mentioned host is no longer associated with that server farm.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/25/2023
The vulnerability identified as CVE-2020-15860 represents a critical business logic flaw within Parallels Remote Application Server version 17.1.1 that fundamentally undermines the security boundaries of the remote application delivery platform. This weakness manifests as an authentication bypass mechanism that allows authenticated users to escalate their privileges and execute arbitrary code on the backend operating systems through the web interface. The flaw occurs because the application fails to properly validate access controls and authorization checks when processing requests for published applications, creating a pathway for malicious actors to leverage their legitimate session to gain unauthorized system-level access. The vulnerability is particularly concerning because it operates outside the normal application publishing workflows that typically control what resources users can access, effectively bypassing the intended security model of the platform.
The technical implementation of this business logic error stems from inadequate input validation and access control mechanisms within the web application layer of Parallels RAS. When authenticated users make requests to the system, the application does not sufficiently verify whether the requested resource should be accessible based on the user's authorization level or the application's published status. This failure creates a scenario where users can construct malicious requests that reference unpublished applications or internal hosts, bypassing the normal security checks that would typically prevent such access. The vulnerability can be exploited through carefully crafted web requests that manipulate the application's internal resource resolution mechanisms, allowing attackers to execute commands on the underlying operating systems. This type of flaw aligns with CWE-862, which describes insufficient authorization weaknesses where the system fails to properly enforce access control policies.
The operational impact of CVE-2020-15860 extends far beyond simple remote code execution, as it provides attackers with the ability to move laterally within internal network environments. Once an attacker gains access through this vulnerability, they can potentially access any host within the internal domain that is part of the RAS server farm, regardless of whether those systems have published applications or are still associated with the server farm. This lateral movement capability significantly increases the potential damage scope, as attackers can target sensitive internal systems such as domain controllers, database servers, or other critical infrastructure components. The vulnerability essentially eliminates the network segmentation benefits that RAS is designed to provide, allowing attackers to traverse the internal network as if they were legitimate users with elevated privileges. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1059, which covers command and script interpreter usage, and T1021.002, which addresses remote services exploitation, making it particularly attractive for threat actors seeking persistent access and reconnaissance within target environments.
Organizations affected by this vulnerability should implement immediate mitigations including updating to the latest version of Parallels RAS where the business logic error has been patched, implementing additional network segmentation measures, and conducting comprehensive access control reviews. The patch provided by Parallels addresses the core authorization validation issues by strengthening the access control checks within the web application layer and ensuring that all resource requests are properly validated against the published application catalog. Additional defensive measures should include monitoring for unusual access patterns, implementing network access controls to limit internal communication between RAS components, and establishing more granular user permissions. Security teams should also consider deploying intrusion detection systems that can identify the specific request patterns associated with this vulnerability, as well as conducting regular penetration testing to validate the effectiveness of implemented controls. The vulnerability demonstrates the critical importance of proper access control implementation and the potential for business logic flaws to create more severe security implications than traditional technical vulnerabilities.