Parallels Desktop: Security researcher publishes zero-day exploit

Because Parallels allegedly did not respond, a security researcher demonstrates how the virtualizer can be used to gain root rights on a Mac.


An apparently insufficiently patched vulnerability in Parallels Desktop could allow a local attacker to gain root privileges on macOS and thus take control of the computer. Security researcher Mickey Jin has now publicly disclosed a zero-day exploit for the flaw in two variants. He wants to raise awareness of the problem and urge customers of the software to "proactively minimize risks", he emphasized, because attackers could already be exploiting the flaw "in the wild".

Parallels Desktop is software that can be used to virtualize other operating systems under macOS, including Windows and Linux. The tool is aimed at private users as well as companies, for example to be able to use certain Windows software in parallel on employees' Macs.

The exploits make use of a vulnerability that enables local privilege escalation. This bug (CVE-2024-34331), reported last year, was fixed by Parallels with an update to Parallels Desktop. However, the patch is "really easy to bypass", writes Jin. He immediately reported this to the Zero Day Initiative (ZDI) and to the manufacturer Parallels. Although the latter confirmed receipt of his security-critical bug report, there was no further response. ZDI took more than a month and was apparently unable to reproduce the first exploit because a new Parallels version had been released in the meantime.

Ultimately, the manufacturer has not responded to his inquiries since the end of July 2024, according to Jin, which is why he has now decided to publish the exploit.

The original vulnerability, discovered by another security researcher, apparently exploited a missing code-signature check in Parallels Desktop to gain root privileges. The patch first verifies that the command-line tool "createinstallmedia" is actually Apple-signed before launching it, the researcher explains. But the check and the launch are two separate steps on the same file path: between the successful signature verification and the launch, an attacker has enough time to replace createinstallmedia with a malicious tool, which then runs with root privileges. This is a classic time-of-check/time-of-use (TOCTOU) race.
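The race described above, as an added illustration that is not Parallels' code and does not reproduce the researcher's exploit: the Apple code-signature check is stood in for by a SHA-256 digest comparison, the "launch" simply returns the bytes that would be executed, and the attacker's action is an atomic rename into the tool's (attacker-writable) directory. The vulnerable function verifies and launches by path; the hardened function copies the tool into a directory the attacker cannot write, verifies the copy, and launches the copy. The hardened pattern is one standard mitigation chosen for this example; the page does not say how Parallels addressed the bypass. File names, digests and sample contents are constructed.

```python
"""TOCTOU illustration (added example, not Parallels Desktop code).

A privileged helper checks that a tool is "Apple-signed" and then runs it.
The signature check is simulated by a SHA-256 digest comparison and the launch
by returning the file's contents, so the example runs offline and unprivileged.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed sample "binaries": the trusted tool and the attacker's replacement.
TRUSTED_TOOL = b"#!/bin/sh\necho createinstallmedia: building installer\n"
MALICIOUS_TOOL = b"#!/bin/sh\necho pwned: running as root\n"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_TOOL).hexdigest()


def is_trusted(path: str) -> bool:
    """Stand-in for the code-signature check on the file at *path*."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == TRUSTED_DIGEST


def attacker_swap(path: str) -> None:
    """What the attacker does inside the race window: atomically replace the
    file. rename() only needs write access to the directory, not root."""
    tmp = path + ".evil"
    with open(tmp, "wb") as f:
        f.write(MALICIOUS_TOOL)
    os.replace(tmp, path)


def launch(path: str) -> bytes:
    """Stand-in for exec: return what would actually run as root."""
    with open(path, "rb") as f:
        return f.read()


def vulnerable_check_then_launch(path: str, race) -> bytes:
    """Patched-but-racy pattern: verify by path, then launch by the same path."""
    if not is_trusted(path):
        raise PermissionError("tool is not signed by Apple")
    race(path)           # attacker wins the race between check and use
    return launch(path)  # executes whatever the path points at now


def hardened_copy_verify_launch(path: str, race, private_dir: str) -> bytes:
    """Copy into a directory the attacker cannot write, verify the copy, then
    launch the copy. Changes to the original after the copy no longer matter."""
    private_copy = os.path.join(private_dir, "createinstallmedia")
    shutil.copyfile(path, private_copy)
    if not is_trusted(private_copy):
        raise PermissionError("tool is not signed by Apple")
    race(path)                   # attacker swaps the original: too late
    return launch(private_copy)  # the verified object is what runs


def _setup(tool_bytes: bytes):
    """Create a writable tool path and a stand-in for a root-only directory."""
    workdir = tempfile.mkdtemp()
    private_dir = tempfile.mkdtemp()
    tool = os.path.join(workdir, "createinstallmedia")
    with open(tool, "wb") as f:
        f.write(tool_bytes)
    return workdir, private_dir, tool


def demo(variant: str) -> bytes:
    """Run one variant against a trusted tool and return what got launched."""
    workdir, private_dir, tool = _setup(TRUSTED_TOOL)
    try:
        if variant == "vulnerable":
            return vulnerable_check_then_launch(tool, attacker_swap)
        return hardened_copy_verify_launch(tool, attacker_swap, private_dir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
        shutil.rmtree(private_dir, ignore_errors=True)


def hardened_rejects_tampered_tool() -> bool:
    """If the tool was already replaced before the check, the hardened path
    must refuse to launch it at all."""
    workdir, private_dir, tool = _setup(MALICIOUS_TOOL)
    try:
        try:
            hardened_copy_verify_launch(tool, lambda p: None, private_dir)
        except PermissionError:
            return True
        return False
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
        shutil.rmtree(private_dir, ignore_errors=True)


if __name__ == "__main__":
    print("vulnerable launched:", demo("vulnerable"))
    print("hardened launched:  ", demo("hardened"))
    print("hardened rejects tampered tool:", hardened_rejects_tampered_tool())
```

The point of the hardened variant is that the check and the use operate on the same object, not on a path the attacker controls. If the attacker swaps the file while it is being copied, the copy fails verification and nothing runs. On a real macOS system the digest comparison would be replaced by the code-signing APIs (or `codesign --verify` against an Apple anchor), and the private directory would be one owned by root and not writable by the invoking user.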


(lbe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.