Multiple vulnerabilities in Parallels Desktop
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-34854 CVE-2021-34857 CVE-2021-34855 CVE-2021-34856 |
| CWE-ID | CWE-789 CWE-787 CWE-200 CWE-264 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Parallels Desktop Operating systems & Components / Operating system package or component |
| Vendor | Parallels |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Uncontrolled Memory Allocation
EUVDB-ID: #VU55530
Risk: Low
CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-34854
CWE-ID:
CWE-789 - Uncontrolled Memory Allocation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to uncontrolled memory allocation in the Toolgate component. A local user can escalate privileges and execute arbitrary code in the context of the hypervisor.
MitigationInstall updates from vendor's website.
Vulnerable software versionsParallels Desktop: before 16.5.1
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-21-937/
https://kb.parallels.com/125013
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU55533
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-34857
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the Toolgate component. A local administrator can trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsParallels Desktop: before 16.5.1
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-21-940/
https://kb.parallels.com/125013
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU55532
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-34855
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the lack of proper initialization of memory within the Toolgate component. A local user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsParallels Desktop: before 16.5.1
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-21-939/
https://kb.parallels.com/125013
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU55531
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-34856
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a memory corruption condition in the virtio-gpu virtual device. A local administrator can escalate privileges and execute arbitrary code in the context of the hypervisor.
MitigationInstall updates from vendor's website.
Vulnerable software versionsParallels Desktop: before 16.5.1
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-21-938/
https://kb.parallels.com/125013
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
