• Home
  • |
  • Blog
  • |
  • Fix These Privilege Escalation Vulnerabilities In Parallel Desktop- CVE-2021-34987 & CVE-2021-34986
fix these Privilege Escalation Vulnerabilities in Parallel Desktop

Parallel Desktops has disclosed two serious privilege escalation vulnerabilities in Parallels desktops application. The First vulnerability, CVE-2021-34987 is a HDAudio buffer overflow local privilege escalation vulnerability that allows local attackers to escalate privileges on malicious installations of Parallels Desktops. The Second one is CVE-2021-34986 is a Time-of-Check Time-of-Use privilege escalation vulnerability that allows attackers to escalate privileges on the affected installation of Parallels Desktop. These vulnerabilities allow attackers to escalate privileges and execute arbitrary code in the context of hypervisor and root, respectively. There is a need to fix these vulnerabilities. In this post, let’s see how to fix these privilege escalation vulnerabilities in Parallels Desktop- CVE-2021-34987 & CVE-2021-34986.

About Parallels Desktops:

Parallels Desktop is a fast, easy, and powerful application for running Windows on Mac without a reboot. It allows you to run thousands of Windows applications like Internet Explorer, Microsoft Office, Quicken, Access, etc., without compromising the performance.

Summary Of CVE-2021-34987:

The vulnerability CVE-2021-34987 allows a local administrator to escalate privileges on the target system. It exists because the application does not impose security restrictions within the HDAudio virtual device, leading to privilege escalation and security restrictions bypass. 

Associated CVE IDCVE-2021-34987
DescriptionA Local Privilege Escalation Vulnerability in Parallel Desktop
Associated ZDI IDZDI-CAN-14969
CVSS Score8.2 High
VectorCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)High
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Summary Of CVE-2021-34987:

The vulnerability CVE-2021-34986 allows a local user to escalate privileges on the target system. It exists due to the Time-of-check Time-of-use condition within the Parallels desktop. A user can create a symbolic link, abuse service to execute a file, and gain escalated privileges on the system.

Associated CVE IDCVE-2021-44731
DescriptionA Local Privilege Escalation Vulnerability in Parallel Desktop
Associated ZDI IDZDI-CAN-13932
CVSS Score7.8 High
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Local
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Parallels Desktop Versions Affected By These Two LPE Vulnerabilities

Parallels Desktop versions before 17.1.0 51516 are affected by CVE-2021-34987 and CVE-2021-34986 privilege escalation vulnerabilities. Make sure that your mac should have the Parallel Desktop equal to or above the v17.1.0 51516.

How To Fix These Privilege Escalation Vulnerabilities In Parallels Desktops?

Install Parallels Desktop updates to maintain your Parallels Desktop product’s security. Click on the Parallels Desktop menu on the Mac menu bar and check for updates. If there is an update available, you will see the option to download and install it.

The table shows the security update for the version that needs to be fixed.

Name or IDFixed in VersionRelease Date
ZDI-CAN-14969ZDI-CAN-1393217.1.0 (51516)October 14, 2021

Click here for more security updates for Parallels Desktop vulnerabilities.

We hope this post would help you know How to Fix These Privilege Escalation Vulnerabilities in Parallel Desktop- CVE-2021-34987 & CVE-2021-34986. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.