Parallel Desktops has disclosed two serious privilege escalation vulnerabilities in Parallels desktops application. The First vulnerability, CVE-2021-34987 is a HDAudio buffer overflow local privilege escalation vulnerability that allows local attackers to escalate privileges on malicious installations of Parallels Desktops. The Second one is CVE-2021-34986 is a Time-of-Check Time-of-Use privilege escalation vulnerability that allows attackers to escalate privileges on the affected installation of Parallels Desktop. These vulnerabilities allow attackers to escalate privileges and execute arbitrary code in the context of hypervisor and root, respectively. There is a need to fix these vulnerabilities. In this post, let’s see how to fix these privilege escalation vulnerabilities in Parallels Desktop- CVE-2021-34987 & CVE-2021-34986.
Table of Contents
About Parallels Desktops:
Parallels Desktop is a fast, easy, and powerful application for running Windows on Mac without a reboot. It allows you to run thousands of Windows applications like Internet Explorer, Microsoft Office, Quicken, Access, etc., without compromising the performance.
Summary Of CVE-2021-34987:
The vulnerability CVE-2021-34987 allows a local administrator to escalate privileges on the target system. It exists because the application does not impose security restrictions within the HDAudio virtual device, leading to privilege escalation and security restrictions bypass.
| Associated CVE ID | CVE-2021-34987 |
| Description | A Local Privilege Escalation Vulnerability in Parallel Desktop |
| Associated ZDI ID | ZDI-CAN-14969 |
| CVSS Score | 8.2 High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | High |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Summary Of CVE-2021-34987:
The vulnerability CVE-2021-34986 allows a local user to escalate privileges on the target system. It exists due to the Time-of-check Time-of-use condition within the Parallels desktop. A user can create a symbolic link, abuse service to execute a file, and gain escalated privileges on the system.
| Associated CVE ID | CVE-2021-44731 |
| Description | A Local Privilege Escalation Vulnerability in Parallel Desktop |
| Associated ZDI ID | ZDI-CAN-13932 |
| CVSS Score | 7.8 High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | |
| Exploitability Score | |
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | Low |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Parallels Desktop Versions Affected By These Two LPE Vulnerabilities
Parallels Desktop versions before 17.1.0 51516 are affected by CVE-2021-34987 and CVE-2021-34986 privilege escalation vulnerabilities. Make sure that your mac should have the Parallel Desktop equal to or above the v17.1.0 51516.
How To Fix These Privilege Escalation Vulnerabilities In Parallels Desktops?
Install Parallels Desktop updates to maintain your Parallels Desktop product’s security. Click on the Parallels Desktop menu on the Mac menu bar and check for updates. If there is an update available, you will see the option to download and install it.
The table shows the security update for the version that needs to be fixed.
| Name or ID | Fixed in Version | Release Date |
| ZDI-CAN-14969ZDI-CAN-13932 | 17.1.0 (51516) | October 14, 2021 |
How to configure Parallels Desktop to automatically check for updates?
It is too simple and easy to update the Parallel Desktops applications on mac. Just follow these steps to configure auto-update.
- Go to Parallels Desktop menu > Preferences > General
- Verify that the ‘Download updates automatically’ check-box is checked
- Schedule how often the updates are need to check
Click here for more security updates for Parallels Desktop vulnerabilities.
We hope this post would help you know How to Fix These Privilege Escalation Vulnerabilities in Parallel Desktop- CVE-2021-34987 & CVE-2021-34986. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
