PT-2023-25855 · Parsec+1 · Parsec Loader+1
Julian Horoszkiewicz · Published 2023-08-20 · Updated 2024-10-17
CVE-2023-37250
CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Unity Parsec versions prior to 9
Parsec Loader versions prior to 9
Description
The issue is a time-of-check to time-of-use (TOCTOU) race condition that allows local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The application intentionally launches DLLs from a user-owned directory, but it was intended to always perform integrity verification of those DLLs.
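The check-then-use pattern behind this class of bug, next to a form that verifies the same bytes it goes on to use. This is an added example, not Parsec's code. A pinned SHA-256 digest stands in for the integrity check (the advisory does not say how verification is done), and the `between` hook, the file name and the temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_check_then_use(path, trusted_digest, between=lambda: None):
    """Racy pattern: verify by path, then reopen the same path to use it."""
    with open(path, "rb") as f:                  # time of check
        if sha256(f.read()) != trusted_digest:
            raise ValueError("integrity check failed")
    between()                                    # window: the path can change here
    with open(path, "rb") as f:                  # time of use: second, unverified read
        return f.read()

def load_verified_bytes(path, trusted_digest, between=lambda: None):
    """Hardened pattern: read once, verify those bytes, use only those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    between()                                    # later changes to the path no longer matter
    if sha256(data) != trusted_digest:
        raise ValueError("integrity check failed")
    return data

def demo():
    """Run both loaders while the file is rewritten inside the window."""
    good, other = b"constructed trusted module", b"constructed replacement"
    loaders = (("racy", load_check_then_use), ("hardened", load_verified_bytes))
    results = {}
    for name, loader in loaders:
        with tempfile.TemporaryDirectory() as d:   # stands in for the user-owned directory
            path = os.path.join(d, "module.bin")   # hypothetical file name
            with open(path, "wb") as f:
                f.write(good)

            def swap():                            # constructed stand-in for a concurrent writer
                with open(path, "wb") as f:
                    f.write(other)

            # True means the loader returned exactly the content that was verified.
            results[name] = loader(path, sha256(good), between=swap) == good
    return results

if __name__ == "__main__":
    print(demo())
```

For a native DLL the same property has to be enforced on the file itself, which is why the workaround below restricts write access to the directory the DLLs are loaded from.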
Recommendations
For Unity Parsec versions prior to 9, update to version 9 to resolve the issue.
For Parsec Loader versions prior to 9, update to version 9 to resolve the issue.
As a temporary workaround, consider restricting access to the user-owned directory where the DLLs are launched to minimize the risk of exploitation.
Fix
Time Of Check To Time Of Use
Weakness Enumeration
Related Identifiers
Affected Products
Parsec Loader
Unity Parsec