PT-2024-4428 · Parallels · Parallels Desktop For Mac
Published
2024-02-14
·
Updated
2025-03-11
·
CVE-2024-34331
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Parallels Desktop versions 19.3.0 and below
Description
Parallels Desktop for Mac does not properly verify the code signature of the macOS installer it is asked to process. Because the Parallels Service binary is setuid root, a local attacker can supply a crafted macOS installer and have its contents run with root privileges. Two exploitation routes are known: a time-of-check-to-time-of-use (TOCTOU) race between the verification of the installer's createinstallmedia tool and its execution as root, which lets the verified binary be swapped for a malicious one before it runs; and abuse of the do_repack_manual function, which lets the attacker cause an arbitrary file to be overwritten as root.
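To make the first exploitation route concrete, the following added example (not Parallels code, and not part of this entry) simulates a privileged helper that checks a user-owned binary and then runs it by path, beside a hardened variant that first copies the binary into a directory the user cannot write and then verifies and runs only that private copy. The SHA-256 comparison stands in for a code-signature check, the race is driven by a callback rather than real concurrency, nothing is actually executed, and the file names and payload contents are constructed for the illustration.

```python
"""Simulated check-then-use race in a setuid-style privileged helper.

Constructed example, not Parallels code. The "signature check" is a SHA-256
comparison standing in for a code-signature check, the tool bodies are short
shell scripts, and run_as_root() only returns the bytes that would be executed
instead of executing anything. The race window is modelled deterministically
with a callback that runs between the check and the use.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins for a genuine and a malicious createinstallmedia binary.
TRUSTED_TOOL = b"#!/bin/sh\necho 'genuine installer tool'\n"
EVIL_TOOL = b"#!/bin/sh\necho 'attacker payload, now running as root'\n"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_TOOL).hexdigest()


def verify(path):
    """Stand-in for the signature check: accept only the known-good digest."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == TRUSTED_DIGEST


def run_as_root(path):
    """Simulation only: return what the privileged helper would execute."""
    with open(path, "rb") as f:
        return f.read()


def vulnerable_helper(user_path, race_hook=lambda: None):
    """Check the user-owned path, then execute the same user-owned path."""
    if not verify(user_path):
        raise PermissionError("signature check failed")
    race_hook()  # attacker's window: the path is still under their control
    return run_as_root(user_path)


def hardened_helper(user_path, race_hook=lambda: None):
    """Copy into a directory the user cannot write, then check and run the copy."""
    # mkdtemp creates the directory mode 0700; assumed to be root-owned here.
    private_dir = tempfile.mkdtemp(prefix="helper-")
    private_copy = os.path.join(private_dir, "createinstallmedia")
    shutil.copyfile(user_path, private_copy)
    race_hook()  # attacker may swap user_path now; the private copy is unaffected
    try:
        # Verifying the copy (not the source) also catches a swap during copying.
        if not verify(private_copy):
            raise PermissionError("signature check failed")
        return run_as_root(private_copy)
    finally:
        shutil.rmtree(private_dir)


def swap_attack(user_path):
    """Return a race hook that replaces the checked file with the payload."""
    def hook():
        with open(user_path, "wb") as f:
            f.write(EVIL_TOOL)
    return hook


def demo():
    """Run both helpers against the same swap attack; report what each executed."""
    user_dir = tempfile.mkdtemp(prefix="user-")
    try:
        tool = os.path.join(user_dir, "createinstallmedia")
        results = {}
        for name, helper in (("vulnerable", vulnerable_helper),
                             ("hardened", hardened_helper)):
            with open(tool, "wb") as f:
                f.write(TRUSTED_TOOL)  # genuine tool is present at check time
            results[name] = helper(tool, race_hook=swap_attack(tool))
        # A payload planted before the check is rejected by the hardened variant.
        with open(tool, "wb") as f:
            f.write(EVIL_TOOL)
        try:
            hardened_helper(tool)
            results["preplanted_rejected"] = False
        except PermissionError:
            results["preplanted_rejected"] = True
        return results
    finally:
        shutil.rmtree(user_dir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the hardened variant is that check and use refer to the same object, which the unprivileged user can no longer change between the two steps; in a real helper the private copy would live in a root-owned location with a restrictive mode, and the verification would be a code-signature check on that copy.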
Recommendations
For Parallels Desktop versions 19.3.0 and below: as a temporary workaround until a patch is available, consider removing the setuid bit from the Parallels Service binary so that it no longer runs with root privileges. Expect any functionality that depends on that privileged helper to stop working while the bit is removed.
For all versions: limit which local users can trigger the macOS installer repacking path (the createinstallmedia invocation and the do_repack_manual function), since both exploitation routes require a local attacker to supply a crafted installer.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
LPE
Improper Privilege Management
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
Parallels Desktop For Mac