Lucene search

K
zdiKn32ZDI-23-215
HistoryMar 07, 2023 - 12:00 a.m.

Parallels Desktop Toolgate Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability

2023-03-0700:00:00
kn32
www.zerodayinitiative.com
7
vulnerability
local attacker
privilege escalation
parallels desktop
toolgate component
high-privileged code
exploit
lack of proper locking
arbitrary code

7.5 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

3.4 Low

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

MULTIPLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:H/Au:M/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

16.2%

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system.

7.5 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

3.4 Low

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

MULTIPLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:H/Au:M/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

16.2%

Related for ZDI-23-215