CVE-2020-17399

Published: Aug 25, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.0 / Impact: 6.0

Source: NVD

Description

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.4. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the prl_hypervisor kext. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Was ZDI-CAN-11303.

Affected (1)

Products: Parallels: Parallels Desktop

1 product

Parallels Desktop

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Parallels Parallels Desktop	Before 16.0.0

Related CWEs

Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References (4)

https://kb.parallels.com/en/125013

Source: zdi-disclosures@trendmicro.com

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-20-1017/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

https://kb.parallels.com/en/125013

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-20-1017/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.