CVE-2024-6153

Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-19481.
References
Link Resource
https://www.zerodayinitiative.com/advisories/ZDI-24-803/ Third Party Advisory VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-24-803/ Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

cpe:2.3:a:parallels:parallels_desktop:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:49

Type Values Removed Values Added
References () https://www.zerodayinitiative.com/advisories/ZDI-24-803/ - Third Party Advisory, VDB Entry () https://www.zerodayinitiative.com/advisories/ZDI-24-803/ - Third Party Advisory, VDB Entry

25 Sep 2024, 14:44

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de degradación del software de falla del mecanismo de protección de Parallels Desktop Updater. Esta vulnerabilidad permite a atacantes locales degradar el software de Parallels en las instalaciones afectadas de Parallels Desktop. Un atacante primero debe obtener la capacidad de ejecutar código con pocos privilegios en el sistema host de destino para poder aprovechar esta vulnerabilidad. La falla específica existe dentro del servicio Updater. El problema se debe a la falta de validación adecuada de la información de la versión antes de realizar una actualización. Un atacante puede aprovechar esto junto con otras vulnerabilidades para escalar privilegios y ejecutar código arbitrario en el contexto raíz. Era ZDI-CAN-19481.
CWE NVD-CWE-Other
First Time Parallels
Parallels parallels Desktop
References () https://www.zerodayinitiative.com/advisories/ZDI-24-803/ - () https://www.zerodayinitiative.com/advisories/ZDI-24-803/ - Third Party Advisory, VDB Entry
CPE cpe:2.3:a:parallels:parallels_desktop:*:*:*:*:*:*:*:*

20 Jun 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-20 20:15

Updated : 2024-11-21 09:49


NVD link : CVE-2024-6153

Mitre link : CVE-2024-6153

CVE.ORG link : CVE-2024-6153


JSON object : View

Products Affected

parallels

  • parallels_desktop
CWE
CWE-693

Protection Mechanism Failure

NVD-CWE-Other