Parallels Desktop 0-Day Vulnerability: A Detailed Analysis

A critical 0-day vulnerability has been discovered in Parallels Desktop virtualization software, Parallels Desktop 0-Day Vulnerability, that threatens macOS systems. The CVE-2024-34331 vulnerability enables local attackers to escalate their privileges to root-level access. The latest version, 20.2.1 (55876), among other releases, is affected, and this flaw puts numerous Intel-based macOS devices at risk. In this article, we explore the technical details of the vulnerability, discuss how the exploit works, review the evolution of the attack techniques, and provide guidance on how system administrators can mitigate the risk.

Understanding the Parallels Desktop 0-Day Vulnerability

Parallels Desktop is widely used for virtualization on macOS, allowing users to run multiple operating systems simultaneously. However, the software’s repackaging subsystem has a critical flaw that exposes a significant security gap. This vulnerability resides within the repack_osx_install_app.sh script, which is responsible for handling macOS installer repackaging operations.

How the Vulnerability Occurs

The repackaging script operates with root privileges through the prl_disp_service daemon. The original patch for CVE-2024-34331 introduced a verification step for the createinstallmedia binary by implementing Apple’s code signature verification with the command:

codesign -v -R= "anchor apple"

This command is intended to ensure that only binaries signed by Apple can be executed. Unfortunately, the verification process does not fully secure the repackaging workflow. Researchers have discovered that attackers can bypass these measures using two distinct methods, which could lead to successful privilege escalation.

Detailed Exploitation Techniques

Security researcher Mickey Jin (@patch1t) has demonstrated the vulnerability through publicly available proof-of-concept (PoC) exploits. His research shows that previously patched privilege escalation flaws can be exploited using two main methods. Understanding these techniques is crucial for recognizing the potential impact on affected systems.

Time-of-Check to Time-of-Use (TOCTOU) Exploitation

The first bypass mechanism takes advantage of a gap in the timing between the verification of the code signature and the subsequent execution of the binary. This classic Time-of-Check to Time-of-Use (TOCTOU) flaw allows an attacker to replace the legitimate createinstallmedia binary with a malicious payload during this small window of opportunity.

How TOCTOU Exploitation Works

During the repackaging process, Parallels Desktop checks the code signature of the createinstallmedia binary. Once this check is complete, the binary is executed. However, researchers have demonstrated that an attacker can intervene between these two steps. For example, Jin’s first PoC (exploit1.sh) involves creating a fake macOS installer bundle in which the binary (for instance, /bin/ls) is made to masquerade as the legitimate createinstallmedia. This attack swaps the binary for a payload script during the temporary directory creation phase.

Once the malicious script is in place, it is executed with root privileges via the SUID-enabled prl_disp_service daemon. This privilege escalation allows the attacker to execute arbitrary commands on the system. A typical demonstration involves creating a file, such as by running:

touch /Library/lp

This command exemplifies how attackers might establish persistence on the system, leaving behind evidence of the exploit and a foothold for further actions.

Weak Signature Enforcement via DYLIB Injection

The second bypass mechanism exploits Parallels Desktop’s enforcement of code signature verification. The “anchor apple” requirement in the code signature check means that any binary signed by Apple, such as /bin/ls, can pass the verification step. Attackers leverage this leniency by injecting malicious dynamic libraries (DYLIBs) into these binaries.

Exploiting DYLIB Injection

The DYLIB injection technique involves manipulating environment variables, such as DYLD_INSERT_LIBRARIES, which forces the system to load additional dynamic libraries when executing a binary. Even though the binary retains a legitimate Apple signature, the injected DYLIB contains malicious code. This bypasses the intended security check and allows the malicious code to run with elevated privileges.

This method effectively turns a security feature into an attack vector by subverting the inherent trust in Apple-signed binaries. This is particularly dangerous because it leverages existing components within the operating system that are usually considered secure.

Evolution of the Exploit Techniques

Parallels Desktop’s developers attempted to mitigate the vulnerability in version 19.4.1 by switching the repackaging function from do_repack_createinstallmedia to do_repack_manual. This new method employed 7z compression for creating the installer, theoretically sidestepping the original vulnerability.

The 7z Compression Approach and Its Shortcomings

Despite the change to a different repackaging function, further research revealed that the new approach had flaws. Mickey Jin discovered a path traversal vulnerability within the handling of the CFBundleDisplayName parameter in the do_repack_manual function. Attackers can manipulate this parameter by setting its value to a directory traversal string such as:

../../../../../../tmp/link/result

By doing so, the attacker can cause the repackaging process to create symbolic links that redirect to directories owned by the root user. This opens up the possibility of replacing the 7z binary with a malicious payload during temporary file operations. Ultimately, even this new function provided a vector for privilege escalation via the exact underlying mechanism the original flaw exploited.

Reverting to the Vulnerable Method

Surprisingly, the vendor reverted to the original do_repack_createinstallmedia method in version 20.2.1. This reversion reactivated the initial exploit vectors that the introduction of the manual repackaging function had temporarily mitigated. As a result, the vulnerability remains active in the latest version of Parallels Desktop, making it imperative for users and administrators to be vigilant.

A video demonstration of the exploit on updated systems shows attackers can achieve privilege escalation, confirming that the risk is actual and imminent.

Impact on macOS Systems and Security Considerations

Exploiting this vulnerability has significant implications for macOS users, particularly those using Intel-based systems. While Apple Silicon devices remain unaffected due to different virtualization frameworks, the impact on vulnerable systems is considerable.

Affected Systems

All Intel-based macOS systems running Parallels Desktop versions 16.0.0 through 20.2.1 are susceptible to this exploit. This broad range of affected versions underscores the urgency of addressing the flaw, especially in enterprise environments where Parallels Desktop is a standard tool for virtualized macOS instances.

Potential Consequences of Exploitation

If an attacker successfully exploits this vulnerability, several severe consequences may follow:

• Persistent Root Access: The attacker can create arbitrary files and execute commands with root privileges, potentially leaving behind a persistent foothold on the system.
• Bypass of macOS TCC Protections: The exploit could allow an attacker to circumvent macOS Transparency, Consent, and Control (TCC) protections, leading to further compromise of system security.
• Virtual Machine Escape: In multi-user environments, attackers may use this vulnerability to escape the confines of a virtual machine, thereby gaining access to the host system and other virtual machines running on it.

The combination of these factors makes this vulnerability particularly dangerous, as it compromises individual systems and can lead to broader network compromises.

Mitigation Strategies and Recommendations

With working proof-of-concept exploits publicly available, the threat posed by this vulnerability is severe. Until an official patch is released by Parallels, system administrators and users must take proactive measures to reduce the risk of exploitation.

Immediate Steps for Mitigation

One of the most effective immediate measures is removing SUID permissions from Parallels Desktop tools. SUID permissions allow executables to run with elevated privileges, and removing them can significantly reduce the attack surface.

Administrators can remove SUID permissions with a command similar to:

sudo chmod -s /Applications/Parallels\ Desktop.app/Contents/MacOS/*

This command turns off the ability of the binaries to be executed with root privileges, which limits the potential for an attacker to leverage the vulnerability.

Network Segmentation and Monitoring

Another important mitigation strategy is network segmentation. By isolating systems that run Parallels Desktop from critical network resources, you limit the potential impact if an attacker gains access through the vulnerability. Network segmentation ensures that the attacker’s lateral movement is restricted even if one machine is compromised.

In addition to segmentation, continuous monitoring for suspicious activity is crucial. For instance, creating unexpected files, such as the file /Library/lpe, should trigger alerts. Such files can indicate that an attacker has successfully exploited the vulnerability. By monitoring system logs and employing intrusion detection systems (IDS), administrators can identify and respond to attacks in their early stages.

Assessing the Use of Parallels Desktop

Given the severity of the vulnerability, organizations should carefully evaluate the necessity of continuing to use Parallels Desktop until a fix is released. For some enterprises, the risks outweigh the benefits, mainly if alternative virtualization solutions do not have the same vulnerabilities. This assessment should include a risk-benefit analysis that weighs operational needs against the potential for security breaches.

Keeping Systems Updated and Prepared

While waiting for an official patch, users must stay informed about updates from Parallels and related security advisories. This includes subscribing to security bulletins, monitoring trusted cybersecurity news sources, and applying any interim fixes or configuration changes recommended by security experts.

Administrators should also consider conducting regular security audits and vulnerability assessments on their systems. Organizations can better prepare themselves for potential exploitation attempts and refine their incident response strategies by simulating attack scenarios and testing defenses.

Broader Implications and Lessons Learned

The disclosure of CVE-2024-34331 reminds us of the importance of rigorous security practices in software development, especially in applications with elevated privileges. Organizations and software developers can learn several key lessons from this incident.

Importance of Timely Patch Management

This incident underscores the need for swift and thorough patch management. Although Parallels attempted to patch the vulnerability by introducing a code signature verification step, the subsequent discovery of bypass techniques and the reversion to vulnerable methods highlight the complexities of securing legacy systems. Organizations should ensure that patches are not only deployed quickly but are also thoroughly tested for potential bypasses.

Coordination with Security Researchers

Security researchers like Mickey Jin are critical in identifying and publicizing vulnerabilities before they can be widely exploited. This incident highlights the importance of coordinated vulnerability disclosure and the need for software vendors to work closely with researchers to address flaws promptly and comprehensively.

Reassessing Trust in Code Signatures

While code signing is a powerful security mechanism, this vulnerability reveals that relying solely on signature verification can be insufficient if attackers can exploit timing gaps or inject malicious code through trusted channels. Developers must adopt a multi-layered security approach that includes, but is not limited to, code signing, secure coding practices, and continuous system behavior monitoring.

Final Thoughts and Future Directions

The critical vulnerability in Parallels Desktop is a stark reminder of how even well-established software can harbor significant security flaws. With working exploit proofs now available, the risk of real-world attacks is considerable, and the window for safe operation is rapidly closing.

Organizations using Parallels Desktop, especially on Intel-based macOS systems, must implement immediate mitigation measures while re-evaluating their reliance on the software. The potential for attackers to gain persistent root access and escape virtual environments calls for a comprehensive review of system architecture, access controls, and network segmentation.

In the future, vendors and users must prioritize a proactive stance on cybersecurity. For vendors like Parallels, this means patching vulnerabilities as discovered and investing in robust security audits and continuous improvement of their software development lifecycle. For users, it means staying informed, applying recommended mitigations promptly, and considering alternative solutions where feasible.

In conclusion, until Parallels releases an official patch, taking immediate steps to reduce risk is imperative. Remove unnecessary SUID permissions, segment your network, closely monitor for suspicious activities, and evaluate whether the operational benefits of Parallels Desktop justify the security risks involved. Doing so can help safeguard your macOS systems from a potentially devastating attack vector.

By remaining vigilant and adopting a layered approach to security, organizations can mitigate the immediate threat posed by CVE-2024-34331 while preparing for future vulnerabilities. The incident serves as a crucial case study in modern cybersecurity, illustrating that no system is immune to sophisticated attack techniques and that continuous improvement and adaptation are necessary to stay ahead of potential threats.

For more:

https://cybersecuritynews.com/parallels-desktop-0-day-vulnerability/