A critical vulnerability identified as CVE-2024-34331 has been uncovered in Parallels Desktop, a widely used virtualization software, enabling attackers to escalate privileges to root level on macOS systems. This security flaw affects all versions of Parallels Desktop, including the most recent version 20.2.1 (55876). The vulnerability arises from insufficient security controls within the software’s macOS installer repackaging subsystem, subsequently exploited through multiple bypass techniques. Given the severe nature of this exploit, users must take immediate action to mitigate potential risks and protect their systems from possible attacks.
Understanding the Vulnerability
Security researcher Mickey Jin publicly released proof-of-concept (PoC) exploits that demonstrate how attackers can exploit CVE-2024-34331 by leveraging flaws in the repackaging script of Parallels Desktop. Within the repack_osx_install_app.sh script, the security flaw resides and becomes susceptible when the script handles macOS installer repackaging operations with root privileges via the prl_disp_service daemon. Jin’s PoC provided two avenues for exploitation—Time-of-Check to Time-of-Use (TOCTOU) and Weak Signature Enforcement via DYLIB Injection.
In the TOCTOU bypass, an attacker can replace the legitimate createinstallmedia binary with a malicious payload during a narrow window between signature verification and binary execution. This means that by crafting a fake macOS installer bundle and triggering Parallels’ repackaging workflow, attackers can execute commands with root privileges. The second exploit takes advantage of weak signature enforcement, enabling the injection of malicious dynamic libraries (DYLIBs) into binaries that pass Apple’s signature verification. Environment variable manipulation or DYLD_INSERT_LIBRARIES allows malicious payloads to bypass security controls while appearing as legitimate Apple-signed binaries.
Evolution of Exploits and Vendor Responses
Parallels responded to the original identified vulnerabilities by releasing version 19.4.1, in which they swapped the existing function with the do_repack_manual function, introducing 7z compression for installer creation. Despite these attempts, Jin discovered additional path traversal vulnerabilities in the function’s CFBundleDisplayName parameter handling. By manipulating the CFBundleDisplayName parameter, attackers could create symbolic links or replace binaries with malicious payloads during temporary file operations.
During subsequent updates, the vendor reverted to the vulnerable do_repack_createinstallmedia method in version 20.2.1, thereby reactivating the original exploiting vectors. The repercussions of this reversion kept the vulnerability exploitable in the latest versions, as demonstrated by a video showcasing successful privilege escalation on updated systems. Keeping systems unpatched remains a critical risk for organizations relying on Parallels Desktop.
Immediate Steps to Mitigate Risk
To mitigate the potential risks posed by CVE-2024-34331, system administrators and users should adopt several immediate defensive measures. One crucial step is removing SUID (Set Owner User ID upon execution) permissions from Parallels tools. The removal of SUID permissions diminishes the ability of attackers to execute malicious payloads with root privileges. Implementing network segmentation for Parallels Desktop systems can further isolate vulnerable environments and restrict unauthorized access.
Close monitoring for unauthorized file creation in the /Library/lpe directory is equally vital, as this signifies attack vectors leveraged during exploitation. Administrators should consider employing security tools capable of detecting anomalies in file creation and execution patterns. By continuously monitoring critical directories and system behaviors, organizations can detect potential exploit attempts and address them preemptively.
Weighing Operational Necessity Versus Security Risks
Organizations utilizing Parallels Desktop must evaluate the operational necessity of this virtualization software against its potential security risks, especially in the absence of an immediate official patch release. Detailed risk assessments should be conducted to understand the extent of exposure within enterprise environments. While awaiting an official patch from Parallels, it remains imperative to enforce robust security controls and inform teams about the active threat landscape and necessary mitigation strategies.
Employing alternative virtualization software or temporarily suspending the use of Parallels Desktop could be considered as added precautionary measures, particularly in high-risk environments. Until a permanent fix is released, organizations should prioritize maintaining the security and integrity of their systems by minimizing potential attack surfaces and introducing comprehensive security measures to protect sensitive data and assets.
Long-Term Security Considerations
A critical vulnerability known as CVE-2024-34331 has been discovered in Parallels Desktop, a widely utilized virtualization software, allowing attackers to escalate privileges to root level on macOS systems. This security issue impacts all versions of Parallels Desktop, even the latest version 20.2.1 (55876). The vulnerability stems from inadequate security controls within the software’s macOS installer repackaging subsystem, which can be exploited through multiple bypass techniques. Given the severity of this exploit, users are urged to act promptly to reduce potential risks. Immediate actions include updating the software with any available patches released by Parallels, closely monitoring system activity for unusual behavior, and employing additional security measures such as robust antivirus software. Preventative steps are imperative to protect systems from potential attacks that could compromise sensitive data and system integrity.
