Parallels Desktop
CVE-2024-6154
MEDIUM
Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Parallels Desktop Toolgate Heap-based Buffer Overflow Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.
The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system. Was ZDI-CAN-20450.
AnalysisAI
Parallels Desktop Toolgate Heap-based Buffer Overflow Local Privilege Escalation Vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-122. Parallels Desktop Toolgate Heap-based Buffer Overflow Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system. Was ZDI-CAN-20450. Affected products include: Parallels Parallels Desktop.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Parallels Desktop
View allDirectory traversal vulnerability in Parallels Desktop for Mac version 20.2.2 (build 55879) affecting the PVMP package u
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) where the snapshot function
Privilege escalation vulnerability in Parallels Desktop for Mac 20.1.1 that allows a local attacker with user-level priv
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) affecting the Snapshot dele
Improper privilege management vulnerability in Parallels Desktop Software, which affects versions earlier than 19.3.0. R
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Deskt
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3 (
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.2-4
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.5-4
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today