
Zero-Day Flaw in Parallels Desktop Allows Root Privilege Escalation

Security researchers have publicly disclosed a significant zero-day vulnerability in Parallels Desktop that could allow attackers to gain root privileges on macOS systems. The flaw, which affects the latest version 20.2.1 (55876) of the popular virtualization software, stems from improper validation in the application's repack functionality.

The vulnerability builds upon a previous security issue (CVE-2024-34331) and involves two distinct methods to bypass Parallels' existing security patch. The first exploit leverages a Time-of-Check-Time-of-Use (TOCTOU) attack, while the second method takes advantage of weak signature verification requirements.

According to the researcher's detailed technical analysis, the vulnerability allows an attacker to replace the legitimate "createinstallmedia" tool with a malicious version after it passes the initial signature verification check. This creates a window of opportunity for privilege escalation to root access.
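To illustrate the check-then-use race the article describes, here is an added example written for this page (not Parallels' code, nor the researcher's exploit). The racy variant verifies a helper at a shared path and later executes whatever is at that path; the hardened variant verifies one in-memory copy and executes exactly those bytes from a private directory. The helper script, its digest and the file names are constructed placeholders, and a SHA-256 comparison stands in for real code-signature verification.

```python
import hashlib, os, shutil, subprocess, sys, tempfile

# Constructed stand-in for a signed helper: a tiny Python script whose SHA-256 digest
# plays the role of a code-signature check. Placeholder, not Parallels' own verifier.
TRUSTED_TOOL = b"print('trusted helper ran')\n"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_TOOL).hexdigest()

def is_trusted(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() == TRUSTED_DIGEST
def run_tool(path: str) -> str:
    out = subprocess.run([sys.executable, path], capture_output=True, text=True, check=True)
    return out.stdout.strip()

def verify_then_run_racy(path: str, between_check_and_use) -> str:
    """Vulnerable: check the file at `path`, then later execute whatever is at `path`."""
    with open(path, "rb") as f:
        if not is_trusted(f.read()):
            raise PermissionError("signature check failed")
    between_check_and_use()  # the TOCTOU window: the file can be swapped here
    return run_tool(path)  # executes the current content, not the verified content

def verify_then_run_safe(path: str, between_check_and_use) -> str:
    """Hardened: verify one in-memory copy and execute exactly those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if not is_trusted(data):
        raise PermissionError("signature check failed")
    between_check_and_use()  # a swap at the shared path no longer matters
    private_dir = tempfile.mkdtemp()  # mode 0700, created by the verifying process
    copy = os.path.join(private_dir, "tool.py")
    with open(copy, "wb") as f:
        f.write(data)
    try:
        return run_tool(copy)
    finally:
        shutil.rmtree(private_dir)

def demo(runner) -> str:
    # Put the trusted tool at a shared path, replace it inside the window, report what ran.
    shared_dir = tempfile.mkdtemp()
    path = os.path.join(shared_dir, "tool.py")
    with open(path, "wb") as f:
        f.write(TRUSTED_TOOL)
    def swap():  # simulated second writer with access to the shared path
        with open(path, "wb") as f:
            f.write(b"print('replaced content ran')\n")
    try:
        return runner(path, swap)
    finally:
        shutil.rmtree(shared_dir)
```

In a real privileged helper the private directory must also live on a filesystem the unprivileged user cannot write to, and the bytes should be verified with the platform's code-signing API rather than a bare digest.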

The researcher has responsibly reported the vulnerability to both the Zero Day Initiative (ZDI) and Parallels directly, after initially discovering the bypass in May 2024. Despite multiple follow-up attempts over seven months, the researcher reports receiving inadequate responses from both parties.

"Since the vendor Parallels is playing deaf and dumb, I have to disclose the 0-day exploit now," the researcher stated in their disclosure, highlighting the challenges faced during the responsible disclosure process.

The vulnerability affects multiple versions of Parallels Desktop, including version 19.4.0 and the current release. Users are advised to exercise caution when using the software's repack functionality until a security patch is made available.

Neither Parallels nor the Zero Day Initiative has publicly commented on the disclosure at the time of publication.
