CVE-2021-27242

CVSS 3.x: 8.8 HIGH

📋 TL;DR

This vulnerability in Parallels Desktop lets an attacker who can already run low-privileged code inside a guest virtual machine escalate privileges and execute arbitrary code in the context of the hypervisor on the macOS host. The flaw is in the Toolgate component, the guest-to-host communication channel that Parallels Tools uses: data supplied by the guest is not properly validated on the host side, which leads to memory corruption. Parallels Desktop is the only affected product.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: 16.0.1-48919 and earlier
Operating Systems: macOS (host system)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of the vulnerable versions are affected regardless of configuration. Toolgate is exposed to every guest, so the guest OS type does not matter.

📦 What is this software?

Parallels Desktop is a desktop hypervisor for macOS that runs Windows, Linux and other guest operating systems on a Mac. Toolgate is its guest-to-host communication channel, exposed to the guest as a virtual device and used by the Parallels Tools drivers for features such as shared folders, clipboard sharing and display integration. Because any code running in the guest can send requests over it, the host-side parsing of those requests is a trust boundary.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Guest-to-host escape: the attacker runs arbitrary code in the hypervisor context on the macOS host and from there can read or tamper with every VM on that host and the host user's data.

🟠

Likely Case

A low-privileged foothold in one guest (a malicious download, a compromised guest service, an untrusted guest user) becomes hypervisor-level code execution on the host, with lateral movement to the other VMs and to whatever the host can reach.

🟢

If Mitigated

Only patching removes the guest-to-host path. Network segmentation and strict access controls do not stop the escape; they limit what a compromised host can reach afterwards and make a foothold in the guest harder to obtain in the first place.

🌐 Internet-Facing: LOW - Requires local access to guest VM, not directly exploitable from internet.
🏢 Internal Only: HIGH - Malicious insider or compromised guest VM can exploit this to breach host and other VMs.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: ❌ No public evidence
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

Requires existing low-privileged code execution inside a guest VM. The bug was reported through ZDI; the advisory describes the flaw, not an exploit, and no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Parallels Desktop 16.1.0 or later

Vendor Advisory: https://kb.parallels.com/en/125013

Restart Required: Yes

Instructions:

1. On the macOS host, open Parallels Desktop.
2. From the menu bar choose Parallels Desktop > Check for Updates.
3. Install version 16.1.0 or later.
4. Quit and relaunch Parallels Desktop, then restart the affected VMs; accept the Parallels Tools update the guest offers so guest and host components match.

The vulnerable parsing runs on the host side, so updating the host application is what removes the flaw; updating Parallels Tools inside the guest on its own does not.

🔧 Temporary Workarounds

Disable Toolgate component

macos

Not possible as a supported workaround. Toolgate is the guest-to-host channel that Parallels Tools depends on, and Parallels Desktop exposes no setting to turn it off. Patching is the only fix for the flaw itself.

Restrict guest VM network access

all

Limits the blast radius after an escape; it does not block the guest-to-host path. Put VMs that run untrusted code on an isolated network (host-only or a dedicated network), keep them off segments that carry sensitive traffic, and do not treat NAT as isolation: a NAT-attached guest can still reach the host and the outside.

🧯 If You Can't Patch

  • Treat every guest on an unpatched host as able to reach the host: do not run untrusted guests, untrusted downloads or untrusted users inside VMs on that host until it is patched
  • Keep the host off sensitive networks and isolate its VMs on separate network segments with strict firewall rules, so an escape gains as little as possible
  • Monitor guest user activity and host-side VM process crashes (see Detection & Monitoring)

🔍 How to Verify

Check if Vulnerable:

On the macOS host, open the Parallels Desktop menu > About Parallels Desktop. If the version is 16.0.1-48919 or earlier, the host is vulnerable. The Parallels Tools version shown inside a guest is not the relevant number: the vulnerable code runs on the host.

Check Version:

GUI: the About Parallels Desktop dialog. CLI on the host: prlctl --version, or read CFBundleShortVersionString from /Applications/Parallels Desktop.app/Contents/Info.plist.

Verify Fix Applied:

Confirm the version is 16.1.0 or later in the About Parallels Desktop dialog (or from prlctl --version), then restart any VMs that were running during the update.
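The version check above, scripted for fleet use. This is an added example, not code from the advisory or from Parallels; it assumes 16.1.0 is the first fixed release (as this page states), the default app bundle path, and that prlctl --version prints a version in x.y.z form somewhere in its output. The comparison ignores the build suffix after the dash and compares the release number only.

```shell
#!/bin/sh
# Added example: check the installed Parallels Desktop version on a macOS host
# against the first fixed release for CVE-2021-27242.
# Assumptions (not from the advisory): FIXED_VERSION=16.1.0 as this page states;
# PD_PLIST is the default install path; `prlctl --version` contains an x.y.z token.

FIXED_VERSION="16.1.0"
PD_PLIST="/Applications/Parallels Desktop.app/Contents/Info.plist"

# version_key "16.0.1-48919" -> 16000001. The "-48919" build suffix is dropped;
# the comparison is on the release number only.
version_key() {
    v="${1%%-*}"
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when the given version is older than FIXED_VERSION.
pd_version_is_vulnerable() {
    [ "$(version_key "$1")" -lt "$(version_key "$FIXED_VERSION")" ]
}

# Prints the installed version. Prefers prlctl, falls back to the app bundle's
# Info.plist, returns 1 (prints nothing) when Parallels Desktop is not installed.
installed_pd_version() {
    if command -v prlctl >/dev/null 2>&1; then
        prlctl --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
    elif [ -f "$PD_PLIST" ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$PD_PLIST"
    else
        return 1
    fi
}

# Exit status: 0 = patched, 1 = vulnerable, 2 = Parallels Desktop not found.
pd_check() {
    v=$(installed_pd_version) || { echo "Parallels Desktop not found"; return 2; }
    if pd_version_is_vulnerable "$v"; then
        echo "VULNERABLE: Parallels Desktop $v is older than $FIXED_VERSION (CVE-2021-27242)"
        return 1
    fi
    echo "OK: Parallels Desktop $v is $FIXED_VERSION or later"
}

# Usage: sh pd_check.sh --check
if [ "${1:-}" = "--check" ]; then
    pd_check
fi
```

Run it as sh pd_check.sh --check from an MDM or SSH loop and key off the exit status; the version strings in the functions above can also be fed in by hand (pd_version_is_vulnerable "16.0.1-48919") when the host is not reachable.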

📡 Detection & Monitoring

Log Indicators:

  • Crashes or unexpected restarts of the per-VM process on the host (prl_vm_app on macOS; crash reports land under ~/Library/Logs/DiagnosticReports): failed attempts to trigger the Toolgate memory corruption are likely to crash it rather than succeed cleanly
  • Errors or unusual activity mentioning Toolgate in the host's Parallels logs (~/Library/Logs/parallels.log and the parallels.log inside each VM bundle)
  • Inside a guest: low-privileged processes that unexpectedly open or talk to the Parallels Tools / Toolgate device

Network Indicators:

  • A guest, or the host itself, opening unexpected connections to the host, to other VMs, or outbound after a suspected escape

SIEM Query:

No vendor-agnostic query applies. Forward the host logs and crash reports listed above to the SIEM and alert on prl_vm_app crashes and on new processes spawned by Parallels processes on the host.

🔗 References

  • Vendor advisory: https://kb.parallels.com/en/125013
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-27242
