CVE-2021-31420

8.8 HIGH

📋 TL;DR

This is a local privilege escalation vulnerability in Parallels Desktop's Toolgate component. Attackers with low-privileged access to a guest VM can exploit a stack-based buffer overflow to execute arbitrary code with hypervisor privileges. Only affects Parallels Desktop installations with vulnerable versions.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: 16.1.0-48950 and earlier versions
Operating Systems: macOS (host), Windows/Linux/macOS (guest VMs)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of vulnerable Parallels Desktop versions regardless of guest OS type.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the hypervisor host system, allowing attackers to escape the VM sandbox and gain full control over the host operating system.

🟠 Likely Case

Privilege escalation within the guest VM to hypervisor-level access, potentially leading to host system compromise if combined with other vulnerabilities.

🟢 If Mitigated

Limited to guest VM compromise without host escape if proper isolation controls are in place.

🌐 Internet-Facing: LOW - Requires local access to guest VM, not directly exploitable over network.
🏢 Internal Only: HIGH - Malicious insiders or compromised guest VMs can exploit this to gain hypervisor privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires existing low-privileged access to guest VM. ZDI advisory suggests exploit is reliable but requires specific conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.1.1-49151 and later

Vendor Advisory: https://kb.parallels.com/en/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help > Check for Updates.
3. Install the update to version 16.1.1-49151 or later.
4. Restart all VMs and the host system.

🔧 Temporary Workarounds

Disable Toolgate component (all)

Temporarily disable the vulnerable Toolgate component to prevent exploitation.

Not recommended as it breaks VM functionality.

🧯 If You Can't Patch

  • Isolate vulnerable VMs from critical systems
  • Restrict user access to guest VMs to trusted personnel only

🔍 How to Verify

Check if Vulnerable:

Check Parallels Desktop version: On macOS, open Parallels Desktop > About Parallels Desktop.

Check Version:

On macOS: /Applications/Parallels\ Desktop.app/Contents/MacOS/prlsrvctl -V

Verify Fix Applied:

Verify version is 16.1.1-49151 or higher in About Parallels Desktop
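A small version check that applies the "fixed in 16.1.1-49151" rule above to whatever version string the steps return, as an added example that is not part of this advisory. It assumes the string has the major.minor.patch-build form shown on this page (e.g. 16.1.0-48950); the sample outputs at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

# First fixed release named in the advisory; anything older is vulnerable.
FIXED_VERSION = "16.1.1-49151"

# Parallels reports versions as "major.minor.patch-build" (e.g. 16.1.0-48950).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def extract_version(text: str) -> Optional[str]:
    """Pull the first version-looking token out of arbitrary tool output.

    Returns None when nothing matches, so a failed check is never mistaken
    for a patched install.
    """
    m = _VERSION_RE.search(text)
    return m.group(0) if m else None


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split "16.1.0-48950" into (16, 1, 0, 48950) for numeric comparison."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Parallels version string: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return major, minor, patch, build


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build.

    Fields are compared as integers, not strings, so build 9999 correctly
    sorts below build 49151 and 16.10.x sorts above 16.9.x.
    """
    return parse_version(installed) < parse_version(fixed)


def triage(tool_output: str) -> str:
    """Turn raw version-check output into a verdict for an inventory report."""
    version = extract_version(tool_output)
    if version is None:
        return "UNKNOWN"  # could not read a version: treat as needing review
    return "VULNERABLE" if is_vulnerable(version) else "PATCHED"


if __name__ == "__main__":
    # Constructed sample outputs, not real hosts.
    for sample in ("16.1.0-48950", "Parallels Desktop 16.1.1-49151", "n/a"):
        print(f"{sample!r:40} -> {triage(sample)}")
```

Feed it the output of the version command above (or the About dialog string) from each managed Mac; an UNKNOWN verdict means the format changed and the host needs a manual look rather than being assumed patched.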

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Parallels tools
  • Toolgate component crashes
  • Privilege escalation attempts in guest VM logs

Network Indicators:

  • Not applicable - local exploit only

SIEM Query:

Process creation where parent process contains 'prl' and child process has elevated privileges

🔗 References
