CVE-2021-31422

7.5 HIGH

📋 TL;DR

This vulnerability allows local attackers with high-privileged code execution on a Parallels Desktop guest system to escalate privileges to hypervisor level through a race condition in the e1000e virtual device. It affects Parallels Desktop installations where untrusted users have access to guest VMs. The flaw results from improper locking mechanisms during object operations.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: 16.1.1-49141 and earlier
Operating Systems: macOS (host system)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Parallels Desktop with the e1000e virtual network adapter enabled. The guest OS type does not matter, because the vulnerability is in the hypervisor component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the hypervisor host system, allowing arbitrary code execution at the highest privilege level, potentially leading to host takeover and compromise of all guest VMs.

🟠 Likely Case

Privilege escalation from guest VM administrator to hypervisor-level access, enabling lateral movement to other VMs and host system compromise.

🟢 If Mitigated

Limited to guest VM isolation breach without host compromise if proper network segmentation and hypervisor hardening are implemented.

🌐 Internet-Facing: LOW - Requires local access to guest VM with high privileges, not directly exploitable from internet.
🏢 Internal Only: HIGH - Significant risk in environments where users have administrative access to guest VMs, enabling lateral movement and host compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires existing high-privileged access on guest VM. Exploitation involves race condition timing, making it moderately complex but feasible for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.1.2-49153 and later

Vendor Advisory: https://kb.parallels.com/en/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help → Check for Updates.
3. Install update 16.1.2-49153 or later.
4. Restart all running VMs and the host system.

🔧 Temporary Workarounds

Disable e1000e network adapter (applies to: all)

Replace the e1000e virtual network adapter with an alternative adapter type in the VM configuration.

Restrict guest VM privileges (applies to: all)

Limit user access to guest VMs and remove administrative privileges where possible.

🧯 If You Can't Patch

  • Isolate vulnerable VMs on separate network segments to limit lateral movement
  • Implement strict access controls and monitoring for guest VM administrative activities

🔍 How to Verify

Check if Vulnerable:

Check the Parallels Desktop version: open Parallels Desktop → About Parallels Desktop. If the version is 16.1.1-49141 or earlier, the system is vulnerable.

Check Version:

On macOS terminal: /Applications/Parallels\ Desktop.app/Contents/MacOS/prlsrvctl info | grep Version

Verify Fix Applied:

Verify version is 16.1.2-49153 or later in About Parallels Desktop dialog.
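The version check above can be scripted for a fleet of Macs. The following is an added example, not from the advisory or from Parallels: it pulls the build from the `Version:` line of `prlsrvctl info` (the line format `Version: Desktop X.Y.Z-BUILD` is an assumption), compares the four numeric components against the fixed build 16.1.2-49153 field by field rather than as strings, and falls back to constructed sample output when no Parallels installation is present on the machine running it.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a Parallels Desktop host as
# vulnerable or patched for CVE-2021-31422 by comparing the build reported by
# `prlsrvctl info` against the fixed build named in the advisory (16.1.2-49153).
# Assumptions: the version line looks like "Version: Desktop X.Y.Z-BUILD" (the
# word "Desktop" is optional here). The sample dumps below are constructed,
# not captured from a real host.

FIXED_VERSION="16.1.2-49153"
PRLSRVCTL="/Applications/Parallels Desktop.app/Contents/MacOS/prlsrvctl"

# Print the first X.Y.Z-BUILD token found on the "Version:" line; empty if none.
extract_version() {
    printf '%s\n' "$1" | awk '
        /^Version:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+-[0-9]+$/) { print $i; exit }
        }'
}

# Split X.Y.Z-BUILD into four integers (missing components become 0).
version_to_fields() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ print $1 + 0, $2 + 0, $3 + 0, $4 + 0 }'
}

# True (exit 0) when version $1 is strictly older than version $2.
# A plain string comparison would be wrong: "16.1.10-50000" sorts before
# "16.1.2-49153" lexically, so every component is compared numerically.
version_lt() {
    set -- $(version_to_fields "$1") $(version_to_fields "$2")
    [ "$1" -lt "$5" ] && return 0
    [ "$1" -gt "$5" ] && return 1
    [ "$2" -lt "$6" ] && return 0
    [ "$2" -gt "$6" ] && return 1
    [ "$3" -lt "$7" ] && return 0
    [ "$3" -gt "$7" ] && return 1
    [ "$4" -lt "$8" ]
}

# Print "vulnerable", "patched" or "unknown" for one prlsrvctl info dump.
# Exit status: 0 patched, 1 vulnerable, 2 no version found (for fleet tooling).
classify() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable"
        return 1
    fi
    echo "patched"
    return 0
}

# Constructed sample dumps in the assumed format (not real host output).
SAMPLE_VULNERABLE="Hostname: demo-host.local
Version: Desktop 16.1.1-49141
OS: macOS 11.2.3"

SAMPLE_PATCHED="Hostname: demo-host.local
Version: Desktop 16.1.2-49153
OS: macOS 11.3"

if [ -x "$PRLSRVCTL" ]; then
    # Live check: the exit status carries the verdict.
    classify "$("$PRLSRVCTL" info)"
else
    # No Parallels on this machine: walk the constructed samples instead.
    for dump in "$SAMPLE_VULNERABLE" "$SAMPLE_PATCHED"; do
        verdict=$(classify "$dump") || :
        echo "version $(extract_version "$dump"): $verdict"
    done
fi
```

On a host that actually has Parallels installed the script runs the live command and exits 1 when the build is older than the fix, so it can be dropped into an inventory job; the numeric comparison matters because a later minor release such as 16.1.10 must not be reported as older than 16.1.2.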

📡 Detection & Monitoring

Log Indicators:

  • Unusual hypervisor process activity
  • Guest VM attempting privileged operations outside normal scope
  • Race condition patterns in virtualization logs

Network Indicators:

  • Unexpected network traffic between VMs and hypervisor management interfaces

SIEM Query:

source="parallels*" AND (event_type="privilege_escalation" OR process_name="e1000e")
