CVE-2021-31426

8.8 HIGH

📋 TL;DR

This vulnerability in Parallels Desktop allows local attackers with initial low-privileged access to escalate privileges to kernel-level execution through an integer overflow in the Parallels Tools component. It affects Parallels Desktop installations on macOS systems running vulnerable versions. Attackers can execute arbitrary code in the kernel context of the guest virtual machine.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: 16.1.2-49151 and earlier versions
Operating Systems: macOS (host), various guest OSes
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Parallels Tools to be installed on guest systems. The vulnerability exists in the Parallels Tools component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the guest virtual machine with kernel-level code execution, potentially leading to host system compromise if additional vulnerabilities exist.

🟠 Likely Case

Privilege escalation within the guest virtual machine allowing attackers to bypass security controls and access sensitive data.

🟢 If Mitigated

Limited impact if proper access controls prevent local code execution or if the vulnerability is patched.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring initial access to the system.
🏢 Internal Only: HIGH - Once an attacker gains low-privileged access to a vulnerable system, they can escalate to kernel privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to execute low-privileged code first. The integer overflow requires specific conditions to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Parallels Desktop 16.1.3 or later

Vendor Advisory: https://kb.parallels.com/en/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Parallels Desktop menu > Check for Updates.
3. Install available updates.
4. Restart affected virtual machines.

🔧 Temporary Workarounds

Disable Parallels Tools

all

Remove or disable Parallels Tools from guest virtual machines to eliminate the vulnerable component.

Within guest VM: Uninstall Parallels Tools using the appropriate uninstaller

Restrict Local Access

all

Implement strict access controls to prevent unauthorized local code execution on guest systems.

🧯 If You Can't Patch

  • Isolate vulnerable virtual machines from sensitive networks and systems
  • Implement application whitelisting to prevent execution of unauthorized code on guest systems

🔍 How to Verify

Check if Vulnerable:

Check the Parallels Desktop version: on macOS, open Parallels Desktop > About Parallels Desktop. If the version is 16.1.2-49151 or earlier, the system is vulnerable.

Check Version:

On macOS host: /Applications/Parallels\ Desktop.app/Contents/MacOS/prlsrvctl -V

Verify Fix Applied:

Verify Parallels Desktop version is 16.1.3 or later. Check that all virtual machines have been restarted after update.
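
To run the version check above across many hosts, the following added example (not Parallels code and not part of the original advisory) classifies collected version text against the fixed release 16.1.3. The function names, the inventory line layout and the sample version text formats are assumptions; feed it whatever your version command or inventory tool actually prints.

```shell
#!/bin/sh
# Added example (not vendor code): classify Parallels Desktop version text
# against the fixed release this advisory names.
FIXED_VERSION="16.1.3"   # advisory: "Parallels Desktop 16.1.3 or later"

# Print the first MAJOR.MINOR.PATCH triple in the input, or nothing at all.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit status: 0 = vulnerable (older than FIXED_VERSION), 1 = fixed or later,
# 2 = no version found, which must be followed up rather than assumed safe.
# Any 16.1.2 build counts as vulnerable whatever its build number, because
# the advisory names only 16.1.3 as fixed.
is_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    old_ifs=$IFS; IFS=.
    set -- $v $FIXED_VERSION      # $1.$2.$3 = observed, $4.$5.$6 = fixed
    IFS=$old_ifs
    if [ "$1" -lt "$4" ]; then return 0; fi
    if [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; fi
    if [ "$2" -gt "$5" ]; then return 1; fi
    if [ "$3" -lt "$6" ]; then return 0; fi
    return 1
}

# Map one "host version-text" inventory line (assumed layout) to a verdict.
classify_line() {
    host=${1%% *}; text=${1#* }
    rc=0; is_vulnerable "$text" || rc=$?
    case $rc in
        0) echo "$host VULNERABLE" ;;
        1) echo "$host PATCHED" ;;
        *) echo "$host UNKNOWN" ;;
    esac
}

# Constructed sample inventory: hosts, build 00000 and text formats are made up.
for line in "mac-01 16.1.2-49151" \
            "mac-02 version 16.1.3 (00000)" \
            "mac-03 not installed"; do
    classify_line "$line"
done
```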

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in guest system logs
  • Kernel module loading anomalies in guest OS

Network Indicators:

  • Unusual outbound connections from guest VM after local access

SIEM Query:

source="guest-vm-logs" AND (event_type="privilege_escalation" OR process_name="parallels-tools")
