CVE-2021-34987

8.2 HIGH

📋 TL;DR

This is a buffer overflow vulnerability in the HDAudio virtual device of Parallels Desktop. A local attacker who already has high-privileged code execution inside a guest VM can trigger it to escalate to the hypervisor level and execute arbitrary code in the hypervisor context, escaping the guest's isolation boundary.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: 16.5.1 (49187) and potentially earlier versions
Operating Systems: macOS (host system)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the HDAudio virtual device to be enabled (a common default configuration). Only exploitable from guest VMs in which the attacker already has high-privileged code execution.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the hypervisor allowing attacker to escape guest VM isolation, access host system and other VMs, and execute arbitrary code with hypervisor privileges.

🟠

Likely Case

Privilege escalation from guest VM to hypervisor level, enabling persistence, lateral movement to other VMs, and host system compromise.

🟢

If Mitigated

Limited impact if guest VMs are properly isolated and attackers cannot obtain initial high-privileged code execution on guest systems.

🌐 Internet-Facing: LOW - Requires local access to guest VM with high privileges, not directly exploitable from internet.
🏢 Internal Only: MEDIUM - Requires attacker to already have high-privileged access to guest VM, making it relevant for insider threats or multi-stage attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to first obtain high-privileged code execution on the target guest system. The exploit then triggers the buffer overflow in the HDAudio virtual device emulation, which runs in the hypervisor context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Parallels Desktop 17.0.0 or later

Vendor Advisory: https://kb.parallels.com/en/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help > Check for Updates.
3. Install available updates.
4. Restart Parallels Desktop and affected virtual machines.

🔧 Temporary Workarounds

Disable HDAudio virtual device

Applies to: all

Remove or disable the HDAudio virtual device from vulnerable virtual machines.

1. Shut down the VM.
2. Open VM configuration.
3. Navigate to Hardware > Sound.
4. Change sound device type from 'HDAudio' to 'None' or an alternative.

Restrict guest VM privileges

Applies to: all

Implement strict access controls on guest VMs to prevent attackers from obtaining high-privileged code execution.

Implement least privilege principles, disable unnecessary services, use application whitelisting, and enforce strong authentication on guest VMs.

🧯 If You Can't Patch

  • Isolate vulnerable VMs from critical systems and networks
  • Implement strict monitoring and logging for suspicious activity on guest VMs

🔍 How to Verify

Check if Vulnerable:

Check the Parallels Desktop version: in Parallels Desktop, go to About Parallels Desktop. If the version is 16.5.1 (49187) or earlier, the installation is vulnerable.

Check Version:

In macOS Terminal: /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' /Applications/Parallels\ Desktop.app/Contents/Info.plist

Verify Fix Applied:

Verify Parallels Desktop version is 17.0.0 or later. Check that HDAudio device is either updated or disabled in VM configuration.
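The version check above, as an added example script (not from the vendor advisory): it reads CFBundleShortVersionString from the Info.plist path shown above when run on a macOS host, and compares the dotted version against the fixed release 17.0.0. The plist path and the 17.0.0 threshold are taken from this page; the comparison helper works on any dotted version string, so it can also be fed a version obtained another way.

```shell
#!/bin/sh
# Added example: report whether an installed Parallels Desktop predates
# the release that fixes CVE-2021-34987 (17.0.0 per the advisory above).

FIXED_VERSION="17.0.0"
# Info.plist path from the advisory's manual check.
PLIST="/Applications/Parallels Desktop.app/Contents/Info.plist"

# version_lt A B: exit 0 when dotted version A sorts before version B.
# Compares numerically component by component; missing components are 0,
# so "17" == "17.0.0" and "16.5.1" < "16.10".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# parallels_status VERSION: print "vulnerable" or "fixed".
# A trailing build suffix such as "16.5.1 (49187)" is dropped first.
parallels_status() {
    v=${1%% *}
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# On a macOS host with Parallels installed, read the version from the bundle.
if [ -r "$PLIST" ] && [ -x /usr/libexec/PlistBuddy ]; then
    installed=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$PLIST")
    echo "Parallels Desktop $installed: $(parallels_status "$installed") (fixed in $FIXED_VERSION)"
else
    echo "Parallels Desktop Info.plist not found; run this on the macOS host." >&2
fi
```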

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Parallels components
  • Crash logs from Parallels kernel extensions
  • Suspicious hypervisor-level activity

Network Indicators:

  • Unusual network traffic from Parallels processes
  • Unexpected connections between VMs or to host

SIEM Query:

source="parallels*" AND (event_type="crash" OR process_name="*hdaudio*" OR severity="high")

🔗 References
