CVE-2022-34889

8.2 HIGH

📋 TL;DR

This vulnerability in Parallels Desktop allows local attackers with high-privileged code execution on a guest VM to escalate privileges to hypervisor level through a buffer read overflow in the ACPI virtual device. It affects Parallels Desktop installations where untrusted users can run code on guest systems. The flaw enables arbitrary code execution in the hypervisor context.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: 17.1.1 (51537) and earlier versions
Operating Systems: macOS (host system)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Parallels Desktop with the ACPI virtual device enabled (the default). The guest OS type doesn't matter, as the vulnerability is in the hypervisor's ACPI emulation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the host system through hypervisor escape, allowing the attacker to execute arbitrary code with the highest privileges, access all VMs, and potentially persist across reboots.

🟠 Likely Case

Privilege escalation from guest VM administrator to hypervisor level, enabling lateral movement to other VMs and host system compromise.

🟢 If Mitigated

Limited to a guest VM isolation breach if proper network segmentation and least privilege are enforced on guest systems.

🌐 Internet-Facing: LOW - Requires local access to guest VM with high privileges, not directly exploitable from internet.
🏢 Internal Only: HIGH - Malicious insider or compromised guest VM with administrative access can exploit to breach host and other VMs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires existing high-privileged code execution on the guest VM. Exploitation involves crafting malicious ACPI requests to trigger the buffer read overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.1.1 (51548) or later

Vendor Advisory: https://kb.parallels.com/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help > Check for Updates.
3. Install update 17.1.1 (51548) or later.
4. Restart all running VMs and Parallels Desktop.

🔧 Temporary Workarounds

Disable ACPI for non-essential VMs

Remove the ACPI virtual device from VMs that don't require power management features. Many guest operating systems depend on ACPI to boot and shut down cleanly, so test each VM after the change.

Parallels Desktop: VM Configuration > Hardware > Remove ACPI device

Restrict guest VM privileges

Limit administrative access on guest VMs to reduce the attack surface.

🧯 If You Can't Patch

  • Isolate vulnerable Parallels Desktop hosts from critical networks
  • Monitor for suspicious hypervisor activity and guest VM privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Parallels Desktop version: in Parallels Desktop, go to About Parallels Desktop. If the version is 17.1.1 (51537) or earlier, the system is vulnerable.

Check Version:

On macOS host: /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' /Applications/Parallels\ Desktop.app/Contents/Info.plist

Note that this prints only the short version (17.1.1), which is the same on the vulnerable build (51537) and the fixed build (51548); the build number is what distinguishes them.

Verify Fix Applied:

Verify that the version shown in About Parallels Desktop is 17.1.1 (51548) or later, then confirm that ACPI functionality in the VMs still works.
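As an added example (not from the advisory or from Parallels), a small POSIX shell checker that compares an installed version and build number against the fixed 17.1.1 (51548). It assumes the build number can be read from the CFBundleVersion key of the same Info.plist (the page only cites CFBundleShortVersionString, which reads 17.1.1 on both the vulnerable and the fixed build) and that the app lives at the path shown above.

```shell
#!/bin/sh
# Added example: is an installed Parallels Desktop build still exposed to CVE-2022-34889?
PD_PLIST="/Applications/Parallels Desktop.app/Contents/Info.plist"
FIXED_VERSION="17.1.1"   # first fixed release per the vendor advisory
FIXED_BUILD=51548        # build number of that release

# Compare two dotted version strings field by field; print -1, 0 or 1.
cmp_version() {
  IFS=. read -r a1 a2 a3 _ <<EOF
$1
EOF
  IFS=. read -r b1 b2 b3 _ <<EOF
$2
EOF
  for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
    x=${pair%%:*}; y=${pair#*:}
    [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
    [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
  done
  printf '%s\n' 0
}

# Return 0 (true) when VERSION BUILD predates the fixed 17.1.1 (51548).
is_vulnerable() {
  case $(cmp_version "$1" "$FIXED_VERSION") in
    -1) return 0 ;;
    1)  return 1 ;;
  esac
  # Same short version on both sides: only the build number decides.
  [ "${2:-0}" -lt "$FIXED_BUILD" ]
}

# Read version and build from the host's Info.plist (macOS only).
# Assumption: the build number is in CFBundleVersion, possibly with a prefix
# such as "17.1.1-51548"; only the trailing digits are used.
installed_status() {
  [ -f "$PD_PLIST" ] || { echo "Parallels Desktop not found at $PD_PLIST"; return 2; }
  ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$PD_PLIST")
  build=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "$PD_PLIST")
  build=$(printf '%s' "$build" | sed 's/.*[^0-9]\([0-9][0-9]*\)$/\1/')
  if is_vulnerable "$ver" "$build"; then
    echo "VULNERABLE: Parallels Desktop $ver ($build) predates 17.1.1 (51548)"
    return 1
  fi
  echo "OK: Parallels Desktop $ver ($build) includes the fix"
}

case "${1:-}" in --check) installed_status ;; esac
```

Run it as `sh check_parallels.sh --check` on the macOS host; a non-zero exit means the installed build is vulnerable or the app was not found.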

📡 Detection & Monitoring

Log Indicators:

  • Unexpected ACPI device errors in guest VM logs
  • Hypervisor crash logs or unexpected restarts
  • Guest VM attempting privileged hypervisor operations

Network Indicators:

  • Unusual network traffic from host to other VMs post-exploit
  • Guest VM communicating with hypervisor management interfaces

SIEM Query:

source="parallels.log" AND ("ACPI error" OR "buffer overflow" OR "privilege escalation")
