CVE-2022-34899
📋 TL;DR
This is a local privilege escalation vulnerability in Parallels Access Agent that allows attackers with initial low-privileged access to gain root privileges by exploiting a symbolic link race condition in the Parallels service. It affects Parallels Access installations where an attacker already has some foothold on the system. The vulnerability enables complete system compromise through arbitrary code execution as root.
💻 Affected Systems
- Parallels Access Agent
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, allowing installation of persistent backdoors, data exfiltration, lateral movement, and full control over the affected system.
Likely Case
Local privilege escalation from a low-privileged user account to root, enabling attackers to bypass security controls, access sensitive data, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper access controls prevent initial low-privileged access, or if the service is not running with elevated privileges.
🎯 Exploit Status
Exploitation requires existing low-privileged access to the system. The vulnerability involves creating symbolic links to trick the service into executing arbitrary files with elevated privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Parallels Access 6.5.4 (39316) with security update or later versions
Vendor Advisory: https://kb.parallels.com/en/129010
Restart Required: Yes
Instructions:
1. Open the Parallels Access application.
2. Check for updates in the application settings.
3. Apply the latest security update.
4. Restart the system to ensure the updated service is running.
🔧 Temporary Workarounds
Disable Parallels Access Agent
All platforms: Temporarily disable the Parallels Access service until patching can be completed
sudo launchctl unload /Library/LaunchDaemons/com.parallels.mobile.agent.plist (macOS)
sudo systemctl stop parallels-access-agent (Linux)
Stop the 'Parallels Access Agent' service via Services.msc (Windows)
Restrict service permissions
All platforms: Limit the Parallels service to run with minimal necessary privileges
sudo chmod 750 /Applications/Parallels\ Access.app/Contents/MacOS/ParallelsAccessAgent (macOS)
Set appropriate service account with limited privileges (platform specific)
🧯 If You Can't Patch
- Remove Parallels Access Agent entirely from critical systems
- Implement strict access controls to prevent low-privileged users from accessing affected systems
- Monitor for suspicious privilege escalation attempts using endpoint detection tools
🔍 How to Verify
Check if Vulnerable:
Check Parallels Access version: On macOS: check 'About Parallels Access' in the application menu. On Windows: Check installed programs list for version 6.5.4 (39316) or earlier.
Check Version:
macOS: defaults read /Applications/Parallels\ Access.app/Contents/Info.plist CFBundleShortVersionString
Windows: wmic product where name='Parallels Access' get version
Verify Fix Applied:
Verify Parallels Access is updated to a version after the security patch (check vendor advisory for exact fixed version). Confirm the service is running the updated binary.
📡 Detection & Monitoring
Log Indicators:
- Unusual symbolic link creation in Parallels service directories
- Parallels Access Agent service restarting unexpectedly
- Privilege escalation attempts from low-privileged users to root
Network Indicators:
- Unusual outbound connections from Parallels Access service
- Increased authentication attempts to Parallels service
SIEM Query:
process_name='ParallelsAccessAgent' AND ((event_type='process_creation' AND parent_process!='launchd') OR (event_type='file_create' AND file_path LIKE '%.symlink'))
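The first log indicator above (unusual symbolic links in the service's directories) can also be checked on demand. The script below is an added example, not code from the vendor advisory or from this page; it flags symlinks not owned by root, symlinks that resolve outside the audited tree, and world-writable directories. The directory to audit is passed as an argument because the page does not name the service's directories, and `audit_symlinks` and `trusted_uids` are names chosen for this example.

```python
#!/usr/bin/env python3
"""Audit a service directory tree for symlinks a low-privileged user could have planted."""
import os
import stat
import sys
from pathlib import Path


def audit_symlinks(root, trusted_uids=frozenset({0})):
    """Return (path, reason) findings for risky symlinks and directories under root."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        here = Path(dirpath)
        mode = os.lstat(here).st_mode
        # Any local user can create, rename or replace entries in such a directory.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((str(here), "world-writable directory without sticky bit"))
        for name in dirnames + filenames:
            path = here / name
            try:
                st = os.lstat(path)  # lstat inspects the link itself, not its target
            except FileNotFoundError:
                continue  # entry vanished between listing and lstat
            if not stat.S_ISLNK(st.st_mode):
                continue
            if st.st_uid not in trusted_uids:
                findings.append((str(path), f"symlink owned by uid {st.st_uid}"))
            target = Path(os.path.realpath(path))
            if target != root and root not in target.parents:
                findings.append((str(path), f"symlink target outside tree: {target}"))
    return findings


if __name__ == "__main__":
    # Usage: audit.py <directory>; the directory is site-specific (not given on the page).
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <service-directory>")
    results = audit_symlinks(sys.argv[1])
    for path, reason in results:
        print(f"{path}\t{reason}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one finding, so the script can be run from a scheduled job and alerted on.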