CVE-2022-34901

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers with low-privileged code execution on affected Parallels Access Agent installations to escalate privileges to root by exploiting the Parallels Service's execution of files from an unsecured location. It affects Parallels Access 6.5.4 (39316) Agent installations. Attackers must already have local access to the system to exploit this flaw.

💻 Affected Systems

Products:
  • Parallels Access Agent
Versions: 6.5.4 (build 39316)
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Parallels Access Agent component; requires local access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root-level arbitrary code execution, allowing complete control over the host system, data theft, persistence establishment, and lateral movement.

🟠 Likely Case

Local privilege escalation from a low-privileged user account to root, enabling installation of malware, data access, and system configuration changes.

🟢 If Mitigated

Limited impact if proper access controls prevent local low-privileged code execution and service hardening is implemented.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring existing local access; not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains local access (through phishing, malware, or other means), this vulnerability enables full privilege escalation to root.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to execute low-privileged code; the vulnerability mechanism is straightforward once initial access is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Parallels Access 6.5.4 (39317) or later

Vendor Advisory: https://kb.parallels.com/en/129010

Restart Required: Yes

Instructions:

1. Update Parallels Access to version 6.5.4 (39317) or later.
2. Restart the Parallels Service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Parallels Service permissions

Platform: all

Limit the Parallels Service to execute only from secure, controlled directories

# Review and modify service permissions based on your OS
# Example for Linux: chmod 750 /path/to/parallels/service
# Example for Windows (no trailing backslash inside the quotes, or cmd.exe treats \" as an escaped quote):
#   icacls "C:\Program Files\Parallels" /deny Users:(OI)(CI)W
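
An added audit sketch for this workaround (not code from Parallels or from this advisory): it walks from an executable up to the filesystem root and reports every path component that a non-trusted user could modify, which is the condition behind "execution of files from an unsecured location". It assumes a POSIX system; the function names, the `agent-helper` file and the directory layout are constructed for the demonstration, since the page does not give the real Parallels Service paths.

```python
import os
import stat
import tempfile

def audit_exec_path(target, trusted_uids=(0,)):
    """Walk from `target` up to "/" and return (path, reason) for every
    component that a user outside `trusted_uids` could modify."""
    findings = []
    path = os.path.realpath(target)          # resolve symlinks before checking
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, f"owner uid {st.st_uid} is not trusted"))
        if st.st_mode & stat.S_IWOTH:
            sticky = " (sticky)" if st.st_mode & stat.S_ISVTX else ""
            findings.append((path, "world-writable" + sticky))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((path, f"group-writable by gid {st.st_gid}"))
        parent = os.path.dirname(path)
        if parent == path:                   # reached the filesystem root
            return findings
        path = parent

def demo():
    """Constructed layout: a helper with sane file permissions that lives in
    a world-writable directory. Returns (helper_dir, findings under the root)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="svc-audit-"))
    helper_dir = os.path.join(root, "helpers")
    os.mkdir(helper_dir)
    helper = os.path.join(helper_dir, "agent-helper")   # hypothetical name
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(helper, 0o755)                  # the file itself looks fine
    os.chmod(helper_dir, 0o777)              # the unsecured location
    os.chmod(root, 0o755)
    # The current uid is trusted here only so the demo runs unprivileged.
    found = audit_exec_path(helper, trusted_uids=(0, os.getuid()))
    return helper_dir, [f for f in found if f[0].startswith(root)]

if __name__ == "__main__":
    for path, reason in demo()[1]:
        print(f"{path}: {reason}")
```

In a real audit, call `audit_exec_path` with the default `trusted_uids=(0,)` on each file the privileged service launches; any finding on a parent directory matters even when the file's own mode is correct.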

Implement strict access controls

Platform: all

Prevent unauthorized local users from executing code on systems with Parallels Access Agent

# Implement least privilege principles
# Use application whitelisting
# Restrict user permissions

🧯 If You Can't Patch

  • Remove Parallels Access Agent if not essential
  • Implement strict network segmentation and isolate affected systems

🔍 How to Verify

Check if Vulnerable:

Check Parallels Access Agent version: On Windows - Check Programs and Features; On macOS/Linux - Check installed version via package manager or Parallels interface.

Check Version:

# Windows: wmic product where name="Parallels Access" get version
# macOS/Linux: Check Parallels Access interface or installed packages

Verify Fix Applied:

Verify version is 6.5.4 (39317) or later and that the Parallels Service is running with updated binaries.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file writes to Parallels service directories
  • Unexpected privilege escalation events
  • Parallels Service executing files from unusual locations

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

Event logs showing privilege escalation from low-privileged accounts to SYSTEM/root on systems with Parallels Access
