CVE-2024-6154

6.7 MEDIUM

📋 TL;DR

This is a heap-based buffer overflow vulnerability in Parallels Desktop's Toolgate component that allows local attackers to escalate privileges. Attackers who already have high-privileged code execution on a guest VM can exploit this to execute arbitrary code on the host system. Only Parallels Desktop installations with vulnerable versions are affected.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: Specific vulnerable versions are not given in the CVE description; likely recent versions prior to the patch
Operating Systems: macOS (host system)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Parallels Desktop with Toolgate component enabled and attacker with high-privileged access to guest VM.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full host system compromise with attacker gaining root/administrator privileges, allowing complete control over the host operating system and all VMs.

🟠 Likely Case

Local privilege escalation from guest VM to host system, enabling attackers to install malware, steal data, or pivot to other systems on the network.

🟢 If Mitigated

No impact if proper patch is applied or vulnerable component is disabled/isolated.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring initial access to a guest VM.
🏢 Internal Only: HIGH - Once an attacker gains access to a guest VM (through phishing, malware, etc.), they can exploit this to compromise the host system and potentially other internal resources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to first obtain high-privileged code execution in the guest VM. The buffer overflow itself is likely straightforward to trigger once that initial access is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in CVE, check Parallels Desktop updates

Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-804/

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help → Check for Updates.
3. Install any available updates.
4. Restart Parallels Desktop and affected VMs.

🔧 Temporary Workarounds

Disable Toolgate component (all)

Disable the vulnerable Toolgate component if not required for your use case.

Isolate guest VMs (all)

Ensure guest VMs are properly isolated and don't have unnecessary privileges or network access.

🧯 If You Can't Patch

  • Restrict access to guest VMs to trusted users only
  • Implement strict monitoring for suspicious activity on guest VMs and host system

🔍 How to Verify

Check if Vulnerable:

Check Parallels Desktop version and compare against patched versions in vendor advisory

Check Version:

In Parallels Desktop: Help → About Parallels Desktop

Verify Fix Applied:

Verify Parallels Desktop is updated to latest version and no security updates are pending
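The version check above can be scripted on the macOS host. The following is an added example, not code from this page or from Parallels: it reads the installed version from the application's Info.plist (the install path is assumed to be the default one) and compares it against a patched version that you must fill in from the vendor advisory, since this page does not state it. The comparison pads version tuples so that "19.3" and "19.3.0" compare equal.

```python
import plistlib
import re
from pathlib import Path

# Assumed default install location of Parallels Desktop on macOS; adjust if installed elsewhere.
INFO_PLIST = Path("/Applications/Parallels Desktop.app/Contents/Info.plist")

# Placeholder: the fixed version is not given on this page; take it from the vendor advisory.
PATCHED_VERSION = "X.Y.Z"


def parse_version(text):
    """Turn '19.3.0 (54924)' into (19, 3, 0); raise ValueError if no numeric version is present."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(installed, patched):
    """True when the installed version is older than the patched version."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    # Pad with zeros so '19.3' and '19.3.0' are treated as the same release.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def installed_version(plist_path=INFO_PLIST):
    """Read CFBundleShortVersionString from the app bundle; None if the app is not installed."""
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as fh:
        info = plistlib.load(fh)
    return info.get("CFBundleShortVersionString")


def main():
    version = installed_version()
    if version is None:
        print("Parallels Desktop not found at the assumed path; nothing to check.")
        return
    try:
        parse_version(PATCHED_VERSION)
    except ValueError:
        print(f"Installed: {version}. Set PATCHED_VERSION from the advisory before comparing.")
        return
    status = "VULNERABLE (older than patch)" if is_vulnerable(version, PATCHED_VERSION) else "patched or newer"
    print(f"Installed: {version}, patched: {PATCHED_VERSION} -> {status}")


if __name__ == "__main__":
    main()
```

Run it on the host after filling in PATCHED_VERSION; a build suffix such as "(54924)" in the installed string is ignored by the parser.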

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Parallels Desktop components
  • Suspicious memory allocation patterns in Parallels processes
  • Unexpected privilege escalation events

Network Indicators:

  • Unusual network traffic from guest VM to host system components

SIEM Query:

Process creation where parent process contains 'prl' and child process has elevated privileges
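The SIEM rule above is stated in prose; as an added example (not part of the original page, and not a vendor-supplied rule), here it is implemented over constructed process-creation events in a simple JSON-lines shape. The field names (`parent`, `parent_euid`, `child`, `child_euid`) are assumptions; map them to whatever your endpoint telemetry emits. The `require_jump` option tightens the rule to cases where the child is root but its Parallels parent was not, which filters out Parallels services that legitimately run as root spawning root children.

```python
import json

# Constructed sample events (not real telemetry), one JSON object per line; the last line is deliberately malformed.
SAMPLE_EVENTS = """\
{"ts":"2024-07-01T10:00:01Z","parent":"prl_vm_app","parent_euid":501,"child":"prl_disp_service","child_euid":501,"cmd":"prl_disp_service"}
{"ts":"2024-07-01T10:00:05Z","parent":"prl_vm_app","parent_euid":501,"child":"bash","child_euid":0,"cmd":"/bin/bash -c id"}
{"ts":"2024-07-01T10:00:09Z","parent":"launchd","parent_euid":0,"child":"prl_disp_service","child_euid":0,"cmd":"prl_disp_service"}
{"ts":"2024-07-01T10:00:12Z","parent":"Terminal","parent_euid":501,"child":"sudo","child_euid":0,"cmd":"sudo ls"}
{"ts":"2024-07-01T10:00:15Z","parent":"prl_client_app","parent_euid":501,"child_euid":0,"cmd":"/usr/bin/python3"}
{"ts":"2024-07-01T10:00:20Z","parent":"prl_disp_service","parent_euid":0,"child":"prl_naptd","child_euid":0,"cmd":"prl_naptd"}
not json at all
"""


def parse_events(text):
    """Parse JSON lines into dicts; malformed lines are counted and skipped rather than aborting the scan."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def is_suspicious(event, require_jump=True):
    """Parent name contains 'prl' and the child runs with euid 0 (elevated).

    With require_jump=True the parent must itself be non-root, so only an actual
    privilege jump from a Parallels process is flagged."""
    parent = str(event.get("parent", "")).lower()
    if "prl" not in parent:
        return False
    if event.get("child_euid") != 0:
        return False
    if require_jump and event.get("parent_euid") == 0:
        return False
    return True


def find_privilege_jumps(text, require_jump=True):
    """Return the events matching the rule, in input order."""
    events, _bad = parse_events(text)
    return [ev for ev in events if is_suspicious(ev, require_jump)]


if __name__ == "__main__":
    hits = find_privilege_jumps(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev['ts']} parent={ev['parent']} child={ev.get('child', '?')} cmd={ev.get('cmd', '')}")
```

Each hit is a candidate, not a verdict: tune the rule against a baseline of your own Parallels process tree before alerting on it, and treat a missing `child` name (as in the fifth sample event) as a reason to look harder rather than to drop the event.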
