Hacking Parallels with CVE-2020-8871: Privilege escalation vulnerability allows access to host OS

Malware reverse engineering specialists at the Zero Day Initiative have released a security alert about a serious privilege escalation vulnerability in Parallels Desktop, the most popular virtual machine software for macOS, designed to provide high-performance virtual machine services for Apple users.

Parallels Desktop has an out-of-bounds memory vulnerability when deploying virtualized VGA devices. Threat actors can escape the virtual machine by running a special program within the targeted system. By exploiting this vulnerability, malicious hackers can execute arbitrary code on the physical host and take control of it. The flaw is tracked as CVE-2020-8871 (its CVSS score has not been publicly disclosed).

Although Parallels Desktop is one of the most popular virtualization programs for the macOS system, malware reverse engineering experts mention that the vulnerability has not been sufficiently investigated, so few details are known about it, such as exploitation vectors or potential consequences.

Last November, researcher Reno Robert reported multiple errors in Parallels to the Zero Day Initiative; one of these flaws would allow a local user on the guest operating system to escalate privileges and run code on the host. The vulnerability was fixed last May with the release of version 15.1.3 and is tracked as CVE-2020-8871, specialists in malware reverse engineering mentioned.

The International Institute of Cyber Security (IICS) considers this report to be of great relevance to Parallels Desktop users, as it favors the analysis of security flaws in virtual machine environments. Developers say that the Common Vulnerability Scoring System (CVSS) has assigned low scores to this security flaw; experts mention that, as it is a privilege escalation flaw, developers should release an upgrade patch as soon as possible.

For now there is no workaround for this vulnerability, so users are advised to be alert to the release of official update patches. More details about the vulnerability could be revealed when the company decides that the risk of exploitation has been fully mitigated.
