Parallels root privilege escalation patch circumvented in new public 0-day vulnerability

Context

https://khronokernel.com/macos/2024/05/30/CVE-2024-34331.html

Roughly a year ago, software developer and security researcher Mykola Grymalyuk released a blog post detailing CVE-2024-34331 — a root privilege escalation exploit resulting from a lack of code signature verification in part of the media creation process.

This exploit — which notably only affected Intel (x86_64) hosts — was eventually “patched.”

0-day details

https://jhftss.github.io/Parallels-0-day/

Independent security researcher Mickey Jin has disclosed a 0-day vulnerability that bypasses the patch for the aforementioned CVE-2024-34331. It is being disclosed publicly because Parallels left the vulnerability unaddressed for over seven months.

As Mickey details, there are at least two different ways to bypass Parallels’ code signature verification of createinstallmedia:

  1. Bypass via a TOCTOU attack: After passing the signature verification, and before it spawns the tool, an attacker has enough time to replace the tool createinstallmedia with a malicious one!
  2. The requirement string “anchor apple” for the signature verification is too weak! An attacker can find an Apple-signed executable binary (e.g., the system command ls), and then inject a malicious DYLIB into the Apple binary to bypass the signature verification directly! I have talked about this trick in my previous blog.

Exploit 1, as detailed by Mickey, works on the latest version of Parallels Desktop 20.2.1 (55876).
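To make the check-then-spawn race concrete, here is an added illustration (not code from Parallels or from Mickey's write-up) of the vulnerable pattern next to the usual mitigation: verify and use a private copy that the unprivileged caller cannot modify. The signature check is a constructed stand-in (a SHA-256 allow-list) and the "spawn" is a file read; the file name createinstallmedia and the "GENUINE"/"REPLACED" contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the signature check: an allow-list of SHA-256 digests.
# A real helper would verify a code signature via the Security framework instead.
TRUSTED_DIGESTS = set()

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def register_trusted(path):
    TRUSTED_DIGESTS.add(sha256_of(path))

def run_check_then_use(tool_path, between=None):
    """Vulnerable: verify the file at a caller-supplied path, then use that path."""
    if sha256_of(tool_path) not in TRUSTED_DIGESTS:
        raise PermissionError("verification failed")
    if between:
        between()  # the window between verification and spawn; the caller owns the path
    return Path(tool_path).read_bytes()  # stands in for spawning the tool

def run_staged(tool_path, between=None):
    """Hardened: copy into a private dir (mode 0700, owned by this process),
    verify the copy, use only the copy. Changes to the original no longer matter."""
    staging = Path(tempfile.mkdtemp(prefix="helper-"))
    staged = staging / "tool"
    try:
        shutil.copyfile(tool_path, staged)
        staged.chmod(0o500)
        if sha256_of(staged) not in TRUSTED_DIGESTS:
            raise PermissionError("verification failed")
        if between:
            between()
        return staged.read_bytes()
    finally:
        shutil.rmtree(staging, ignore_errors=True)

def demo():
    """Constructed scenario: register a genuine tool, overwrite it between check and use."""
    workdir = Path(tempfile.mkdtemp(prefix="user-"))
    tool = workdir / "createinstallmedia"
    tool.write_bytes(b"GENUINE")
    register_trusted(tool)
    vulnerable = run_check_then_use(tool, lambda: tool.write_bytes(b"REPLACED"))
    tool.write_bytes(b"GENUINE")
    hardened = run_staged(tool, lambda: tool.write_bytes(b"REPLACED"))
    shutil.rmtree(workdir, ignore_errors=True)
    return vulnerable, hardened  # (b"REPLACED", b"GENUINE")
```

Staging only closes the race in bypass 1; the weak requirement string in bypass 2 is a separate problem that needs a stricter designated requirement than "anchor apple".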

Parallels security concerns

In light of the initial CVE and this 0-day bypass, Parallels’ security has been brought into question.

Parallels’ responsible disclosure process makes it difficult for security researchers to submit potential vulnerabilities, requiring a valid license or proof of purchase. Additionally, Parallels offers no bug bounty compensation, disincentivizing responsible disclosure.

As for Parallels “playing deaf and dumb” with this 0-day, the company claims there were accidental internal communication issues.