Headline
CVE-2020-8968: Parallels Remote Application Server credentials management errors
Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile passwords in clear text by uploading a cyphered file previously stored by Parallels RAS. The confidentiality, availability and integrity of the user's information could be compromised if an attacker is able to recover the profile password.
Affected Resources
Parallels Remote Application Server (Client) versions 15.5 to 17.
Description
INCIBE has coordinated the publication of a vulnerability in Parallels Remote Application Server, with the internal code INCIBE-2021-0512, which has been discovered by Francisco Palma, Diego León and David Jiménez from Zerolynx.
CVE-2020-8968 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.
Solution
Parallels periodically publishes fixes and patch notes in its knowledge base.
Detail
Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile passwords in clear text by uploading a cyphered file previously stored by Parallels RAS.
The confidentiality, availability and integrity of the user's information can be compromised if an attacker is able to recover the profile password.
CWE-255: credentials management errors.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.