Headline
CVE-2022-34892: KB Parallels: Parallels Desktop Security Updates
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop 17.1.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the update machanism. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16396.
Like any software development company, Parallels does not disclose, confirm or discuss security vulnerabilities until they are fixed, and the fix has been released to the public.
If you believe you have found a security issue in Parallels Desktop, visit KB 125214.
Get the latest Parallels Desktop update
To maintain your Parallels Desktop product’s security, we recommend installing all available product updates. To learn how to check for updates, visit KB 111603.
Importance of installing macOS security updates
Parallels Desktop takes the best of both worlds—Mac and Windows—to provide users with the best experience in both operating systems, including your security. To keep your virtual machine (VM) safe, after installing the latest Parallels Desktop build we also strongly recommend installing all macOS security updates. Parallels Desktop depends on the security of macOS, as it runs on a Mac under control from macOS. For your convenience, you can even automate macOS updates or perform them manually.
Importance of installing Windows security updates
After installing the latest Parallels Desktop build and all macOS security updates take care of the last part, your virtual machine. Because Parallels Desktop precisely emulates Windows, the safety of your Windows VM is dependent on the safety of Windows itself. To keep Windows safe, install all Windows updates including security fixes. Check this article to learn how to update.
Parallels Desktop for Mac App Store Edition security updates
As any application installed from App Store, Parallels Desktop for Mac App Store Edition runs in a sandbox environment where all access to your data is limited. Furthermore, the App Store edition uses Apple hypervisor to run virtual machines, thus relying on the overall security of macOS. The safety of your VM while using the App Store edition depends solely on the security of macOS and Windows. As recommended above, install all security updates for macOS (including any related to the App Store application) and Windows to keep your VM safe.
Parallels Desktop security updates
The table below lists security vulnerabilities and a corresponding product version that includes the fix.
Name or ID
Fixed in version
Release date
ZDI-CAN-16653
17.1.3 (51565)
May 26, 2022
ZDI-CAN-16396
ZDI-CAN-16554
ZDI-CAN-16395
ZDI-CAN-14969
17.1.0 (51516)
October 14, 2021
ZDI-CAN-13932
ZDI-CAN-13246
17.0.1 (51482)
September 7, 2021
ZDI-CAN-13797
17.0.0 (51461)
August 10, 2021
ZDI-CAN-13712
ZDI-CAN-13672
ZDI-CAN-13601
16.5.1 (49187)
July 8, 2021
ZDI-CAN-13592
ZDI-CAN-13581
ZDI-CAN-13544
ZDI-CAN-13543
KB 125544
July 27, 2021
ZDI-CAN-13190
16.5.0 (49183)
April 14, 2021
ZDI-CAN-13189
ZDI-CAN-13188
ZDI-CAN-13187
ZDI-CAN-13186
ZDI-CAN-13082
ZDI-CAN-12848
ZDI-CAN-12791
ZDI-CAN-12790
ZDI-CAN-12528
ZDI-CAN-12527
ZDI-CAN-12220
ZDI-CAN-12130
ZDI-CAN-12129
ZDI-CAN-12136
16.1.2 (49151)
December 23, 2020
ZDI-CAN-12131
ZDI-CAN-12221
ZDI-CAN-12068
16.1.0 (48950)
October 22, 2020
ZDI-CAN-12021
ZDI-CAN-11926
ZDI-CAN-11925
ZDI-CAN-11924
ZDI-CAN-10519
16.0.0 (48916)
August 11, 2020
ZDI-CAN-10518
ZDI-CAN-11363
ZDI-CAN-11304
ZDI-CAN-11303
ZDI-CAN-11302
ZDI-CAN-11253
ZDI-CAN-11217
ZDI-CAN-11134
ZDI-CAN-11132
ZDI-CAN-11063
ZDI-CAN-10520
15.1.4 (47270)
April 21, 2020
ZDI-CAN-10030
ZDI-CAN-10032
15.1.3 (47255)
March 10, 2020
ZDI-CAN-10031
ZDI-CAN-10028
ZDI-CAN-10029
ZDI-CAN-9403
ZDI-CAN-9428
ZDI-CAN-8685
15.1.1 (47117)
October 31, 2019
Related news
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.