
Critical Vulnerability in Parallels Desktop: Attackers Can Gain Root Privileges!

A serious security vulnerability has been discovered in Parallels Desktop, a popular virtualization product used to run Windows and other operating systems on a Mac. The vulnerability, tracked as CVE-2024-34331 and currently unpatched (a 0-day), allows attackers to gain root-level privileges on macOS.

What’s most concerning is that even the latest version of Parallels Desktop, 20.2.1 (55876), remains vulnerable, and proof-of-concept (PoC) exploits have already been published online.

Security researchers have demonstrated two exploitation techniques, which pose a significant threat to enterprises and individual users.

CVE-2024-34331 is linked to the repack_osx_install_app.sh script, which performs macOS installer repackaging operations with root privileges via the prl_disp_service daemon.

The vulnerability can be exploited in two primary ways:

1. Time-of-Check to Time-of-Use (TOCTOU) Attack

Attackers can replace the legitimate createinstallmedia binary with a malicious payload between the time of code signature verification and execution.

In the PoC (exploit1.sh), a fake macOS installer package is created, where /bin/ls is used as a placeholder for createinstallmedia. The attacker then swaps this binary with a malicious script during temporary directory creation.

Since the script runs with root privileges via the SUID-enabled prl_disp_service, it allows attackers to execute arbitrary commands, such as:

touch /Library/lpe

to create persistence mechanisms.

2. Bypassing Signature Verification via DYLIB Injection

Parallels Desktop verifies the createinstallmedia binary’s signature using the following command:

codesign -v -R="anchor apple"

However, this check accepts any Apple-signed binary (e.g., /bin/ls).

Attackers can use DYLIB injection or environment variable manipulation (DYLD_INSERT_LIBRARIES) to introduce malicious code while maintaining a valid Apple signature.

Previous Attempts to Patch the Vulnerability

Parallels initially attempted to address similar issues in version 19.4.1 by introducing the do_repack_manual function, which used 7z compression for installer creation.

However, researchers discovered a new path traversal vulnerability in the way it handled the CFBundleDisplayName parameter, allowing attackers to:

✔ Create symbolic links to manipulate root-owned directories
✔ Replace the 7z binary with a malicious payload
✔ Execute malicious code through Parallels’ privileged services

In version 20.2.1, Parallels reverted to the vulnerable do_repack_createinstallmedia method, making CVE-2024-34331 exploitable again.

Which Systems Are Affected?

🔴 All Intel-based Macs running Parallels Desktop 16.0.0 – 20.2.1
🟢 Apple Silicon (M1, M2, M3) devices are not affected, as they use a different virtualization framework.

What Are the Potential Risks?

If successfully exploited, attackers can:

Gain root access on macOS
Bypass macOS security mechanisms like TCC (Transparency, Consent, and Control)
Escape the virtual machine and attack the macOS host

How to Protect Your System?

Currently, Parallels has not released an official patch, so users are strongly advised to take the following security measures:

🔹 Remove SUID permissions from Parallels services

sudo chmod -s /Applications/Parallels\ Desktop.app/Contents/MacOS/prl_disp_service

🔹 Restrict network access for Parallels Desktop
🔹 Monitor for suspicious files (e.g., /Library/lpe and other anomalies)
🔹 Consider alternative virtualization tools, such as VMware Fusion or VirtualBox, if Parallels does not release a timely patch.
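As an added example (not from the article and not Parallels’ own tooling), the following POSIX shell script lets a Mac administrator check for the three conditions described above: an installed Parallels Desktop version inside the affected range 16.0.0 – 20.2.1, the SUID bit still present on prl_disp_service, and the /Library/lpe marker file left behind by the published PoC. It assumes Parallels stores its version in the bundle’s Info.plist under CFBundleShortVersionString, which is the usual macOS convention.

```shell
#!/bin/sh
# Added defender-side check for the conditions described in the article.
# Not from the article or from Parallels.

PRL_APP="/Applications/Parallels Desktop.app"          # path from the article
PRL_DISP="$PRL_APP/Contents/MacOS/prl_disp_service"    # path from the article
MARKER="/Library/lpe"                                  # marker file named in the article

# Turn "major.minor.patch" into one sortable integer (each field assumed < 1000).
version_key() {
    echo "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# Return 0 if the version lies in the affected range 16.0.0 .. 20.2.1 inclusive.
version_in_affected_range() {
    v=$(version_key "$1")
    lo=$(version_key 16.0.0)
    hi=$(version_key 20.2.1)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Return 0 if the file exists and carries the set-user-ID bit.
# The POSIX -u test avoids the stat(1) flag differences between macOS and Linux.
has_suid_bit() {
    [ -u "$1" ]
}

# Return 0 if the PoC's marker file is present.
marker_present() {
    [ -e "$1" ]
}

# Read the installed version. Assumption: it is recorded in Info.plist under
# CFBundleShortVersionString. Prints nothing if the app or key is missing.
installed_version() {
    defaults read "$PRL_APP/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null || true
}

# Print one WARNING line per condition found; always returns 0.
check_parallels() {
    ver=$(installed_version)
    [ -n "$ver" ] || { echo "Parallels Desktop not found at $PRL_APP"; return 0; }
    echo "Parallels Desktop version: $ver"
    version_in_affected_range "$ver" && echo "WARNING: version in affected range 16.0.0-20.2.1"
    has_suid_bit "$PRL_DISP" && echo "WARNING: SUID bit set on $PRL_DISP"
    marker_present "$MARKER" && echo "WARNING: $MARKER exists (possible prior exploitation)"
    return 0
}

check_parallels
```

Run it with sudo if /Library is not readable by your account; a clean result still leaves the SUID removal above as the recommended step until Parallels ships a fix.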

CVE-2024-34331 is a critical vulnerability that poses a severe threat to Parallels Desktop users on macOS. If exploited, attackers can fully compromise a system by gaining root privileges.

⚠️ RECOMMENDATION: All Parallels Desktop users must take immediate security measures and reconsider using the software until an official patch is available.

🚨 Protect your system before attacks begin! 🚨