
Parallels Desktop for Mac Feature Allows Guest-to-Host VM Escape

An integration feature that allows Parallels Desktop users to access Windows folders from Mac OS X can be exploited for a guest-to-host virtual machine (VM) escape, a researcher has found.

Russian security researcher and developer Dmitry Oleksiuk has analyzed the “Access Windows folders from Mac” feature in Parallels Desktop 10 for Mac (the latest version). The feature, which is enabled by default, allows users to navigate to their Windows folders and files from Mac OS X by mounting Windows disks to “/Volumes.” When the feature is enabled, users are also given the ability to open files from the Windows guest operating system on Mac OS X via the context menu that appears when a file is right-clicked in Windows Explorer.

The target file is opened on the host side with the privileges of the current OS X user, which, according to Oleksiuk, means that the “Access Windows folders from Mac” feature “breaks a security model that you’re usually expecting from guest-host interaction.”

Parallels Desktop 10

According to the researcher, an attacker can’t leverage this to execute a shell script or an AppleScript file because the files are opened in a text editor. 

“But there’s still a lot of other evil things that an attacker can do with the ability of arbitrary file opening. For example, it’s possible to write a Java .class that executes a specified command and saves its output to the guest file system,” Oleksiuk explained in a blog post.

The researcher has developed a proof-of-concept (PoC) guest-to-host VM escape exploit for Parallels Desktop and demonstrated that arbitrary code execution on the host side is possible. The expert says the exploit works on all versions of Microsoft’s operating system as long as the user belongs to the “Everyone” security group in Windows. While the PoC has been written for Windows, Oleksiuk has pointed out that the issue affects Linux and OS X guest operating systems as well.

Oleksiuk says the issue he has highlighted is more of an “incomplete documentation issue,” rather than an actual vulnerability. However, other experts who have analyzed the Russian researcher’s findings believe it could be viewed as a vulnerability. 

“The blog suggests that the Parallels documentation does not state that once you enable guest file system sharing, the guest can break out from VM. So even a security-conscious user who reads docs may decide this option is benign,” said Rafal Wojtczuk, a Bromium researcher who specializes in virtualization security.

“It is a critical issue for anyone running untrusted code in a Parallels VM on Mac, especially as the issue is present in the default config. It is easy for a malware writer to add code that checks whether malware runs in a Parallels VM and, if so, then reliably escape to the host,” Wojtczuk told SecurityWeek.

The easiest way for users to protect themselves against potential attacks is to disable the “Access Windows folders from Mac” option.

Parallels Virtualization Security Settings

Parallels says it plans to improve the Parallels Desktop for Mac documentation to make it clearer how to configure the integration options between Windows and Mac.

“A concerned user can configure individual integration features or simply check the ‘Isolate Windows from Mac’ option on the Security tab of a virtual machine configuration, which will completely disable access to Mac from the Windows side,” Parallels representatives told SecurityWeek.

Anup Ghosh, founder and CEO of Invincea, believes Oleksiuk’s report is a good example of how sharing of the host file system in the guest VM can be exploited to gain privileged access on the host.

“However, we should not be surprised by this nor blame Parallels for this. Parallels is a virtualization solution for running another operating system and its applications. It is not a security solution,” Ghosh said via email. “Rather it is designed and configured to support multiple operating systems to run concurrently on the same hardware. Virtualization should not be confused with security for this reason. Depending on virtualization software for security without securing the interaction between the guest and host will only lead to failed security expectations.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
