SecurityWeek

Parallels Desktop for Mac Feature Allows Guest-to-Host VM Escape

An integration feature that allows Parallels Desktop users to access Windows folders from Mac OS X operating systems can be exploited for a guest-to-host virtual machine (VM) escape, a researcher has found.

Russian security researcher and developer Dmitry Oleksiuk has analyzed the “Access Windows folders from Mac” feature in Parallels Desktop 10 for Mac (the latest version). The feature, which is enabled by default, allows users to navigate to their Windows folders and files from Mac OS X by mounting Windows disks to “/Volumes.” When the feature is enabled, users are also given the ability to open files from the Windows guest operating system on Mac OS X via the context menu that appears when a file is right-clicked in Windows Explorer.

The target file is opened on the host side with the privileges of the current OS X user, which, according to Oleksiuk, means that the “Access Windows folders from Mac” feature “breaks a security model that you’re usually expecting from guest-host interaction.”

According to the researcher, an attacker can’t leverage this to execute a shell script or an AppleScript file because the files are opened in a text editor. 

“But there’s still a lot of other evil things that attacker can do with the ability of arbitrary file opening. For example, it’s possible to write a Java .class that executes specified command and saves its output to the guest file system,” Oleksiuk explained in a blog post.

The researcher has developed a proof-of-concept (PoC) guest-to-host VM escape exploit for Parallels Desktop and demonstrated that arbitrary code execution on the host side is possible. The expert says the exploit works on all versions of Microsoft’s operating system as long as the user belongs to the “Everyone” security group in Windows. While the PoC has been written for Windows, Oleksiuk has pointed out that the issue affects Linux and OS X guest operating systems as well.

Oleksiuk says the issue he has highlighted is more of an “incomplete documentation issue,” rather than an actual vulnerability. However, other experts who have analyzed the Russian researcher’s findings believe it could be viewed as a vulnerability. 

“The blog suggests that the Parallels documentation does not state that once you enable guest file system sharing, the guest can break out from VM. So even a security-conscious user who reads docs may decide this option is benign,” said Rafal Wojtczuk, a Bromium researcher who specializes in virtualization security.

“It is a critical issue for anyone running untrusted code in Parallels VM on Mac. Especially that the issue is present in the default config. It is easy for a malware writer to add code that checks whether malware runs in Parallels VM and if so, then reliably escape to the host,” Wojtczuk told SecurityWeek.

The easiest way for users to protect themselves against potential attacks is to disable the “Access Windows folders from Mac” option.

Parallels says it plans to improve the Parallels Desktop for Mac documentation to make it clearer how to configure integration options between Windows and Mac.

“A concerned user can configure individual integration features or simply check the ‘Isolate Windows from Mac’ option on the Security tab of a virtual machine configuration which will completely disable access to Mac from Windows side,” Parallels representatives told SecurityWeek.

Anup Ghosh, founder and CEO of Invincea, believes Oleksiuk’s report is a good example of how sharing of the host file system in the guest VM can be exploited to gain privileged access on the host.

“However, we should not be surprised by this nor blame Parallels for this. Parallels is a virtualization solution for running another operating system and its applications. It is not a security solution,” Ghosh said via email. “Rather it is designed and configured to support multiple operating systems to run concurrently on the same hardware. Virtualization should not be confused with security for this reason. Depending on virtualization software for security without securing the interaction between the guest and host will only lead to failed security expectations.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
