
Parallels Desktop for Mac Feature Allows Guest-to-Host VM Escape

An integration feature that allows Parallels Desktop users to access Windows folders from Mac OS X can be exploited for a guest-to-host virtual machine (VM) escape, a researcher has found.

Russian security researcher and developer Dmitry Oleksiuk has analyzed the “Access Windows folders from Mac” feature in Parallels Desktop 10 for Mac (the latest version). The feature, which is enabled by default, allows users to navigate to their Windows folders and files from Mac OS X by mounting Windows disks to “/Volumes.” When the feature is enabled, users are also given the ability to open files from the Windows guest operating system on Mac OS X via the context menu that appears when a file is right-clicked in Windows Explorer.

The target file is opened on the host side with the privileges of the current OS X user, which, according to Oleksiuk, means that the “Access Windows folders from Mac” feature “breaks a security model that you’re usually expecting from guest-host interaction.”

Parallels Desktop 10

According to the researcher, an attacker can’t leverage this to execute a shell script or an AppleScript file because the files are opened in a text editor. 

“But there’s still a lot of other evil things that an attacker can do with the ability of arbitrary file opening. For example, it’s possible to write a Java .class that executes a specified command and saves its output to the guest file system,” Oleksiuk explained in a blog post.

The researcher has developed a proof-of-concept (PoC) guest-to-host VM escape exploit for Parallels Desktop and demonstrated that arbitrary code execution on the host side is possible. The expert says the exploit works on all versions of Microsoft’s operating system as long as the user belongs to the “Everyone” security group in Windows. While the PoC has been written for Windows, Oleksiuk has pointed out that the issue affects Linux and OS X guest operating systems as well.

Oleksiuk says the issue he has highlighted is more of an “incomplete documentation issue,” rather than an actual vulnerability. However, other experts who have analyzed the Russian researcher’s findings believe it could be viewed as a vulnerability. 

“The blog suggests that the Parallels documentation does not state that once you enable guest file system sharing, the guest can break out from VM. So even a security-conscious user who reads docs may decide this option is benign,” said Rafal Wojtczuk, a Bromium researcher who specializes in virtualization security.


“It is a critical issue for anyone running untrusted code in Parallels VM on Mac. Especially that the issue is present in the default config. It is easy for a malware writer to add code that checks whether malware runs in Parallels VM and if so, then reliably escape to the host,” Wojtczuk told SecurityWeek.

The easiest way for users to protect themselves against potential attacks is to disable the “Access Windows folders from Mac” option.

Parallels Virtualization Security Settings

Parallels says it plans to improve the Parallels Desktop for Mac documentation to make it clearer how to configure the integration options between Windows and Mac.

“A concerned user can configure individual integration features or simply check the ‘Isolate Windows from Mac’ option on the Security tab of a virtual machine configuration, which will completely disable access to Mac from the Windows side,” Parallels representatives told SecurityWeek.

Anup Ghosh, founder and CEO of Invincea, believes Oleksiuk’s report is a good example of how sharing of the host file system in the guest VM can be exploited to gain privileged access on the host.

“However, we should not be surprised by this nor blame Parallels for this. Parallels is a virtualization solution for running another operating system and its applications. It is not a security solution,” Ghosh said via email. “Rather it is designed and configured to support multiple operating systems to run concurrently on the same hardware. Virtualization should not be confused with security for this reason. Depending on virtualization software for security without securing the interaction between the guest and host will only lead to failed security expectations.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
