A critical 0-day vulnerability in Parallels Desktop virtualization software has been publicly disclosed, enabling local attackers to escalate privileges to root-level access on macOS systems.
All versions of Parallels Desktop, including the most recent 20.2.1 (55876), are vulnerable to the flaw identified as CVE-2024-34331, which results from insufficient security controls in the application’s macOS installer repackaging subsystem.
Security researcher Mickey Jin (@patch1t) released proof-of-concept (PoC) exploits demonstrating two distinct bypass methods for CVE-2024-34331, a previously patched privilege escalation flaw.
Parallels Desktop 0-Day Vulnerability
The vulnerability resides in Parallels Desktop’s repack_osx_install_app.sh script, which handles macOS installer repackaging operations with root privileges via the prl_disp_service daemon.
The original CVE-2024-34331 patch introduced Apple code signature verification for the createinstallmedia binary using the codesign -v -R="anchor apple" command.
However, researchers identified two critical bypass mechanisms:
Time-of-Check to Time-of-Use (TOCTOU) Exploitation:
Attackers can replace the legitimate createinstallmedia binary with a malicious payload during the narrow window between signature verification and execution.
Jin’s first PoC (exploit1.sh) demonstrates this by creating a fake macOS installer bundle with /bin/ls masquerading as createinstallmedia and triggering Parallels’ repackaging workflow.
The binary is then swapped for a payload script while the temporary directory is being created, after the signature check has already passed.
The payload executes with root privileges via the SUID-enabled prl_disp_service, enabling commands like touch /Library/lpe to create persistence mechanisms.
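As an added illustration, not taken from Jin’s PoC or from Parallels’ script, the following Python reproduces the check-then-use race in deterministic form and shows the fix: a SHA-256 allow-list stands in for the codesign check, the attacker’s swap is a callback invoked inside the window, and the hardened variant copies the binary into a private directory before verifying and running that copy. File contents and names are constructed for the example.

```python
"""Constructed simulation of a verify-then-execute race (not Parallels code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Optional

GOOD = b"#!/bin/sh\necho legitimate createinstallmedia\n"  # constructed content
EVIL = b"#!/bin/sh\necho attacker payload\n"               # constructed content
TRUSTED = {hashlib.sha256(GOOD).hexdigest()}                # allow-list (stand-in)

def verify(path: Path) -> bool:
    """Stand-in for the signature check: accept only allow-listed hashes."""
    return hashlib.sha256(path.read_bytes()).hexdigest() in TRUSTED

def run(path: Path) -> bytes:
    """Stand-in for executing the binary as root: return what would run."""
    return path.read_bytes()

def naive_repack(binary: Path, swap: Callable[[], None]) -> Optional[bytes]:
    """Vulnerable pattern: verify a path, then execute the same path later."""
    if not verify(binary):
        return None
    swap()               # the race window: the checked file is replaced here
    return run(binary)   # runs whatever is at the path now

def hardened_repack(binary: Path, swap: Callable[[], None]) -> Optional[bytes]:
    """Copy to a private directory, then verify and run only the private copy.
    In real code the directory must be root-owned with mode 0700, not /tmp."""
    with tempfile.TemporaryDirectory() as priv:
        copy = Path(priv) / binary.name
        shutil.copy2(binary, copy)
        if not verify(copy):
            return None
        swap()           # the original is replaced, but the copy is unaffected
        return run(copy)

def demo() -> tuple:
    """Return (what the naive flow runs, what the hardened flow runs)."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "createinstallmedia"
        def swap() -> None:
            target.write_bytes(EVIL)
        target.write_bytes(GOOD)
        naive = naive_repack(target, swap)
        target.write_bytes(GOOD)
        hardened = hardened_repack(target, swap)
        return naive, hardened
```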
Weak Signature Enforcement via DYLIB Injection:
The “anchor apple” requirement allows any Apple-signed binary (e.g., /bin/ls) to pass verification.
Attackers can inject malicious dynamic libraries (DYLIBs) into these binaries using environment variable manipulation or DYLD_INSERT_LIBRARIES techniques.
This bypass leverages macOS’s code signing design to subvert Parallels’ security checks while maintaining legitimate Apple signatures.
Evolution of Exploit Techniques
Parallels attempted to mitigate these issues in version 19.4.1 by switching to a do_repack_manual function that uses 7z compression for installer creation.
However, Jin identified a path traversal vulnerability in the function’s handling of the CFBundleDisplayName parameter.
By setting this value to ../../../../../../tmp/lnk/result, attackers could:
- Create symbolic links redirecting root-owned directories
- Replace the 7z binary with a malicious payload during temporary file operations
- Trigger execution via Parallels’ privileged services.
The vendor later reverted to the vulnerable do_repack_createinstallmedia method in version 20.2.1, reactivating the original exploit vectors.
A video demonstration shows successful privilege escalation on updated systems.
Impact and Mitigation
All Intel-based macOS systems running Parallels Desktop 16.0.0 through 20.2.1 are vulnerable.
Apple Silicon devices remain unaffected due to differences in virtualization frameworks. Successful exploitation enables:
- Persistent root access via arbitrary file creation
- Bypass of macOS Transparency, Consent, and Control (TCC) protections
- Virtual machine escape in multi-user environments
Mitigation requires immediate removal of SUID permissions from Parallels tools, network segmentation of Parallels Desktop systems and monitoring for unauthorized /Library/lpe file creation.
This 0-day disclosure highlights critical failures in Parallels’ vulnerability management processes and third-party coordination through ZDI. With working PoCs available, organizations must assume active exploitation is imminent.
Until Parallels releases an official patch, system administrators should weigh the operational necessity of Parallels Desktop against potential security risks in enterprise environments.