CVE-2024-6153: CWE-693: Protection Mechanism Failure in Parallels Desktop
Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-19481.
AI Analysis
Technical Summary
CVE-2024-6153 is a vulnerability classified under CWE-693 (Protection Mechanism Failure) affecting Parallels Desktop version 18.1.0 (53311). The flaw resides in the Updater service, which fails to properly validate version information before applying updates. This allows a local attacker who already has the ability to execute low-privileged code on the host system to perform a software downgrade attack. By downgrading the software to an earlier, potentially vulnerable version, the attacker can leverage additional vulnerabilities present in older versions to escalate privileges to root and execute arbitrary code with full system privileges. The vulnerability does not require user interaction but does require prior low-privilege code execution, which could be achieved through other means such as local access or exploitation of other vulnerabilities. The CVSS v3.0 score of 7.8 reflects high severity, with high impact on confidentiality, integrity, and availability, and low attack complexity. Although no known exploits have been reported in the wild, the vulnerability represents a significant risk, especially in environments where multiple users have local access or where attackers can gain initial footholds with limited privileges. The lack of proper version validation in the update mechanism undermines the security model of Parallels Desktop, making it possible to bypass update protections and reintroduce older vulnerabilities. This vulnerability was assigned by the Zero Day Initiative (ZDI) as ZDI-CAN-19481 and publicly disclosed on June 20, 2024. No patches have been linked yet, so mitigation currently relies on limiting local access and monitoring for suspicious activity.
Potential Impact
The impact of CVE-2024-6153 is significant for organizations using Parallels Desktop 18.1.0, particularly in environments where multiple users have local access or where attackers can gain initial low-privilege code execution. Successful exploitation allows attackers to downgrade the software to older versions, potentially re-enabling previously patched vulnerabilities. This can lead to privilege escalation to root, enabling full control over the host system. The compromise of confidentiality, integrity, and availability is high, as attackers can execute arbitrary code with root privileges, potentially leading to data theft, system manipulation, and denial of service. The vulnerability could be chained with other exploits to achieve remote code execution or persistent compromise. Organizations relying on Parallels Desktop for virtualization, development, or testing may face operational disruptions and increased risk of lateral movement within their networks. The absence of known exploits in the wild currently reduces immediate risk, but the ease of exploitation once local code execution is obtained makes this a critical concern for endpoint security teams.
Mitigation Recommendations
1. Restrict local user access: Limit the number of users with local access to systems running Parallels Desktop to reduce the risk of initial low-privilege code execution.
2. Monitor and audit local activity: Implement robust monitoring to detect unusual update behaviors or attempts to downgrade software versions.
3. Apply principle of least privilege: Ensure users and processes have only the minimum privileges necessary to reduce the attack surface.
4. Use application whitelisting: Prevent unauthorized execution of downgraded or unauthorized Parallels Desktop binaries.
5. Network segmentation: Isolate systems running Parallels Desktop to limit lateral movement if compromised.
6. Stay updated: Monitor Parallels’ security advisories closely and apply patches promptly once released.
7. Employ endpoint detection and response (EDR) tools: Use advanced threat detection to identify exploitation attempts targeting the updater service.
8. Harden update mechanisms: Where possible, verify update integrity manually or through additional security controls until an official patch is available.
9. Educate users: Train users about the risks of executing untrusted code locally and the importance of reporting suspicious behavior.

These steps go beyond generic advice by focusing on controlling local access, monitoring update processes, and preparing for patch deployment.
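The version check the summary says is missing, and the downgrade monitoring recommended above, can be sketched together. This is an added example, not Parallels' code and not a description of how its Updater works; it assumes version strings in the `18.1.0 (53311)` form shown on this page, and the function names, hostnames and inventory records are hypothetical.

```python
import re
from typing import NamedTuple

class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int

# Assumed format: "major.minor.patch (build)", e.g. "18.1.0 (53311)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*\((\d+)\)\s*$")

def parse_version(text: str) -> Version:
    """Parse a version string; anything not matching the format is rejected."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unparseable version string: {text!r}")
    return Version(*(int(g) for g in m.groups()))

def allow_update(installed: str, candidate: str) -> bool:
    """Anti-rollback rule: the candidate must be strictly newer than what is
    installed. Unparseable input fails closed instead of being waved through."""
    try:
        return parse_version(candidate) > parse_version(installed)
    except ValueError:
        return False

def find_downgrades(snapshots):
    """Scan (timestamp, host, version) inventory records in time order and
    return (host, timestamp, previous, current) for each version regression."""
    last = {}
    findings = []
    for ts, host, ver in sorted(snapshots):
        current = parse_version(ver)
        prev = last.get(host)
        if prev is not None and current < prev[1]:
            findings.append((host, ts, prev[0], ver))
        last[host] = (ver, current)
    return findings

# Constructed sample inventory; "18.0.0 (50000)" is a made-up older version.
SAMPLE = [
    ("2024-06-01T09:00:00Z", "mac-01", "18.1.0 (53311)"),
    ("2024-06-02T09:00:00Z", "mac-01", "18.0.0 (50000)"),
    ("2024-06-01T09:00:00Z", "mac-02", "18.1.0 (53311)"),
    ("2024-06-03T09:00:00Z", "mac-02", "18.1.0 (53311)"),
]

if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE):
        print("version regression:", finding)
```

The regression scan only sees what the inventory source reports, so it is most useful when the snapshots come from a collector that low-privileged users on the host cannot modify.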
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-06-18T21:33:53.402Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 699f6bfcb7ef31ef0b55d543
Added to database: 2/25/2026, 9:39:08 PM
Last enriched: 2/26/2026, 3:02:45 AM
Last updated: 4/12/2026, 2:00:42 PM