The Remote Application Server in Parallels RAS before 19.2.23975 does not segment virtualized applications from the server, which allows a remote attacker to achieve remote code execution via standard kiosk breakout techniques.
The error consists of a lack of proper segmentation (isolation) of virtualized applications from the host server environment. An attacker without any authentication, acting remotely over the network, can apply techniques known as kiosk breakout — escape methods known from restricted kiosk/terminal environments — to break out of the virtualized application context and gain access to the underlying system. As a result, arbitrary commands can be executed on the server (RCE).
An attacker can take full control of the server, gaining the ability to read and modify data, install malicious software, and further spread within the organization's infrastructure (lateral movement).
Parallels Remote Application Server must be immediately updated to version 19.2.23975 or later. Details are available in the vendor's references and in the researchers' report at the address indicated in the CVE references section.
Parallels Remote Application Server (RAS) in all versions prior to 19.2.23975
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HParallels Remote Application Server
APPParallels< 19.2.23975
Related vulnerabilities
Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It ...
Parallels Desktop Technical Data Reporter Link Following Local Privilege Escalation Vulnerability. This vulne...
The Web Client of Parallels Remote Application Server v18.0 is vulnerable to Host Header Injection attacks. Th...
Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clea...
In the web interface of Parallels Remote Application Server (RAS) 15.5 Build 16140, a vulnerability exists due...