Parallels Remote Application Server credentials management errors

Posted date
14/12/2021
Importance
4 - Alta
Affected Resources

Parallels Remote Application Server (Client) version 15.5 to 17.

Description

INCIBE has coordinated the publication of a vulnerability in Parallels Remote Application Server, with the internal code INCIBE-2021-0512, which has been discovered by Francisco Palma, Diego León and David Jiménez from Zerolynx.

CVE-2020-8968 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated, the CVSS vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Solution

Parallels periodically publish the fixes and note patches in their knowledge base.

Detail

Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS.

The confidentiality, availability and integrity of the information of the user can be compromised if an attacker is able to recover the profile password.

CWE-255: credentials management errors.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración

botón arriba