> [Description]
> Parallels 13 uses cleartext HTTP as part of the update process, allowing man-in-the-middle attacks.
> A local attacker can manipulate the connections and perform the attack to gain higher privileges on the system.
> Users of out-of-date versions are presented with a pop-up window for
> a parallels_updates.xml file on the http://update.parallels.com web site.
>
> ------------------------------------------
>
> [Additional Information]
> Remote attack to trick the user into installing the malicious
> application instead of the original one, without verifying which
> application is being downloaded, and putting links and texts of the
> attacker's choice to trick the user into downloading unrelated material
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> MITM attack - Local
>
> ------------------------------------------
>
> [Vendor of Product]
> parallels
>
> ------------------------------------------
>
> [Affected Product Code Base]
> parallels - parallels 13
>
> ------------------------------------------
>
> [Affected Component]
> Update Popup
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Download any sort of application without checking for the application authenticity
>
> ------------------------------------------
>
> [Attack Vectors]
> Once the update popup runs (it normally runs if the application is not
> updated), an HTTP request will be made to
> "http://update.parallels.com/desktop/v13/parallels/parallels_updates.xml",
> which will have the information to install the new updates; the attacker can
> change the path for the downloaded updates to malicious ones, and put
> malicious HTML commands to execute
>
> ------------------------------------------
>
> [Reference]
> https://parallels.com
>
> ------------------------------------------
>
> [Discoverer]
> Ahmed Mohamed Almorabea

Use CVE-2020-7213.
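
A defensive check for the update flow described in the report, as an added example that is not part of the original report or the vendor's code: it refuses a manifest or download URL that is not HTTPS on an allow-listed host and flags markup in release-note text. The manifest element names, the sample XML, the download path and the allow-list are assumptions; the real parallels_updates.xml schema is not shown on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: the only host this updater should ever contact.
ALLOWED_HOSTS = {"update.parallels.com"}

# Constructed manifest; element names are hypothetical, not the vendor's schema.
SAMPLE_MANIFEST = """<updates>
  <update version="13.0.1">
    <url>http://update.parallels.com/desktop/v13/installer.dmg</url>
    <notes>Bug fixes &lt;a href="http://example.invalid/x"&gt;details&lt;/a&gt;</notes>
  </update>
</updates>"""

def check_url(url):
    """Return the reasons an updater must not fetch this URL (empty if none)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("cleartext or non-HTTPS scheme: " + (parts.scheme or "none"))
    if parts.hostname not in ALLOWED_HOSTS:
        problems.append("host not on allow-list: " + str(parts.hostname))
    return problems

def audit_manifest(manifest_url, manifest_xml):
    """Audit where the manifest came from and every URL and note it carries."""
    findings = [("manifest", p) for p in check_url(manifest_url)]
    root = ET.fromstring(manifest_xml)
    for update in root.iter("update"):
        version = update.get("version", "?")
        for url_el in update.iter("url"):
            for p in check_url((url_el.text or "").strip()):
                findings.append((version, p))
        for notes in update.iter("notes"):
            # Escaped tags show up in .text; raw child elements show up in len().
            if "<" in (notes.text or "") or len(notes):
                findings.append((version, "markup in release notes; render as plain text"))
    return findings

if __name__ == "__main__":
    source = "http://update.parallels.com/desktop/v13/parallels/parallels_updates.xml"
    for where, problem in audit_manifest(source, SAMPLE_MANIFEST):
        print(where, "->", problem)
```

Transport checks alone do not prove that a downloaded package is authentic; an updater would still verify the vendor's code signature on the file before installing it.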