Home / Early Warning / Security Advisories / Parallels Remote Application Server credentials management errors

Parallels Remote Application Server credentials management errors

Publication date: 
12/14/2021
Importance: 
4 - Alta
Affected resources: 

Parallels Remote Application Server (Client) version 15.5 to 17.

Description: 

INCIBE has coordinated the publication of a vulnerability in Parallels Remote Application Server, with the internal code INCIBE-2021-0512, which has been discovered by Francisco Palma, Diego León and David Jiménez from Zerolynx.

CVE-2020-8968 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated, the CVSS vector string is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.

Solution: 

Parallels periodically publish the fixes and note patches in their knowledge base.

Detail: 

Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS.

The confidentiality, availability and integrity of the information of the user can be compromised if an attacker is able to recover the profile password.

CWE-255: credentials management errors.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración