{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/287122#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nParsec updater for Windows was prone to a local privilege escalation vulnerability that allowed a local user with Parsec access to gain NT_AUTHORITY/SYSTEM privileges.\r\n\r\n### Description\r\nThe vulnerability is a time-of-check time-of-use (TOCTOU) vulnerability. There existed a small window between verifying the signature and integrity of the update DLL and the execution of DllMain. \r\n\r\nBy exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250.\r\n\r\n**CVE-2023-37250**\r\nThe application launches DLLs from a User owned directory. Since the user owns both the DLL file and the directory, it is possible to (successfully) attempt tricking Parsec into loading an unsigned/arbitrary DLL file and execute its DllMain() method with SYSTEM privileges, creating a Local Privilege Escalation vulnerability.\r\n\r\n### Impact\r\nBy exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user.\r\n\r\n### Solution\r\nThe vulnerability applies to a \"Per User\" installation as opposed to a \"Shared User\". There is an update that has been made available. To force an update, you can either completely quit and re-open the application several times until the loader is updated (confirm this in the logs), or download a special installer that only updates the files inside of the program files from https://builds.parsec.app/package/parsec-update-executables.exe.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Julian Horoszkiewicz. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/287122"},{"url":"https://atos.net/en/lp/securitydive/roaming-and-racing-to-get-system-cve-2023-37250","summary":"https://atos.net/en/lp/securitydive/roaming-and-racing-to-get-system-cve-2023-37250"},{"url":"https://support.parsec.app/hc/en-us/articles/18311425588237-CVE-2023-37250","summary":"https://support.parsec.app/hc/en-us/articles/18311425588237-CVE-2023-37250"}],"title":"Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process","tracking":{"current_release_date":"2023-08-16T16:18:56+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#287122","initial_release_date":"2023-08-16 16:18:56.594233+00:00","revision_history":[{"date":"2023-08-16T16:18:56+00:00","number":"1.20230816161856.1","summary":"Released on 2023-08-16T16:18:56+00:00"}],"status":"final","version":"1.20230816161856.1"}},"vulnerabilities":[{"title":"The application launches DLLs from a User owned directory.","notes":[{"category":"summary","text":"The application launches DLLs from a User owned directory. Since the user owns both the DLL file and the directory, it is possible to (successfully) attempt tricking Parsec into loading an unsigned/arbitrary DLL file and execute its DllMain() method with SYSTEM privileges, creating a Local Privilege Escalation vulnerability."}],"cve":"CVE-2023-37250","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#287122"}],"product_status":{"known_affected":["CSAFPID-20fdf0e2-39cd-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Parsec","product":{"name":"Parsec Products","product_id":"CSAFPID-20fdf0e2-39cd-11f1-8422-122e2785dc9f"}}]}}