Parsec Security Advisory
Date Reported
5/10/2023
Affected Packages
Versions of Parsec Loader <= 8
Security database references
VU#287122
Summary
The Parsec updater for Windows was prone to a local privilege escalation vulnerability; a fix has been deployed. Customers can verify that the fix is running by checking the logs on clients and/or hosts for "Loader: 9". Logs are accessible on individual machines by clicking the Help button (the "?" icon) and selecting "log file".
Example:
Log: Parsec release[release 20] (150-88d, Service: 7, Loader: 9)
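For anyone sweeping more than a handful of machines, the check above is easier to script than to eyeball. The following is an added example, not Parsec's code: it pulls the loader version out of the log format shown above and compares it numerically, so a later loader (10, 11, ...) is also counted as fixed, which a plain text search for "Loader: 9" would miss. The sample log text is constructed for the example; the log file path is whatever the Help button shows on your machine.

```python
import re

# Matches the version tuple Parsec writes to its log, e.g.
# "Log: Parsec release[release 20] (150-88d, Service: 7, Loader: 9)"
LOG_RE = re.compile(r"Service:\s*(?P<service>\d+),\s*Loader:\s*(?P<loader>\d+)")
FIXED_LOADER = 9  # first loader version carrying the fix, per the advisory

# Constructed sample logs: only the line format is taken from the advisory,
# the release/build numbers are made up for the example.
SAMPLE_UPDATED = (
    "Log: Parsec release[release 19] (149-aa1, Service: 7, Loader: 8)\n"
    "Log: Parsec release[release 20] (150-88d, Service: 7, Loader: 9)\n"
)
SAMPLE_STALE = "Log: Parsec release[release 19] (149-aa1, Service: 7, Loader: 8)\n"


def loader_version(log_text: str):
    """Return the loader version from the last matching line, or None if absent.

    The last match wins: a log that spans an update contains both the old and
    the new version line, and only the most recent reflects what is running.
    """
    version = None
    for m in LOG_RE.finditer(log_text):
        version = int(m.group("loader"))
    return version


def is_patched(log_text: str) -> bool:
    """True if the most recent loader version is at least FIXED_LOADER."""
    v = loader_version(log_text)
    return v is not None and v >= FIXED_LOADER


def check_log_file(path: str) -> bool:
    """Fleet-sweep helper: read one machine's Parsec log and judge it."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return is_patched(f.read())
```

A machine whose log has no version line at all is reported as not patched rather than skipped, so it shows up in the sweep for manual follow-up.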
More information
Security researcher Julian Horoszkiewicz reported a local privilege escalation vulnerability impacting Parsec for Windows. When exploited, this vulnerability allowed a local user with Parsec access to gain NT AUTHORITY\SYSTEM privileges.
The vulnerability is a time-of-check time-of-use (TOCTOU) race condition: there was a small window between verifying the signature and integrity of the update DLL and the execution of its DllMain.
By winning this race, a local attacker could swap out the officially signed Parsec DLL for a DLL of their own, which would then be executed as SYSTEM.
To the best knowledge of Mr. Horoszkiewicz and the Parsec/Unity team, this TOCTOU vulnerability cannot be exploited when Parsec has been installed as Shared User. Exploitation is only possible when Parsec has been installed Per User and the ProgramData folder location has not been altered to use a nested folder, e.g. C:\some\other\folder\ProgramData\Parsec. Default Shared User locations used by the Parsec installer should not be affected.
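To make the bug class concrete, the following is an added model of the race, not Parsec's code (the real updater is native Windows code that is not reproduced on this page). It runs on an ordinary POSIX filesystem: a SHA-256 compare stands in for Authenticode verification, and reading a file's bytes stands in for loading the DLL and running its DllMain. The "attacker" is a callback that atomically replaces the file inside the window, which is what a local user with write access to the directory can do. All file contents are constructed for the example.

```python
"""TOCTOU model: verify by path then load by path, versus verify the bytes you load."""
import hashlib
import os
import tempfile

# Constructed stand-ins for a correctly signed update DLL and an attacker's DLL.
TRUSTED_DLL = b"trusted parsec update dll"
MALICIOUS_DLL = b"attacker controlled dll"
TRUSTED_HASH = hashlib.sha256(TRUSTED_DLL).hexdigest()


def verify_bytes(data: bytes, expected_hash: str) -> bool:
    """Stand-in for signature/integrity verification (hash compare, not Authenticode)."""
    return hashlib.sha256(data).hexdigest() == expected_hash


def vulnerable_load(path: str, expected_hash: str, between_check_and_use=None) -> bytes:
    """Checks the file at `path`, then re-opens `path` to load it.

    The two opens can resolve to different files: anyone who can write to the
    directory can swap the file in between, which `between_check_and_use` models.
    """
    with open(path, "rb") as f:              # time of check: open by path, verify
        if not verify_bytes(f.read(), expected_hash):
            raise ValueError("signature check failed")
    if between_check_and_use:
        between_check_and_use()              # the race window
    with open(path, "rb") as f:              # time of use: open by path AGAIN
        return f.read()                      # "DllMain" runs on whatever is there now


def hardened_load(path: str, expected_hash: str, between_check_and_use=None) -> bytes:
    """Reads the file once and verifies exactly the bytes it is about to execute."""
    with open(path, "rb") as f:
        data = f.read()                      # single read; the path is never consulted again
    if between_check_and_use:
        between_check_and_use()              # a swap now changes nothing we hold
    if not verify_bytes(data, expected_hash):
        raise ValueError("signature check failed")
    return data


def swap_attack(target: str, payload: bytes):
    """Callback that atomically replaces `target` with `payload`, as a local
    attacker with write access to the containing directory could."""
    def _swap():
        tmp = target + ".tmp"
        with open(tmp, "wb") as f:
            f.write(payload)
        os.replace(tmp, target)              # atomic rename over the verified file
    return _swap


def run_demo() -> dict:
    """Runs both loaders against the same swap; returns what each ended up executing."""
    results = {}
    for name, loader in (("vulnerable", vulnerable_load), ("hardened", hardened_load)):
        with tempfile.TemporaryDirectory() as d:
            dll = os.path.join(d, "parsec-update.dll")
            with open(dll, "wb") as f:
                f.write(TRUSTED_DLL)         # the legitimate, "signed" update is on disk
            results[name] = loader(dll, TRUSTED_HASH, swap_attack(dll, MALICIOUS_DLL))
    return results


def verification_rejects_swap() -> bool:
    """Sanity check: a swap that lands before the check is caught by the check itself.
    The bug is the window between check and use, not the check."""
    with tempfile.TemporaryDirectory() as d:
        dll = os.path.join(d, "parsec-update.dll")
        with open(dll, "wb") as f:
            f.write(MALICIOUS_DLL)
        try:
            hardened_load(dll, TRUSTED_HASH)
        except ValueError:
            return True
    return False
```

In the real updater the "use" is LoadLibrary, which takes a path, so the fix cannot literally be "execute the bytes you hashed" as the model does. The equivalents on Windows are to copy the update into a directory that unprivileged users cannot write before verifying and loading it, or to hold the file open without write or delete sharing across both steps so that it cannot be replaced. Either way the principle is the same: the privileged component must not let an unprivileged writer touch the file between the check and the use, which is consistent with the advisory's observation that exploitability depends on where the per-user install keeps its files.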
To force an update, either completely quit and re-open the application several times until the loader is updated (confirm this in the logs), or download a special installer that only updates the files inside Program Files from https://builds.parsec.app/package/parsec-update-executables.exe.
Timeline
- Parsec was made aware of a vulnerability report via CERT CSIRT on May 23, 2023
- Parsec created an incident room and issue, to track the report and begin triage on May 23, 2023
- Parsec began the account verification process, which was completed on May 31, 2023
- Mr. Horoszkiewicz provided a comprehensive analysis and proof of concept script to help reproduce the issue in the Parsec QA labs
- Parsec contacted Mr. Horoszkiewicz with a QA build that contained the proposed fix, which Mr. Horoszkiewicz verified with additional information on June 5, 2023
- Parsec released the fix, which was automatically applied to vulnerable systems between June 7-9, 2023. Parsec plans to follow up in a future build with additional improvements to completely remove this privilege separation.
- Parsec released this advisory on August 7, 2023
References
https://atos.net/en/lp/securitydive/roaming-and-racing-to-get-system-cve-2023-37250