Remote Application Server Vulnerability - CVE-2020-15860

119 users found this article helpful

Severity

Medium

Description

Parallels Remote Application Server (RAS) has a Business Logic Error causing remote code execution. This may allow an authenticated user to tamper with requests between Parallels Clients and backend servers resulting  in unintended access to any server in the Parallels RAS Farm or other servers in the same internal domain. In addition, authenticated user may be able to launch and execute applications not made available via Parallels RAS filtering in the environment.

Reference

CVE-2020-15860 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15860

 

Solution

A fix for CVE-2020-158606 is available in Remote Application Server v17.1.2.1-21873. This security patch requires both a Server and Client upgrade. 

Once the RAS Farm is upgraded, when opening the Console one will be prompted to "Allow only clients with the latest security patches" to connect. 

UpgradeClient

Clicking on "Yes" will automatically enable this option. This means that Client without the latest Parallels security patches would not be able to connect

This option can also be enabled at a later stage. This can be done as follows:

1.  Farm > Connection > Allowed Devices.

2.  Enable "Allow only clients with the latest security patches" option

 

Allow only clients with latest security patches

 

Important Note: If the "Allow only clients with the latest security patches" is enabled, only Parallels Clients showing Security patch version 1, which is the latest security patch are able to connect. This can be confirmed from the Parallels Client > Help> About.

ClientAbout

 

Upgrade Instructions

The upgrade to version Remote Application Server v17.1.2.1-21873 should be done in the following order. 

Step 1: Upgrade Parallels Client - The latest version of the Parallels Client can be downloaded from here: https://www.parallels.com/products/ras/download/client/

Step 2: Upgrade Parallels Tenant Broker (TB) (In Case of Multi Tenancy) - A regular Remote Application Server (RAS) installer should be launched the installation wizard will guide you through the upgrade. 

Step 3: Upgrade Farm: To upgrade the Remote Application Server Farm, one should follow instructions here: https://kb.parallels.com/en/124573

 

 

Was this article helpful?

Tell us how we can improve it.