Parallels Remote Application Server (RAS) has a Business Logic Error causing remote code execution. This may allow an authenticated user to tamper with requests between Parallels Clients and backend servers resulting in unintended access to any server in the Parallels RAS Farm or other servers in the same internal domain. In addition, authenticated user may be able to launch and execute applications not made available via Parallels RAS filtering in the environment.
CVE-2020-15860 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15860
A fix for CVE-2020-158606 is available in Remote Application Server v188.8.131.52-21873. This security patch requires both a Server and Client upgrade.
Once the RAS Farm is upgraded, when opening the Console one will be prompted to "Allow only clients with the latest security patches" to connect.
Clicking on "Yes" will automatically enable this option. This means that Client without the latest Parallels security patches would not be able to connect
This option can also be enabled at a later stage. This can be done as follows:
1. Farm > Connection > Allowed Devices.
2. Enable "Allow only clients with the latest security patches" option
Important Note: If the "Allow only clients with the latest security patches" is enabled, only Parallels Clients showing Security patch version 1, which is the latest security patch are able to connect. This can be confirmed from the Parallels Client > Help> About.
The upgrade to version Remote Application Server v184.108.40.206-21873 should be done in the following order.
Step 1: Upgrade Parallels Client - The latest version of the Parallels Client can be downloaded from here: https://www.parallels.com/products/ras/download/client/
Step 2: Upgrade Parallels Tenant Broker (TB) (In Case of Multi Tenancy) - A regular Remote Application Server (RAS) installer should be launched the installation wizard will guide you through the upgrade.
Step 3: Upgrade Farm: To upgrade the Remote Application Server Farm, one should follow instructions here: https://kb.parallels.com/en/124573