CVE-2020-15860

Discussion in 'Parallels Remote Application Server' started by PatrickD8, Sep 24, 2020.

  1. PatrickD8

    PatrickD8 Member

    Messages:
    41
    Hi Parallels Team,

    We updated our RAS environment to v17.1.2.1-21873 to prevent CVE-2020-15860.
    In your KB article https://kb.parallels.com/en/125112 you write that the Parallels Client must also be on the latest version in order to completely prevent the security problem. Unfortunately, there are several customers who are still using older OS versions that the newer Parallels Client is not compatible with. In addition, not all users have administrator rights for the update or thin clients with write filters are in use.

    We understand that it is safest to always use the latest version. For our customers, however, given the number of clients, this involves much more effort than just installing an update.

    So my question to you: Is the RAS infrastructure still vulnerable to CVE-2020-15860 without using the latest version of the Parallels Client and how high is the risk if you allow older Parallels Client versions?

    I assume that the protocol was adapted to protect the components equally. This is good in my opinion, but takes a lot of flexibility from the software.

    Best regards
    Patrick
     
  2. Alexey Kutuzov

    Alexey Kutuzov Parallels Team

    Messages:
    83
    Dear Patrick,
    To get the benefit of the security patch, you must have both sides of the communication (client and server) at the same security level. Client and server negotiate the connection security level; therefore, if the client has a lower level and you don't force the option on the server side, the connection is established using the client's security level (= not safe).
     
  3. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    Hi Patrick,
    I should start with the fact that having the update installed on a server eliminates the threat from the main attack vector - the HTML5 Client.
    On top of that, even if the CVE states that it is possible to launch any app on any server, it is not really that simple. All remote desktop permissions are still respected, and a user who is logging in with a potentially hacked client (the existence of which is not known to us) must at least be a member of Remote Desktop Users in order to connect to an unauthorised server.

    Regards,
    Eugene
     

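The negotiation behaviour Alexey describes (the session drops to the client's level unless the server forces its own) and the audit question Patrick asks, as an added example that is not Parallels code. It assumes a version string shaped like "17.1.2.1-21873" (release, then build), a boolean standing in for the unnamed server-side enforcement option, and a constructed client inventory.

```python
"""Model of the client/server security-level negotiation from this thread.

Assumptions (not from Parallels documentation): a connection runs at the lower
of the two sides' levels unless the server enforces its own; a side is "patched"
when its version is >= the server build named in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PATCHED_VERSION = "17.1.2.1-21873"  # server build named in the thread


def parse_version(v: str) -> Tuple[int, ...]:
    """'17.1.2.1-21873' -> (17, 1, 2, 1, 21873); a missing build sorts lowest."""
    release, _, build = v.partition("-")
    parts = [int(p) for p in release.split(".")]
    parts.append(int(build) if build else 0)
    return tuple(parts)


def is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(PATCHED_VERSION)


@dataclass
class Client:
    name: str
    version: str


def negotiate(client: Client, enforce: bool) -> Tuple[str, str]:
    """Return (client name, outcome) against a patched server.

    outcome: 'patched' = full security level, 'legacy' = downgraded to the old
    client's level, 'rejected' = server enforces its level and refuses the client.
    """
    if is_patched(client.version):
        return client.name, "patched"
    return client.name, ("rejected" if enforce else "legacy")


def audit(clients: List[Client], enforce: bool) -> Dict[str, List[str]]:
    """Group an inventory by outcome so the downgrade exposure (or the breakage
    enforcement would cause) is visible before flipping the server option."""
    result: Dict[str, List[str]] = {"patched": [], "legacy": [], "rejected": []}
    for client in clients:
        name, outcome = negotiate(client, enforce)
        result[outcome].append(name)
    return result


CLIENTS = [  # constructed inventory; the old build numbers are made up
    Client("win10-office", "17.1.2.1-21873"),
    Client("win7-warehouse", "16.5.2.1-19500"),
    Client("thinclient-lobby", "17.0.1.1-20100"),
]
```

Running `audit(CLIENTS, enforce=False)` lists the two old clients under "legacy" (sessions silently downgraded); with `enforce=True` the same two move to "rejected", which is the trade-off the thread is about.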