CVE-2023-37250: 
NixOS vulnerability analysis and mitigation

Unity Parsec contains a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability identified as CVE-2023-37250. The vulnerability affects Parsec Loader versions through 8 and allows local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The issue stems from the application launching DLLs from a user-owned directory while attempting to perform integrity verification of those DLLs (CERT Advisory, NVD).

The vulnerability is a TOCTOU race condition that exists between the time of verifying the signature and integrity of the update DLL and the execution of DLL main. The application launches DLLs from a user-owned directory, and since the user owns both the DLL file and the directory, it becomes possible to trick Parsec into loading an unsigned/arbitrary DLL file and execute its DllMain() method with SYSTEM privileges. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, CERT Advisory).

By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL they created, which would subsequently be executed as the SYSTEM user. This allows for local privilege escalation to the highest system privileges (CERT Advisory).

The vulnerability has been fixed in Parsec Loader version 9. Users can force an update by either completely quitting and re-opening the application several times until the loader is updated (confirming in the logs), or by downloading a special installer that updates the files inside of the program files from https://builds.parsec.app/package/parsec-update-executables.exe (CERT Advisory).