VMware has issued a security advisory regarding critical and high severity vulnerabilities in the VMware Enhanced Authentication Plug-in (EAP).

Description

The EAP plug-in [3] is a deprecated browser plug-in that provides seamless single sign-on (SSO) to vSphere's management interface from client workstations [1]. It is affected by two vulnerabilities [4].

The first, tracked as CVE-2024-22245 [1] [2] [5], is a critical authentication relay flaw. A remote attacker who tricks a user with the plug-in installed into visiting a malicious website [1] can cause the user's browser to request Kerberos service tickets for arbitrary Active Directory Service Principal Names (SPNs) and relay them to the attacker [2] [3], giving the attacker authenticated access to those services under the victim's identity.

The second, tracked as CVE-2024-22250 [1] [5], is rated high severity. An unprivileged local user on a Windows system can hijack a privileged EAP session initiated by a domain user on the same system [1] [2], and with it that user's vCenter session.

The vulnerabilities were reported to VMware by a researcher on Oct. 17, 2023, and confirmed on Dec. 1, 2023. No patch is available [1]: the supported remediation is to uninstall the EAP [1]. VMware provides instructions for removing the vulnerable components and points to the alternative authentication methods available in the current platform version, vSphere 8 [1] [3] [4]. The EAP was discontinued in 2021 [2], so any installation still present is an unsupported leftover, and users who have not yet removed it are urged to do so promptly to prevent exploitation [2].
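Because the fix is removal rather than a patch, the practical task is finding every workstation that still has the plug-in and uninstalling it. The script below is an added example written for this page, not VMware's own tooling or code from any of the cited articles. It inventories the Windows uninstall registry for the plug-in and its companion service, reports what it finds, and, only when run with -Remove, uninstalls them. The product display-name patterns ("VMware Enhanced Authentication Plug-in" and "VMware Plug-in Service") are assumptions taken from typical installs; check them against Add/Remove Programs on one of your own machines before deploying this at scale.

```powershell
# Added example (not from the page or from VMware): inventory and, optionally,
# remove the VMware Enhanced Authentication Plug-in and its helper service on a
# Windows workstation. Display-name patterns are assumptions; verify them first.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

# Display-name patterns for the two components (assumed; adjust if yours differ)
$patterns = @(
    'VMware Enhanced Authentication Plug-in*',
    'VMware Plug-in Service*'
)

# Registry locations where MSI and EXE installers record their uninstall entries
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-EapInstall {
    # Return every uninstall entry whose DisplayName matches one of the patterns
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($patterns | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName
}

$found = @(Get-EapInstall)
if (-not $found) {
    Write-Host 'No VMware EAP components found in the uninstall registry.'
}

foreach ($app in $found) {
    Write-Host ("Found: {0} {1}" -f $app.DisplayName, $app.DisplayVersion)
    if (-not $Remove) { continue }

    # -WhatIf / -Confirm are honoured here through SupportsShouldProcess
    if ($PSCmdlet.ShouldProcess($app.DisplayName, 'Uninstall')) {
        if ($app.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
            # MSI-based install: the registry key name is the product code, so
            # drive msiexec directly and quietly instead of parsing UninstallString.
            $msiArgs = "/x $($app.PSChildName) /qn /norestart"
            $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
            Write-Host ("  msiexec exit code: {0}" -f $p.ExitCode)
        } elseif ($app.UninstallString) {
            # Non-MSI installer: run the recorded uninstall command as-is
            $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $($app.UninstallString)" -Wait -PassThru
            Write-Host ("  uninstaller exit code: {0}" -f $p.ExitCode)
        }
    }
}

# Residual check: warn about any plug-in service still registered after removal
Get-Service -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -like 'VMware Plug-in Service*' -or
        $_.DisplayName -like 'VMware Enhanced Authentication*'
    } |
    ForEach-Object {
        Write-Warning ("Service still present: {0} ({1})" -f $_.DisplayName, $_.Status)
    }
```

Run it first with no switches to build an inventory (for example through your endpoint-management tool's script runner), then with -Remove -WhatIf to see what would be uninstalled, and finally with -Remove. The MSI branch uses the product code from the registry key rather than the stored UninstallString because vendor uninstall strings sometimes lack the quiet flags needed for unattended removal.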

Conclusion

The vulnerabilities in the VMware Enhanced Authentication Plug-in pose significant risks to users, as they could lead to unauthorized access and session hijacking. To mitigate these risks, users are strongly advised to uninstall the EAP plugin and follow VMware’s instructions for alternative authentication methods. The discontinuation of the EAP product underscores the importance of promptly removing it to prevent potential security breaches.

References

[1] https://www.scmagazine.com/news/vmware-issues-no-patch-advisory-for-critical-flaw-in-old-sso-plugin
[2] https://www.itpro.com/security/vmware-customers-advised-to-ditch-discontinued-product-due-to-critical-vulnerabilities
[3] https://www.helpnetsecurity.com/2024/02/21/cve-2024-22245-cve-2024-22250/
[4] https://dirteam.com/sander/2024/02/21/vmwares-enhanced-authentication-plug-in-is-deprecated-and-critically-vulnerable-remove-it-now-vmsa-2024-0003/
[5] https://www.darkreading.com/application-security/critical-vulnerability-vmware-vsphere-plugin-session-hijacking