VMware Urges Removal of Deprecated, Vulnerable Authentication Plug-in
February 20, 2024
VMware today urged administrators to remove a discontinued authentication plugin that is exposed to authentication relay and session hijack attacks in Windows domain environments, because two security vulnerabilities in it will not be patched. The plugin in question is the VMware Enhanced Authentication Plug-in (EAP), which provides seamless login to vSphere's management interfaces through Integrated Windows Authentication and Windows-based smart card functionality on Windows client systems.
VMware had announced the deprecation of the EAP almost three years ago, in March 2021, coinciding with the release of vCenter Server 7.0 Update 2. The two security flaws being addressed now are tracked as CVE-2024-22245 (with a 9.6/10 CVSSv3 base score) and CVE-2024-22250 (7.8/10). These vulnerabilities can be exploited by malicious actors to relay Kerberos service tickets and commandeer privileged EAP sessions.
VMware provided a description of the known attack vectors for CVE-2024-22245: "A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)." As for CVE-2024-22250, the company stated: "A malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system."
VMware has stated that it currently has no evidence that these security vulnerabilities have been targeted or exploited in the wild. To mitigate the CVE-2024-22245 and CVE-2024-22250 security flaws, administrators are advised to remove both the in-browser plugin/client (VMware Enhanced Authentication Plug-in 6.7.0) and the Windows service (VMware Plug-in Service). If removal is not an option, disabling the Windows service is recommended.
It's important to note that the deprecated VMware EAP is not installed by default and is not part of VMware's vCenter Server, ESXi, or Cloud Foundation products. Administrators have to manually install it on Windows workstations used for administration tasks to enable direct login when using the VMware vSphere Client through a web browser.
As a safer alternative to this vulnerable authentication plug-in, VMware suggests admins use other VMware vSphere 8 authentication methods such as Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD).
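The advisory's mitigation (remove the in-browser plug-in and the Windows service, or at least disable the service) is a workstation-by-workstation task. The following PowerShell audit script is an added example, not VMware's tooling: it assumes the registry DisplayName contains "Enhanced Authentication Plug-in" and that the service's display name is "VMware Plug-in Service", as quoted in the advisory; verify both on a test host before relying on it.

```powershell
# Added audit/mitigation helper (not VMware's own code). Assumes the display
# names match those quoted in the advisory; confirm them on a test host first.
param(
    [switch]$DisableService   # when set, stop and disable the service instead of only reporting
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Look for the in-browser plug-in in the installed-programs registry keys.
$eap = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like '*Enhanced Authentication Plug-in*' }
}

if ($eap) {
    foreach ($e in $eap) {
        Write-Output "FOUND plug-in: $($e.DisplayName) $($e.DisplayVersion)"
        Write-Output "  Uninstall command recorded in registry: $($e.UninstallString)"
    }
} else {
    Write-Output 'Plug-in not present in Uninstall registry keys.'
}

# 2. Check the companion Windows service by the display name given in the advisory.
$svc = Get-Service -DisplayName 'VMware Plug-in Service' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "FOUND service: $($svc.Name) status=$($svc.Status) startType=$($svc.StartType)"
    if ($DisableService) {
        # Fallback mitigation from the advisory when removal is not an option.
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output '  Service stopped and set to Disabled.'
    }
} else {
    Write-Output 'VMware Plug-in Service not present.'
}
```

Run it without the switch from an elevated prompt to inventory admin workstations; rerun with `-DisableService` on hosts where the plug-in cannot be uninstalled immediately.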
In a separate development last month, VMware confirmed that a critical vCenter Server remote code execution vulnerability (CVE-2023-34048) patched in October was being actively exploited. Mandiant revealed that the UNC3886 Chinese cyber espionage group had been exploiting it as a zero-day for more than two years, since at least late 2021.