VMware has issued a critical advisory urging administrators to remove a deprecated authentication plugin, the Enhanced Authentication Plugin (EAP), from their systems due to severe security vulnerabilities. The EAP, designed to facilitate seamless login to vSphere's management interfaces, is susceptible to authentication relay and session hijack attacks, posing significant risks to Windows domain environments.
Two unpatched vulnerabilities, CVE-2024-22245 and CVE-2024-22250, have been identified, with respective CVSS scores of 9.6 and 7.8. CVE-2024-22245 allows malicious actors to relay Kerberos service tickets, potentially seizing privileged EAP sessions. Meanwhile, CVE-2024-22250 permits unauthorized users with local access to hijack privileged EAP sessions initiated by domain users.
Discovered by Ceri Coburn from Pen Test Partners, these flaws have been acknowledged by VMware as critical. The Arbitrary Authentication Relay vulnerability in EAP allows attackers to manipulate service tickets, while the Session Hijack vulnerability enables unauthorized session control by local attackers.
Though not part of VMware's core products, the EAP may have been manually installed on Windows workstations used for administrative tasks, posing a risk of unauthorized access and system compromise. VMware, opting not to patch the EAP due to its deprecation and associated risks, recommends its complete removal. The company suggests alternative authentication methods such as Active Directory over LDAPS, ADFS, Okta, and Microsoft Entra ID24.
VMware's advisory stresses the importance of adopting up-to-date and secure authentication mechanisms. Organizations utilizing the EAP are urged to promptly uninstall the plugin and transition to supported authentication methods to safeguard their environments against potential exploitation and data breaches.
