VMware urges customers to uninstall Enhanced Authentication Plugin after critical flaw disclosure

VMware has urged its customers to uninstall the Enhanced Authentication Plugin (EAP) after disclosing a critical vulnerability, CVE-2024-22245, which carries a CVSS score of 9.6. The vulnerability allows for an arbitrary authentication relay attack, in which a threat actor could trick a domain user with the EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

According to VMware's advisory, "A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)."

The EAP plugin was designed to provide seamless login to vSphere's management interfaces through Integrated Windows Authentication and Windows-based smart card functionality on Windows client systems. It has been deprecated since 2021, when vCenter Server 7.0u2 was released. VMware lists no workaround for this vulnerability.

The virtualization giant also addressed a second EAP flaw, a session hijack vulnerability rated Important severity and tracked as CVE-2024-22250 (CVSS score 7.8). "A malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system," explains the advisory.

Both vulnerabilities were responsibly reported to VMware by Ceri Coburn of Pen Test Partners. To mitigate the risks associated with these vulnerabilities, customers are advised to uninstall the EAP plugin as soon as possible. It is important to prioritize security practices and keep up-to-date with the latest vulnerability disclosures to protect against potential threats.
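Because the only remediation described above is removal of the plugin, the first task for a defender is finding every Windows client that still has it installed. The following PowerShell script is an added example written for this article; it is not VMware's own removal procedure or code. It assumes (this is not stated on the page) that the plugin and its helper service register in Add/Remove Programs with DisplayName values containing "VMware Enhanced Authentication Plug-in" and "VMware Plug-in Service"; adjust the patterns if your installations differ. Without `-Remove` it only reports, so it can be pushed through a management tool to inventory an estate before any uninstall is scheduled.

```powershell
# Added example (not VMware's or the article's code): inventory and, optionally,
# remove the deprecated VMware Enhanced Authentication Plugin (EAP) from a Windows client.
# Assumption: the plugin appears in Add/Remove Programs under DisplayNames matching
# the patterns below. These names are assumed, not taken from the article.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # report only unless this switch is given
)

$patterns = @('*VMware Enhanced Authentication Plug-in*', '*VMware Plug-in Service*')

# Uninstall entries for 64-bit, 32-bit and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        # Keep the entry if any pattern matches its DisplayName.
        $name -and ($patterns | Where-Object { $name -like $_ })
    } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# Also report any running service whose display name looks like the EAP helper service.
$services = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*VMware*Plug-in*' } |
    Select-Object Name, DisplayName, Status

if (-not $found -and -not $services) {
    Write-Output "EAP not found on $env:COMPUTERNAME."
    return
}

Write-Output "EAP components found on $env:COMPUTERNAME:"
$found    | Format-Table DisplayName, DisplayVersion -AutoSize
$services | Format-Table Name, DisplayName, Status -AutoSize

if (-not $Remove) { return }

foreach ($app in $found) {
    # MSI-based entries carry a product code GUID in the UninstallString;
    # use it to run a quiet uninstall. Anything else is left for manual handling.
    if ($app.UninstallString -match '\{[0-9A-Fa-f\-]{36}\}') {
        $productCode = $Matches[0]
        if ($PSCmdlet.ShouldProcess($app.DisplayName, "msiexec /x $productCode")) {
            $proc = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $productCode /qn /norestart" -Wait -PassThru
            Write-Output "$($app.DisplayName): msiexec exit code $($proc.ExitCode)"
        }
    } else {
        Write-Warning "$($app.DisplayName): non-MSI uninstaller, run manually: $($app.UninstallString)"
    }
}
```

Run it as an administrator; `-Remove -WhatIf` shows which uninstalls would be issued without performing them, and a non-zero msiexec exit code (3010 means a reboot is pending) should be fed back into the deployment report.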
