Critical vulnerability in legacy remote VMware EAP. Remediate immediately.

VMware urges customers to remove legacy Enhanced Authentication Plugin (EAP) after disclosure of critical CVE-2024-22245 vulnerability. VMware is urging customers to remove the legacy Enhanced Authentication Plugin (EAP) following the discovery of arbitrary authentication vulnerability CVE-2024-22245 (CVSS score: 9.6).

An attacker can trick a domain user with an EAP installed in a web browser into requesting and transmitting service tickets for arbitrary Active Directory Service Principal Names (SPNs). A statement released by the leading virtualization giant said, "A common confirmation relay and session hijacking vulnerabilities in VMware's legacy Extended Authentication Plugin (EAP) have been reported to VMware."

According to the document, there is no workaround for this vulnerability.

The VMware Enhanced Authentication (EAP) plug-in was specifically designed to provide seamless login to vSphere management interfaces using integrated Windows authentication and smart card functionality on Windows client systems. The plug-in has been deprecated since the release of vCenter Server 7.0u2 in 2021.

The company also addressed the presence of an EAP session hijacking vulnerability categorized as important and identified as CVE-2024-22250 (CVSS score of 7.8). "An attacker with limited local access privileges to a Windows operating system can hijack a privileged EAP session if it is initiated by a privileged domain user on the same system," it said.

Both vulnerabilities were discovered by Ceri Coburn of Pen Test Partners.