VMware Highlights Critical Flaws in Enhanced Authentication Plug-in (EAP)

In a recent security advisory, VMware has urgently recommended removing the Enhanced Authentication Plug-in (EAP) following the discovery of critical vulnerabilities tracked as CVE-2024-22245 and CVE-2024-22250.

The deprecated EAP, which provided Windows authentication and Windows-based smart card support for vSphere, has been identified as carrying two vulnerabilities, one of which is deemed critical.

VMware deprecated EAP in March 2021, and users are now advised to disable it immediately. The critical vulnerability, identified as CVE-2024-22245 with a CVSS score of 9.6, poses a risk to users.

Decoding the CVE-2024-22245 and CVE-2024-22250 Vulnerabilities

CVE-2024-22245 has been categorized as an arbitrary authentication relay bug, which could enable a malicious actor to deceive a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

The second vulnerability, CVE-2024-22250, scores 7.8 on the CVSS scale and has been identified as a session hijack vulnerability. It can, however, only be exploited by a local attacker with unprivileged local access to a Windows operating system.

According to VMware’s advisory, a malicious actor with such access can hijack a privileged EAP session initiated by a privileged domain user on the same system.

These critical vulnerabilities were discovered and reported by Ceri Coburn from Pen Test Partners, highlighting the importance of cybersecurity best practices and continuous monitoring for potential threats.

VMware Advisory on the Vulnerabilities

VMware has clarified that EAP will not be patched due to inherent risks associated with its use. Organizations opting to continue using EAP would have to bypass crucial security features in their modern web browsers, a practice that is strongly discouraged.

In light of these vulnerabilities, users are encouraged to explore alternative authentication methods, including connecting to Active Directory over LDAPS, Active Directory Federation Services, Okta, and Microsoft Entra ID.

Both CVE-2024-22245 and CVE-2024-22250 threaten the security of individuals and highlight the critical importance of promptly addressing security vulnerabilities to mitigate potential risks.

For further information and guidance, users can refer to the National Vulnerability Database (NVD) and VMware’s official security advisories.
