VMware urged admins today to remove a discontinued authentication plugin that exposes Windows domain environments to authentication relay and session hijack attacks through two security vulnerabilities that will not be patched.
The VMware Enhanced Authentication Plug-in (EAP) is installed on client workstations to allow single sign-on (SSO) to vSphere’s management interfaces and tools, but it is not installed by default.
CVE-2024-22245 is an arbitrary authentication relay vulnerability exploitable via a malicious public website to request arbitrary Kerberos service tickets on behalf of the user visiting it.
The second flaw, CVE-2024-22250, enables session hijacking: “This one does not require an interaction with a suspicious website. The attacker simply waits for the authentication to occur to a legitimate vCenter login page to hijack the user session.”
Affected Systems
Windows workstations on which the VMware Enhanced Authentication Plug-in 6.7.0 and its companion Windows service (VMware Plug-in Service) are installed.
IoCs
-
Recommended Solution(s)
To address the CVE-2024-22245 and CVE-2024-22250 security flaws, admins have to remove both the in-browser plugin/client (VMware Enhanced Authentication Plug-in 6.7.0) and the Windows service (VMware Plug-in Service).
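The following PowerShell script is an added example for carrying out that recommendation at scale; it is not VMware’s own tooling and the advisory does not publish one. It assumes (these are assumptions, not facts from the advisory) that the plug-in registers an Add/Remove Programs entry whose DisplayName begins with “VMware Enhanced Authentication Plug-in”, that the entry is keyed by an MSI product code so msiexec can uninstall it silently, and that the service is registered with the display name “VMware Plug-in Service”. Without -Remove it only reports what it finds, so it can be run first as an inventory check across a fleet.

```powershell
# Added example (not VMware's code): find and remove the discontinued
# Enhanced Authentication Plug-in and its Windows service on a workstation.
# Assumptions (not stated on the advisory page): uninstall DisplayName starts with
# "VMware Enhanced Authentication Plug-in", the uninstall key is an MSI product code,
# and the service display name is "VMware Plug-in Service". Run from an elevated shell.
param([switch]$Remove)   # without -Remove the script only reports

$uninstallRoots = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Locate the in-browser plug-in via its Add/Remove Programs registration
$plugin = foreach ($root in $uninstallRoots) {
  Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -like 'VMware Enhanced Authentication Plug-in*' }
}

# 2. Locate the companion Windows service by its display name
$service = Get-Service -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -eq 'VMware Plug-in Service' }

if (-not $plugin -and -not $service) {
  Write-Host 'EAP plug-in and VMware Plug-in Service not found; nothing to do.'
  return
}

foreach ($p in $plugin) {
  Write-Host ("Found: {0} {1} (key {2})" -f $p.DisplayName, $p.DisplayVersion, $p.PSChildName)
  if ($Remove) {
    # Only act when the key is an MSI product code, so the uninstall is silent and unattended
    if ($p.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
      Start-Process -FilePath msiexec.exe -ArgumentList "/x $($p.PSChildName) /qn /norestart" -Wait
    } else {
      Write-Warning ("Not an MSI product code; uninstall manually with: {0}" -f $p.UninstallString)
    }
  }
}

if ($service) {
  Write-Host ("Found service: {0} ({1}), status {2}" -f $service.DisplayName, $service.Name, $service.Status)
  if ($Remove) {
    Stop-Service -Name $service.Name -Force -ErrorAction SilentlyContinue
    # Delete the registration in case the MSI uninstall left the service behind
    & sc.exe delete $service.Name | Out-Null
  }
}

# 3. Verify that neither component remains
if ($Remove) {
  $serviceLeft = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'VMware Plug-in Service' }
  $pluginLeft = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
      ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
      Where-Object { $_.DisplayName -like 'VMware Enhanced Authentication Plug-in*' }
  }
  if ($serviceLeft -or $pluginLeft) { Write-Warning 'EAP components still present; check manually.' }
  else { Write-Host 'Removal verified: plug-in and service are gone.' }
}
```

Because the plug-in is a per-workstation install, the report-only run is the useful first step: it tells you which hosts actually carry EAP before any removal is scheduled.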
CVE / CWE
CVE-2024-22245, CVE-2024-22250
Related Website(s)
* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.