VMware Arbitrary Authentication Relay and Session Hijack Vulnerabilities Impacting Deprecated Enhanced Authentication Plug-in (EAP) (CVE-2024-22245 & CVE-2024-22250)

Qualys Security Advisory

VMware has asked users to uninstall the deprecated Enhanced Authentication Plug-in (EAP) in response to two vulnerabilities. Tracked as CVE-2024-22245 and CVE-2024-22250, the vulnerabilities carry critical and important severity ratings, respectively.

VMware announced the deprecation of the EAP in 2021 with the release of vCenter Server 7.0u2.

VMware Enhanced Authentication Plug-in is a software package that allows users to log in to vSphere’s management tools and interfaces through a web browser. EAP provides Windows authentication and Windows-based smart card support.

CVE-2024-22245: Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plug-in

The vulnerability has been given a CVSSv3 base score of 9.6. Attackers must have EAP installed in their web browser to exploit the vulnerability. On successful exploitation, an attacker may trick a user into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

CVE-2024-22250: Session Hijack Vulnerability in Deprecated EAP Browser Plug-in

The vulnerability has been given a CVSSv3 base score of 7.8. Attackers must have unprivileged local access to a Windows operating system to exploit the vulnerability. On successful exploitation, an attacker may hijack a privileged EAP session when initiated by a privileged domain user on the same system.

Affected Versions

The vulnerabilities affect VMware Enhanced Authentication Plug-in version 6.7.0.

Mitigation

Please refer to VMware Security Advisory VMSA-2024-0003 and the VMware knowledge base article listed in the references below.

Qualys Detection

Qualys customers can scan their devices with QID 379396 to detect vulnerable assets. The QID detects the vulnerable VMware Enhanced Authentication Plug-in version 6.7.0 by checking the Windows registry.
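For administrators who want a local check of the same kind before or between scans, the following PowerShell script is an added example and is not Qualys' QID logic or VMware code. It enumerates the standard Windows uninstall registry keys (64-bit and WOW6432Node) and flags any installed product whose display name matches the plug-in and whose version starts with the affected 6.7.0 line. The `DisplayName` pattern is an assumption; adjust it if your software inventory shows the plug-in registered under a different name.

```powershell
# Added example (not Qualys' QID logic or VMware code): look for an installed
# VMware Enhanced Authentication Plug-in in the Windows uninstall registry keys
# and flag the affected 6.7.0 version named in VMSA-2024-0003.
# Assumption: the product registers under the standard Uninstall keys with a
# DisplayName containing "Enhanced Authentication Plug-in".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$namePattern    = '*Enhanced Authentication Plug-in*'   # assumed DisplayName pattern
$affectedPrefix = '6.7.0'                                # affected version from the advisory

function Get-EapInstallState {
    $found = @()
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like $namePattern) {
                $found += [pscustomobject]@{
                    DisplayName    = $p.DisplayName
                    DisplayVersion = $p.DisplayVersion
                    RegistryPath   = $_.PSPath
                    # True when the installed version is in the affected 6.7.0 line
                    Affected       = ([string]$p.DisplayVersion -like "$affectedPrefix*")
                }
            }
        }
    }
    return $found
}

$results = Get-EapInstallState
if (-not $results) {
    Write-Output 'EAP not found in the uninstall registry: nothing to remove on this host.'
    exit 0
}
$results | Format-Table -AutoSize
if ($results.Affected -contains $true) {
    Write-Warning 'Affected EAP version present. Remove it as described in VMSA-2024-0003 and VMware KB 96442.'
    exit 1
}
```

Run the script in an elevated PowerShell session on each Windows workstation where vSphere administrators log in; the non-zero exit code makes it easy to roll up results from a configuration management or endpoint management tool.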

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://kb.vmware.com/s/article/96442  
https://www.vmware.com/security/advisories/VMSA-2024-0003.html
