VMware Enhanced Authentication Plugin (EAP) VMSA-2024-0004 Critical vulnerability

Brandon Lee

VMware is advising network administrators to remove an outdated vSphere plugin due to two security flaws, one critical, that could let attackers hijack cloud sessions from a Windows client. The company released a security advisory for the vulnerabilities, identified as CVE-2024-22245 (severity 9.6) and CVE-2024-22250 (severity 7.8), found in the VMware Enhanced Authentication Plugin (EAP). EAP facilitates easy login to vSphere's management interfaces using Windows Authentication and smart-card functions.

CVE-2024-22245 allows attackers to relay Kerberos tickets and take over sessions, while CVE-2024-22250 enables session hijacking by an unprivileged local user on the same Windows system. Ceri Coburn of Pen Test Partners discovered these issues, reported on October 17. Despite the delay in VMware's advisory, the vulnerabilities pose significant risks.

EAP, designed for seamless vSphere Web console login, has been discontinued since March 2021. The critical flaw, CVE-2024-22245, involves a Kerberos relay vulnerability that could let malicious sites trigger authentication flows, putting users at risk. CVE-2024-22250 stems from weak permissions on the EAP log file, allowing attackers to hijack sessions without website interaction.

VMware hasn't patched EAP but provided removal instructions on its website. There's no evidence of exploitation yet, but the potential for cloud environment compromise is high. VMware and security experts recommend prompt EAP removal. Although vSphere 7, which uses EAP, is supported until April 2025, VMware offers alternative authentication methods for newer systems, emphasizing security.

Read the official VMSA here:


Posted : 21/02/2024 11:58 am