Pierluigi Paganini February 21, 2024
VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) after the discovery of an arbitrary authentication relay flaw CVE-2024-22245 (CVSS score: 9.6).
A threat actor could trick a domain user with EAP installed in its web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
“Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware.” reads the advisory published by the virtualization giant. “A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).”
According to the advisory, there are no workarounds for this vulnerability.
The VMware Enhanced Authentication Plugin (EAP) was a software plugin designed to enable seamless login to vSphere’s management interfaces through integrated Windows Authentication and Windows-based smart card functionality on Windows client systems. The plugin was deprecated in 2021 with the release of vCenter Server 7.0u2.
The company also addressed an important severity session hijack vulnerability in EAP, tracked as CVE-2024-22250 (CVSS score 7.8).
“A malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.” continues the advisory.
The vulnerabilities were both reported by Ceri Coburn from Pen Test Partners.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – ransomware, CVE-2024-22245)