VMware has issued a security advisory urging IT administrators to remove an out-of-date plugin for its vSphere software after two flaws were discovered which could allow hackers to hijack cloud computing sessions. The vulnerabilities, tracked as CVE-2024-22245 and CVE-2024-22250, were found in the VMware Enhanced Authentication Plug-in (EAP) and were rated 9.6 and 7.8 in severity, respectively.
The first vulnerability, CVE-2024-22245, is an arbitrary authentication relay vulnerability that allows threat actors to relay Kerberos service tickets and take control of privileged EAP sessions. The second flaw, CVE-2024-22250, allows a malicious actor with unprivileged local access to a Windows OS to hijack a privileged EAP session initiated by a privileged domain user on the same system. These vulnerabilities were discovered by Ceri Coburn at Pen Test Partners and were responsibly disclosed to VMware on October 17th.
VMware has confirmed that the vulnerabilities have not yet been exploited by threat actors; however, it has taken proactive measures to address the issue, as such exploits could have significant implications for the security of cloud environments. The company has provided detailed instructions on its website for removing the vulnerable EAP plugin from affected systems.
Despite the discontinuation of EAP by VMware in March 2021 with the launch of vCenter Server 7.0 Update 2, the vSphere 7 product line that uses the plug-in remains supported until April 2025. However, it should be noted that the EAP plugin is not included in VMware’s vCenter Server, ESXi, or Cloud Foundation products by default. It needs to be manually installed on Windows workstations used for administrative tasks.
To remove the vulnerable plugin, VMware has provided administrators with three different options: using the Control Panel, using the installer, or using PowerShell. The company has also advised administrators to consider alternative authentication methods such as Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD) as safer alternatives to EAP.
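The PowerShell route is the one that scales to a fleet of admin workstations, so here is an added example of what such a script can look like. It is not VMware's own removal script: it walks the standard Windows uninstall registry keys, reports any product whose DisplayName matches the plug-in, and only removes it when run with -Remove. The DisplayName pattern and the assumption that the plug-in registers an MSI product code in its UninstallString are this example's own assumptions; check them against the entry on one workstation before rolling it out.

```powershell
# Added example (not VMware's own removal script): inventory the Windows
# uninstall registry keys for the VMware Enhanced Authentication Plug-in (EAP)
# and optionally remove it via the UninstallString the installer recorded.
# Assumption: the installed product's DisplayName contains
# "Enhanced Authentication Plug-in"; adjust the pattern if your build differs.

param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

# Both 64-bit and 32-bit (WOW6432Node) uninstall hives are checked.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Find-EapInstall {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            if ($props.DisplayName -like '*Enhanced Authentication Plug-in*') {
                [PSCustomObject]@{
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    UninstallString = $props.UninstallString
                    KeyPath         = $_.PSPath
                }
            }
        }
    }
}

$found = @(Find-EapInstall)
if ($found.Count -eq 0) {
    Write-Output "EAP not found in the uninstall registry on $env:COMPUTERNAME"
    exit 0
}

# Report first; this output is what you would collect from every admin workstation.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in $found) {
        # MSI-based installs record a product code in UninstallString
        # ("MsiExec.exe /X{GUID}"); prefer a quiet msiexec /x with that code,
        # otherwise fall back to running the recorded command as-is.
        if ($item.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
            $code = $Matches[0]
            Write-Output "Removing $($item.DisplayName) ($code)"
            Start-Process msiexec.exe -ArgumentList "/x $code /qn /norestart" -Wait
        } else {
            Write-Output "Running recorded uninstall command: $($item.UninstallString)"
            Start-Process cmd.exe -ArgumentList "/c $($item.UninstallString)" -Wait
        }
    }
}
```

Run it without -Remove first from an elevated prompt (for example `.\Find-Eap.ps1`) to build an inventory of which workstations still carry the plug-in, then rerun with `-Remove` once the DisplayName and UninstallString assumptions have been confirmed against a real entry.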
It is unclear why it took several months for VMware to release a vulnerability advisory and mitigation, and why the decision to forgo patching EAP was made. However, security researchers and VMware have underlined the importance of removing the EAP plugin as soon as possible to mitigate the risk of it being exploited.
In conclusion, VMware customers using vSphere need to take proactive steps to remove the EAP plugin from their systems to ensure the security of their cloud environments. By following the step-by-step instructions provided by VMware, they can protect their infrastructure from potential attacks stemming from these vulnerabilities.