VMware client plug-in has critical vulnerability

A deprecated authentication plug-in for VSphere, the enhanced authentication plug-in (EAP), carries two vulnerabilities, one critical, and should be disabled by users.

EAP provided Windows authentication and Windows-based smart card support, and VMware announced its deprecation in March 2021.

VMware’s advisory identified CVE-2024-22245 as the critical vulnerability, with a CVSS score of 9.6.

It’s an arbitrary authentication relay bug. VMware explained: “A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).”

The second vulnerability, CVE-2024-22250, has a CVSS score of 7.8.

It’s a session hijack vulnerability, which can only be exploited by a local attacker.

“A malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system,” VMware’s advisory said.

The bugs were discovered and reported by Ceri Coburn from Pen Test Partners.

Explaining why EAP won’t be patched, VMware wrote that “to use the EAP, organisations would have to bypass important security features in their modern web browsers, which is not advisable.”

Alternative authentication methods include connecting to Active Directory over LDAPS, Active Directory federation services, Okta, and Microsoft Entra ID.