Two critical vulnerabilities in the optional Enhanced Authentication Plug-in require the immediate removal of this software from admin workstations and management servers.
About VMware's Enhanced Authentication Plug-in
VMware's Enhanced Authentication Plug-in (EAP) is an optional piece of software that can be downloaded from VMware's download center and installed on admin workstations and management servers (client-side). The plug-in allows administrators to seamlessly sign in to vCenter Server using Windows Integrated Authentication and/or Windows-based smart cards.
The Enhanced Authentication Plug-in has been deprecated since the General Availability (GA) of vSphere 7.0. From vSphere 7.0u2 onward, VMware discontinued support for Windows Integrated Authentication, smart card support and RSA SecurID for vCenter Server. As an alternative to the plug-in, VMware advises using Identity Federation to sign in to vCenter Server, which provides connections to Active Directory Federation Services (ADFS), Okta and Microsoft Entra ID (formerly Azure AD).
The latest version of the plug-in is version 6.7.0.
About the vulnerabilities in the Plug-in
VMSA-2024-0003 reports two vulnerabilities in VMware's Enhanced Authentication Plug-in:
Arbitrary Authentication Relay Vulnerability
The VMware Enhanced Authentication Plug-in contains an Arbitrary Authentication Relay vulnerability, tracked as CVE-2024-22245. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3.1 base score of 9.6.
An adversary could trick a vSphere admin with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
Session Hijack Vulnerability
The VMware Enhanced Authentication Plug-in contains a Session Hijack vulnerability, tracked as CVE-2024-22250. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3.1 base score of 7.8.
An adversary with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.
Call to action
Remove the VMware Enhanced Authentication Plug-in by following the guidance in VMware KB96442.
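As an added example (not VMware's tooling and not part of KB96442), a PowerShell inventory check an administrator can run on each admin workstation or management server to confirm whether EAP components are still present before and after the KB96442 removal steps. The Add/Remove Programs display-name patterns and the helper service display name used below are assumptions about how the plug-in registers itself; adjust them to whatever Add/Remove Programs shows on your hosts.

```powershell
# Added example: inventory VMware EAP components on this host (not VMware's own script).
# Display-name patterns and the service display name are assumptions; verify them locally.
$patterns = @('VMware Enhanced Authentication Plug-in*', 'VMware Plug-in Service*')
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-EapInstall {
    # One object per matching Add/Remove Programs entry (64-bit and 32-bit hives); nothing if absent.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($patterns | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion, UninstallString, InstallDate
}

function Get-EapService {
    # Assumed helper service display name; a leftover service is a second removal indicator.
    Get-Service -DisplayName 'VMware Plug-in Service*' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

$installs = @(Get-EapInstall)
$services = @(Get-EapService)

if ($installs.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no VMware Enhanced Authentication Plug-in components found."
} else {
    Write-Output "$env:COMPUTERNAME: EAP components present - remove them per VMware KB96442:"
    if ($installs.Count -gt 0) { $installs | Format-Table -AutoSize }
    if ($services.Count -gt 0) { $services | Format-Table -AutoSize }
}
```

Run it again after following KB96442; a clean host reports no components found.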
Further reading
VMSA-2024-0003
VMSA-2024-0003: Questions & Answers
Removing the deprecated VMware Enhanced Authentication Plugin (EAP) to address CVE-2024-22245 and CVE-2024-22250 (96442)