VMware has asked users to uninstall the deprecated Enhanced Authentication Plug-in (EAP) in response to two vulnerabilities. Tracked as CVE-2024-22245 and CVE-2024-22250, the vulnerabilities have critical and important severity ratings, respectively.
VMware announced the deprecation of the EAP in 2021 with the release of vCenter Server 7.0u2.
VMware Enhanced Authentication Plug-in is a software package that allows users to log in to vSphere’s management tools and interfaces through a web browser. EAP provides Windows authentication and Windows-based smart card support.
CVE-2024-22245: Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plug-in
The vulnerability has been given a CVSSv3 base score of 9.6. Attackers must have EAP installed in their web browser to exploit the vulnerability. On successful exploitation, an attacker may trick a user into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
CVE-2024-22250: Session Hijack Vulnerability in Deprecated EAP Browser Plug-in
The vulnerability has been given a CVSSv3 base score of 7.8. Attackers must have unprivileged local access to a Windows operating system to exploit the vulnerability. On successful exploitation, an attacker may hijack a privileged EAP session when initiated by a privileged domain user on the same system.
Affected Versions
The vulnerabilities affect VMware Enhanced Authentication Plug-in version 6.7.0.
Mitigation
VMware has released patches to address the vulnerabilities.
For more information about the mitigation, please refer to VMware Security Advisory (VMSA-2024-0003).
Qualys Detection
Qualys customers can scan their devices with QID 379396 to detect vulnerable assets. The QID checks for vulnerable versions of VMware Enhanced Authentication Plug-in 6.7.0 by checking the Windows registry.
EVALUATE Vendor-Suggested Mitigation/Workaround with Policy Compliance (PC)
With Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls, the risk of a vulnerability being exploited is reduced when the remediation (fix/patch) cannot be implemented immediately.
The Qualys Policy Compliance team releases these exclusive controls based on the vendor-suggested mitigation or workaround.
Mitigation refers to a setting, common configuration, or general best practice existing in a default state that could reduce the severity of exploitation of a vulnerability.
A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method is not working. IT teams often use a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.
The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been published to support the evaluation of the recommended workaround:
- 14916 Status of Windows Services
- 27599 Status of the ‘VMware Cip Message Proxy’ Service
- 2161 Current list of ‘Required software applications installed’
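The registry-based version check described under Qualys Detection and the service-status check behind the controls listed above can be reproduced locally for a quick audit. The following PowerShell script is an added example, not Qualys or VMware code; it assumes the plug-in registers under the standard Windows Uninstall keys with a DisplayName beginning "VMware Enhanced Authentication Plug-in" and that the proxy service's display name contains "CIP Message Proxy" (adjust the patterns if your build differs).

```powershell
# Added audit example (not Qualys' or VMware's code). Assumptions: the plug-in
# appears under the standard Uninstall keys with a DisplayName that starts with
# "VMware Enhanced Authentication Plug-in", and the proxy service's display name
# contains "CIP Message Proxy". -like matching is case-insensitive in PowerShell.
function Get-VmwareEapStatus {
    [CmdletBinding()]
    param(
        [string]$VulnerableVersion = '6.7.0'   # version named in VMSA-2024-0003
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Same data source the QID relies on: installed-program entries in the registry.
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'VMware Enhanced Authentication Plug-in*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString

    # Workaround evidence: is the plug-in's Windows-side proxy service still present/running?
    $service = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*CIP Message Proxy*' }

    $isVulnerable = $false
    foreach ($app in $installed) {
        if ($app.DisplayVersion -and $app.DisplayVersion.StartsWith($VulnerableVersion)) {
            $isVulnerable = $true
        }
    }

    if ($isVulnerable) {
        $recommendation = 'Uninstall EAP (VMSA-2024-0003); until then stop and disable the proxy service'
    } elseif ($installed) {
        $recommendation = 'Deprecated plug-in present; plan removal'
    } else {
        $recommendation = 'Not installed'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PluginInstalled   = [bool]$installed
        PluginVersions    = ($installed.DisplayVersion -join ', ')
        VulnerableVersion = $isVulnerable
        ProxyServiceName  = ($service.Name -join ', ')
        ProxyServiceState = ($service.Status -join ', ')
        ProxyStartType    = ($service.StartType -join ', ')
        Recommendation    = $recommendation
    }
}

Get-VmwareEapStatus | Format-List
```

Run it in an elevated session so the HKLM keys and service details are readable; the output object can be exported with Export-Csv for fleet-wide collection.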
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://kb.vmware.com/s/article/96442
https://www.vmware.com/security/advisories/VMSA-2024-0003.html