This week, VMware published a security advisory addressing two vulnerabilities detected in the VMware Enhanced Authentication Plug-in (EAP): one recorded as CVE-2024-22245, with a severity rating of 9.6, and another tracked as CVE-2024-22250, with a rating of 7.8.
Background:
The VMware Enhanced Authentication Plug-in (EAP), which enables seamless login to vSphere’s administration interfaces via integrated Windows Authentication and Windows-based smart card capability on Windows client computers, is the vulnerable plugin in question.
CVE-2024-22245 – Arbitrary Authentication Relay Vulnerability:
As to Pen Test’s blog post, the significant CVE-2024-22245 is a Kerberos relay vulnerability that permits a rogue website to initiate the same authentication procedure as the standard vCenter login page employs. In this case, the plug-in will attempt to interact with the website, and EAP will alert the user to this. The user will then have to accept the request, leaving them open to attack.
“A malicious website can then request Kerberos tickets for any service within the victim’s Active Directory network as the victim user,” according to the posting by Pen Test.
CVE-2024-22250 – Session Hijack Vulnerability:
Weak permissions on the VMware EAP log file stored in the ProgramData folder are the cause of CVE-2024-22250. According to Pen Test, an attacker can build up an automated script to read from the log file and listen for new session IDs because it is designed to allow any local user to view it.
An attacker can request arbitrary service tickets on behalf of users in other sessions once a new session ID is logged. They can then utilize the hijacked user from the other session to access Kerberos-related services configured within the Active Directory network.
“Unlike the first CVE, this one does not require an interaction with a suspicious website,” stated Pen Test. “The attacker simply waits for the authentication to occur to a legitimate vCenter login page, [then hijacks] the user session.”
Impact:
Impacted Product:
VMware Enhanced Authentication Plug-in (EAP)
VMware’s main products, including vCenter Server, ESXi, or Cloud Foundation, do not include the deprecated EAP, nor is it installed by default.
Nevertheless, on Windows PCs used for administrative duties, it can have been manually installed.
Organizations may be vulnerable to unauthorized access and control over their virtualized environments as a result of these EAP vulnerabilities, which could result in data breaches and system outages.
Recommendations:
Because the EAP is out of date and circumvents contemporary web browser security measures, VMware has chosen not to fix it.
VMware advises not using the EAP at all in order to protect systems against any intrusions.
PowerShell commands from the company can be used to remove both the plugin and the related Windows service.
Uninstall EAP:
(Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith(“VMware Plug-in Service”)}).Uninstall()
Stop and disable the Windows service:
Stop-Service-Name”CipMsgProxyService”
Set-Service-Name”CipMsgProxyService”-StartupType”Disabled”
The VMware FAQ states that although there is still a link to install VMware EAP on the vSphere Client login screen, it will be removed in an upcoming version.
The VMware EAP is still the sole method for SSO authentication for vSphere 7, even though it was deprecated in 2021. vSphere 7 will be supported until April 2025.
According to VMware, more authentication options are available with the most recent platform version, vSphere 8, via the Lightweight Directory Access Protocol over SSL (LDAPS), Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (previously Azure AD).
To defend against CVE-2024-22245 or CVE-2024-22250, users do not need to patch VMware vCenter Server, VMware ESXi, or VMware Cloud Foundation.
References:
- https://kb.vmware.com/s/article/96442
- https://www.vmware.com/security/advisories/VMSA-2024-0003.html