VMware has strongly recommended that system administrators uninstall a deprecated authentication plugin because of two critical security vulnerabilities that put Windows environments at risk.
The vulnerable plugin, VMware Enhanced Authentication Plug-in (EAP), provides integrated Windows authentication and Windows-based smart card functionality. Although the plugin was deprecated in March 2021 with the release of vCenter Server 7.0 Update 2, it still remains in use.
The two vulnerabilities, tracked as CVE-2024-22245 and CVE-2024-22250, enable threat actors to execute authentication relay and session hijack attacks.
Malicious actors can exploit CVE-2024-22245 to trick users with EAP installed in their web browsers into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). Moreover, CVE-2024-22250 allows attackers with unprivileged local access to Windows operating systems to hijack privileged EAP sessions initiated by privileged domain users on the same system.
As of now, VMware is not aware of any “in the wild” exploitation of these vulnerabilities, the vendor said.
VMware has clarified that these vulnerabilities will not be patched because of the inherent security risks of using the EAP at all. The company recommends alternative authentication methods instead, such as connecting to Active Directory over LDAPS, or using Active Directory Federation Services, Okta, or Microsoft Entra ID.
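Because the fix is removal rather than a patch, the first practical step is finding every Windows host that still has the EAP installed. The script below is an added example (not VMware's own tooling) that inventories EAP installs from the standard Windows Uninstall registry keys and, only when asked, removes MSI-based entries with msiexec; the DisplayName match pattern and the assumption that EAP registers as an MSI product are assumptions, and the script does not cover per-user or browser-side installs.

```powershell
<#
  Added example: inventory VMware Enhanced Authentication Plug-in (EAP) installs
  on a Windows host. Assumes EAP registers under the standard Uninstall keys with
  a DisplayName containing "Enhanced Authentication Plug-in" (pattern assumed)
  and an MSI-based UninstallString. Run without -Uninstall to report only.
#>
param(
    [switch]$Uninstall   # without this switch the script only reports
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect matching uninstall entries from both the 64-bit and 32-bit views.
$found = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like '*Enhanced Authentication Plug-in*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString, PSPath
}

if (-not $found) {
    Write-Output "EAP not detected in Uninstall registry keys on $env:COMPUTERNAME"
    return
}

$found | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

if ($Uninstall) {
    foreach ($entry in $found) {
        # For MSI products the registry key name is the ProductCode GUID,
        # which msiexec /x accepts directly; anything else is left for manual removal.
        $productCode = Split-Path -Leaf $entry.PSPath
        if ($entry.UninstallString -match 'MsiExec' -and $productCode -match '^\{[0-9A-Fa-f-]+\}$') {
            Write-Output "Removing $($entry.DisplayName) ($productCode)"
            $p = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $productCode /qn /norestart" -Wait -PassThru
            Write-Output "msiexec exit code: $($p.ExitCode)"
        } else {
            Write-Output "Not an MSI entry; uninstall manually: $($entry.UninstallString)"
        }
    }
}
```

Run it through your endpoint management tool in report-only mode first to size the exposure, then with -Uninstall once the alternative authentication method is in place.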