21 February 2024

VMware urges admins to uninstall vulnerable authentication plugin


VMware has strongly recommended that system administrators uninstall a deprecated authentication plugin, because two critical security vulnerabilities in it pose risks to Windows environments.

The vulnerable plugin, VMware Enhanced Authentication Plug-in (EAP), provides integrated Windows authentication and Windows-based smart card functionality. Although the plugin was deprecated in March 2021 with the release of vCenter Server 7.0 Update 2, it remains in use.

The two vulnerabilities, tracked as CVE-2024-22245 and CVE-2024-22250, enable threat actors to execute authentication relay and session hijack attacks.

Malicious actors can exploit CVE-2024-22245 to trick users with EAP installed in their web browsers into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). Moreover, CVE-2024-22250 allows attackers with unprivileged local access to Windows operating systems to hijack privileged EAP sessions initiated by privileged domain users on the same system.

As of now, VMware is not aware of any “in the wild” exploitation of these vulnerabilities, the vendor said.

VMware has clarified that these vulnerabilities will not be patched, given the inherent security risks of using the EAP. The company recommends alternative authentication methods instead, such as connecting to Active Directory over LDAPS, or using Active Directory Federation Services (AD FS), Okta, or Microsoft Entra ID.
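Since the only fix is removal, the practical first step is finding which Windows hosts still carry the plugin. The inventory check below is an added example, not code from the article or from VMware; it assumes EAP registers in the standard Windows Uninstall registry keys with a DisplayName beginning "VMware Enhanced Authentication Plug-in".

```powershell
# Added example (not from the article or VMware): report whether the deprecated
# VMware Enhanced Authentication Plug-in (EAP) is installed on this Windows host.
# Assumption: the plugin appears under the standard Uninstall keys with a
# DisplayName that starts with "VMware Enhanced Authentication Plug-in".

$NamePattern = 'VMware Enhanced Authentication Plug-in*'   # assumed DisplayName prefix

# 64-bit, 32-bit (WOW6432Node) and per-user install locations
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VMwareEapInstall {
    [CmdletBinding()]
    param()

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      DisplayName, DisplayVersion, UninstallString, PSPath
}

$found = @(Get-VMwareEapInstall)

if ($found.Count -eq 0) {
    Write-Output "[$env:COMPUTERNAME] EAP not found in Uninstall registry keys."
}
else {
    # Report only: removal is done by an administrator through Programs and
    # Features (or the recorded UninstallString), as VMware recommends.
    $found | Format-Table -AutoSize
    exit 1   # non-zero exit lets a fleet-wide run flag hosts still carrying EAP
}
```

Run it through your endpoint management tooling and treat a non-zero exit as a host that still needs the plugin removed; browsers on that host should also be restarted after removal so no loaded EAP component lingers.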
