SB2024022050 - Multiple vulnerabilities in VMware Enhanced Authentication Plug-in (EAP)

Description

This security bulletin contains information about 2 vulnerabilities.

1) Authentication bypass by capture-replay (CVE-ID: CVE-2024-22245)

CWE-ID: CWE-294 - Authentication Bypass by Capture-replay

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to arbitrary authentication relay issue. A remote attacker trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-22250)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to hijack victim's session.

The vulnerability exists due to the way EAP initiates and handles sessions with the AD. A local user can hijack a privileged EAP session when initiated by a privileged domain user on the same system.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://www.vmware.com/security/advisories/VMSA-2024-0003.html
• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24257