VMware pushes admins to uninstall vulnerable, deprecated vSphere plugin (CVE-2024-22245, CVE-2024-22250)

VMware Enhanced Authentication Plug-in (EAP), a plugin for VMware vSphere, has two vulnerabilities (CVE-2024-22245, CVE-2024-22250) that could be exploited by attackers to mount authentication relay and session hijack attacks.

The vulnerabilities haven’t been and won’t be fixed. Instead, VMware is urging admins to remove the EAP plugin, whose deprecation was announced back in 2021.

About the vulnerabilities (CVE-2024-22245, CVE-2024-22250)

The EAP plugin gets installed on client workstations to allow single sign-on (SSO) to vSphere’s management interfaces and tools, but it’s not installed by default.

CVE-2024-22245 is an arbitrary authentication relay vulnerability exploitable via a malicious public website to request arbitrary Kerberos service tickets on behalf of the user visiting it.

CVE-2024-22250, a session hijack vulnerability, allows “local users to request Kerberos tickets from other users during authentication to the VMware vSphere web console” – as explained by Ceri Coburn, an infosec consultant with Pen Test Partners, who reported the two flaws back in October 2023.

“Unlike the first CVE, this one does not require an interaction with a suspicious website. The attacker simply waits for the authentication to occur to a legitimate vCenter login page to hijack the user session.”

Coburn has shared some technical details about the CVEs and explained how they can be exploited.

What to do?

VMware “is not aware of any ‘in the wild’ exploitation of these vulnerabilities.”

The company has outlined the process of removing the deprecated plugin, which includes two steps: removing the in-browser plugin/client and removing the associated Windows service (“VMware Plug-in Service”).

In case the plugin cannot be unistalled, admins should stop/disable the Windows service or firewall inbound/outbound TCP traffic to vmware-plugin:8094.

Coburn also expressed his disatisfaction with how long it took VMware to analyze his findings as well as with their chosen course of action.

“Unfortunately, VMware have decided not to fix the issue as they deem the enhanced authentication plugin as no longer supported, even though the vSphere 7 product line that uses the plugin remains supported until April 2025. Unfortunately, this does mean that you will no longer be able to perform SSO based authentication to the vSphere v7 web console and will be forced to upgrade to the v8 product line even though v7 is still supported if you still wish to leverage SSO,” he noted.

“VMware vSphere 8 supports a range of authentication methods, including connections to Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD),” Vmware said. “We recommend configuring one of these sources.”