VMware is making an urgent call for admins to uninstall the now-defunct authentication plugin, EAP: CVE-2024-22245/ CVE-2024-22250
The Enhanced Authentication Plugin (EAP), once a staple for seamless vSphere management interface logins via Windows Authentication and smart card functionality, has been flagged for critical security vulnerabilities.
The CVE-2024-22245 Backstory
Introduced for enhanced security in Windows domain environments, EAP’s journey came to an official end in March 2021 with the advent of vCenter Server 7.0 Update 2, marking its deprecation. However, its legacy issues linger, posing significant security risks through two vulnerabilities, CVE-2024-22245 and CVE-2024-22250, both left unpatched until recently.
CVE-2024-22245, with a Common Vulnerability Scoring System (CVSSv3) base score of 9.6, and CVE-2024-22250, scored at 7.8, expose systems to authentication relay and session hijack attacks. These flaws could enable attackers to exploit Kerberos service tickets, allowing them to take over privileged sessions within the EAP. Specifically, CVE-2024-22245 involves a method where an attacker could deceive a domain user into relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs), while CVE-2024-22250 could let an attacker with local access to a Windows system hijack a privileged session.
Mitigation Measures
VMware’s immediate recommendation for admins is to remove the EAP to safeguard against these vulnerabilities. This involves uninstalling both the in-browser plugin and the associated Windows service, with VMware providing PowerShell commands for those who need to execute these actions manually.
Fortunately, the EAP is not a default component of VMware’s core offerings like vCenter Server, ESXi, or Cloud Foundation, meaning its removal should not impact the majority of VMware environments. It’s an optional install, primarily used on Windows workstations for admin tasks via the vSphere Client web interface.
Looking Ahead
As VMware transitions from the EAP, it’s steering customers towards more secure authentication methods available in vSphere 8, including Active Directory over LDAPS, Microsoft AD Federation Services, Okta, and Microsoft Entra ID. This shift aligns with modern security practices and mitigates the vulnerabilities associated with the deprecated plugin.
Recent Exploits and the Path Forward
This announcement comes in the wake of the active exploitation of another critical vCenter Server vulnerability, CVE-2023-34048, which saw abuse by the UNC3886 Chinese cyber espionage group for over two years. This in a week when we’ve also seen a critical vulnerability in Microsoft Office Suite (CVE-2024-21413) and when early 2024 cybersecurity statistics are already making for sobering reading. The persistent security challenges highlight the evolving threat landscape and the importance of maintaining up-to-date security measures.
A Unified Effort
The collaborative effort in identifying and addressing these vulnerabilities, notably reported by Ceri Coburn from Pen Test Partners, underscores the importance of community vigilance. As our digital biome continues to grow, so too does the sophistication of threats. VMware’s recent advisories serve as a sobering reminder of the need for continuous monitoring, swift action to remediate known vulnerabilities, and a preventative approach to unknown cybersecurity vulnerabilities.
In essence, while it is possible to ringfence or modernize legacy applications, and while the deprecation of the Enhanced Authentication Plugin marks the end of an era, it also signifies a move towards more secure, resilient cybersecurity frameworks. By prioritizing advanced authentication methods and adhering to best practices for software deprecation, organizations can better protect themselves against the ever-changing tapestry of cyber threats and better ensure cybersecurity business continuity.
Would you like to stay up to date on the latest and most critical vulnerabilities, plus our SOC-enablement highlights from our blog? If so, check out the TrueFort Bulletin—our monthly newsletter—with exclusive monthly articles, in-depth analyses, and the latest security updates.
