VMware urges admins to remove deprecated, vulnerable auth plug-in
Security News, February 2024
VMware urged admins today to remove a discontinued authentication plug-in that exposes Windows domain environments to authentication relay and session hijack attacks through two security vulnerabilities that remain unpatched.
The vulnerable VMware Enhanced Authentication Plug-in enables seamless login to vSphere's management interfaces via integrated Windows Authentication and Windows-based smart card functionality on Windows client systems.
"A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names," VMware explains when describing the known attack vectors for CVE-2024-22245.
Luckily, the deprecated VMware EAP is not installed by default and is not a part of VMware's vCenter Server, ESXi, or Cloud Foundation products.
Admins have to manually install it on Windows workstations used for administration tasks to enable direct login when using the VMware vSphere Client through a web browser.
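Because the plug-in is installed per workstation rather than shipped with vCenter, the practical defensive step is an inventory of administrative Windows hosts. The following PowerShell check is an added example and is not code from the article or from VMware; it assumes the installed product registers an Uninstall entry whose DisplayName contains "Enhanced Authentication Plug-in" (the product name used in the article), and the function name Get-VMwareEapInstall is a hypothetical name chosen here.

```powershell
# Added example (not from the article or VMware): look for the deprecated
# VMware Enhanced Authentication Plug-in in the Windows Uninstall registry
# keys, which is what Add/Remove Programs reads.
# Assumption: the product's DisplayName contains "Enhanced Authentication
# Plug-in"; adjust $Pattern if your installer registers a different name.
$Pattern = '*Enhanced Authentication Plug-in*'

# 64-bit, 32-bit (WOW6432Node) and per-user install locations.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VMwareEapInstall {
    # Hypothetical helper name; returns one object per matching install entry.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString, PSPath
}

$found = Get-VMwareEapInstall
if ($found) {
    Write-Warning "Deprecated VMware EAP present on ${env:COMPUTERNAME}:"
    $found | Format-Table -AutoSize
    # UninstallString is the command Add/Remove Programs would run; review it
    # before pushing it through your software-deployment tooling fleet-wide.
} else {
    Write-Output "No VMware Enhanced Authentication Plug-in found on ${env:COMPUTERNAME}."
}
```

Run it under an account that can read HKLM on each administrative workstation (for example through your existing endpoint-management agent), and treat any hit as a host that still carries the unpatched plug-in until the uninstall has been confirmed.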
As an alternative to this vulnerable auth plug-in, VMware advises admins to use other VMware vSphere 8 authentication methods such as Active Directory over LDAPS, Microsoft Active Directory Federation Services, Okta, and Microsoft Entra ID.
Last month, VMware also confirmed that a critical vCenter Server remote code execution vulnerability patched in October was under active exploitation.