Security News > 2024 > February > VMware pushes admins to uninstall vulnerable, deprecated vSphere plugin (CVE-2024-22245, CVE-2024-22250)

VMware Enhanced Authentication Plug-in, a plugin for VMware vSphere, has two vulnerabilities that could be exploited by attackers to mount authentication relay and session hijack attacks.

Instead, VMware is urging admins to remove the EAP plugin, whose deprecation was announced back in 2021.

CVE-2024-22250, a session hijack vulnerability, allows "Local users to request Kerberos tickets from other users during authentication to the VMware vSphere web console" - as explained by Ceri Coburn, an infosec consultant with Pen Test Partners, who reported the two flaws back in October 2023.

In case the plugin cannot be unistalled, admins should stop/disable the Windows service or firewall inbound/outbound TCP traffic to vmware-plugin:8094.

"Unfortunately, VMware have decided not to fix the issue as they deem the enhanced authentication plugin as no longer supported, even though the vSphere 7 product line that uses the plugin remains supported until April 2025. Unfortunately, this does mean that you will no longer be able to perform SSO based authentication to the vSphere v7 web console and will be forced to upgrade to the v8 product line even though v7 is still supported if you still wish to leverage SSO," he noted.

"VMware vSphere 8 supports a range of authentication methods, including connections to Active Directory over LDAPS, Microsoft Active Directory Federation Services, Okta, and Microsoft Entra ID," Vmware said.

News URL

https://www.helpnetsecurity.com/2024/02/21/cve-2024-22245-cve-2024-22250/