Tech Support
Documentation
Login
Contact Us
VMWare Urges Users to Uninstall EAP Immediately
Rohan Timalsina
March 6, 2024 - TuxCare expert team
VMware has issued a no-patch advisory urging users to take swift action by removing the deprecated Enhanced Authentication Plug-in (EAP). EAP was deprecated nearly three years ago, in March 2021, with the rollout of vCenter Server 7.0 Update 2. However, the discovery of an arbitrary authentication relay flaw in EAP, identified as CVE-2024-22245 with a significant CVSS score of 9.6, has sent shockwaves through the virtualization community.
The deprecated Enhanced Authentication Plugin (EAP), once a stalwart component facilitating seamless login to vSphere management interfaces, now stands as a potential gateway for threat actors. VMware’s warning underscores the gravity of the situation: a malicious actor could exploit this vulnerability to manipulate domain users with EAP installed in their web browsers into unwittingly relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
The implications of CVE-2024-22245 extend beyond mere inconvenience. They strike at the heart of virtual infrastructure security, underscoring the imperative for proactive measures. Ceri Coburn from Pen Test Partners, the individual responsible for responsibly reporting these vulnerabilities, has shed light on the severity of the situation.
Moreover, VMware has also discovered a session hijack vulnerability, CVE-2024-22250, with a CVSS score of 7.8. This vulnerability, allowing a malicious actor with unprivileged local access to a Windows operating system to hijack a privileged EAP session, further underscores the multifaceted nature of the threat landscape.
Mitigation Measures
In light of these vulnerabilities, users are urged to prioritize security measures, which is uninstalling the deprecated Enhanced Authentication Plugin (EAP). To mitigate the CVE-2024-22245 and CVE-2024-22250, administrators must uninstall both the in-browser plugin/client (VMware Enhanced Authentication Plug-in 6.7.0) and the Windows service (VMware Plug-in Service).
Instead of this vulnerable authentication plugin, VMware suggests administrators utilize other authentication methods available in VMware vSphere 8, such as Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD).
The sources for this article include a story from BleepingComputer.
