VMware urges users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw.
Tracked as CVE-2024-22245 (CVSS Score: 9.6), the vulnerability was described as an arbitrary authentication forwarding bug.
“An attacker could cause a user on the target domain with EAP installed in their web browser to request and submit service tickets for arbitrary Active Directory service principal names (SPNs),” the company said in an advisory.
EAP, deprecated as of March 2021, is a software package designed to provide direct access to vSphere interfaces and management tools through a web browser. It is not included by default and is not part of vCenter Server, ESXi, or Cloud Foundation.
A session hijacking flaw (CVE-2024-22250, CVSS score: 7.8) was also discovered in the same tool that could allow an attacker with local non-privileged access to a Windows operating system to take over a privileged EAP session.
Ceri Coburn of Pen Test Partners was credited with discovering and reporting the two vulnerabilities on October 17, 2023. It is currently unclear why it took VMware several months to “advise customers to uninstall the plug-in”.
It’s worth pointing out that the shortcomings only affect users who have added EAP to Microsoft Windows systems to connect to VMware vSphere via vSphere Client.
The Broadcom-owned company said the vulnerabilities will not be addressed, instead recommending users remove the plugin altogether to mitigate potential threats.
“The Advanced Authentication plugin can be removed from client systems using the client operating system software uninstallation method,” it added.
The disclosure comes as SonarSource revealed multiple cross-site scripting (XSS) flaws (CVE-2024-21726) impacting the Joomla! content management system. They have been fixed in versions 5.0.3 and 4.4.3.
“Inadequate content filtering leads to XSS vulnerabilities in various components,” Joomla! said in its advisory, rating the bug as moderate in severity.
“Attackers can exploit the issue to achieve remote code execution by tricking an administrator into clicking a malicious link,” said security researcher Stefan Schiller. Further technical details about the flaw are currently being withheld.
In a related development, several high-severity and critical vulnerabilities and misconfigurations have been identified in the Apex programming language developed by Salesforce to build enterprise applications.
At the heart of the problem is the ability to run Apex code in “no sharing” mode, which ignores user permissions, thus allowing malicious actors to read or exfiltrate data and even provide specially crafted input to alter the flow of execution.
“If exploited, vulnerabilities can lead to data leaks, data corruption, and corruption of business functions in Salesforce,” said Nitay Bachrach, security researcher at Varonis.
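The "no sharing" mode described above, shown as an added Apex example rather than code from Salesforce or Varonis (the two classes would live in separate class files; the `Invoice__c` object, its fields and the class names are assumptions): the first class bypasses the caller's record permissions and splices caller input into the query, the second enforces sharing rules and field-level security and binds the input.

```apex
// Added example. Hypothetical controller exposing invoice records to a Lightning component.
// Risky pattern: "without sharing" ignores the running user's record-level permissions,
// and building SOQL by string concatenation lets caller input alter the query text.
public without sharing class InvoiceLookupRisky {
    @AuraEnabled
    public static List<Invoice__c> byCustomer(String customerName) {
        String q = 'SELECT Id, Amount__c FROM Invoice__c WHERE Customer__c = \'' + customerName + '\'';
        return Database.query(q); // returns every matching record, regardless of who is asking
    }
}

// Hardened pattern: "with sharing" applies the caller's sharing rules, WITH SECURITY_ENFORCED
// makes the query fail (System.QueryException) if the caller lacks object or field access,
// and the bind variable keeps customerName as data rather than part of the query.
public with sharing class InvoiceLookupSafe {
    @AuraEnabled
    public static List<Invoice__c> byCustomer(String customerName) {
        return [SELECT Id, Amount__c
                FROM Invoice__c
                WHERE Customer__c = :customerName
                WITH SECURITY_ENFORCED];
    }
}
```

Reviewing an org for classes declared `without sharing` (or with no sharing keyword at all, which defaults to without sharing when called directly) and for `Database.query` over concatenated strings is a practical first pass at the misconfigurations the article refers to.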