A critical vulnerability in VMware vSphere plugin allows session hijacking

VMware is urging administrators to remove a deprecated plugin for vSphere that carries two flaws, one of them critical, which could let an attacker with access to a Windows client system hijack privileged vSphere sessions.

VMware this week released a security advisory addressing two flaws in the VMware Enhanced Authentication Plug-in (EAP): CVE-2024-22245, with a CVSS severity score of 9.6, and CVE-2024-22250, with a score of 7.8. EAP simplifies access to vSphere management interfaces by providing integrated Windows authentication and Windows-based smart-card login on Windows client systems, according to a blog post from vulnerability management company Vulnera.

CVE-2024-22245 is an arbitrary authentication relay vulnerability, while CVE-2024-22250 is a session hijack vulnerability, according to VMware. Threat actors can exploit CVE-2024-22245 “to escalate Kerberos service tickets and take control of privileged EAP sessions,” while CVE-2024-22250 can be used by a malicious actor with local, non-privileged access to a Windows operating system to “hijack a privileged user EAP session when initiated by a privileged domain user on the same system,” according to Vulnera.

VMware credited Ceri Coburn of Pen Test Partners with discovering the vulnerabilities and disclosing them responsibly; a blog post published today by Pen Test Partners says the disclosure was made on October 17. VMware did not offer an explanation for why it took several months to publish an advisory and mitigation for the flaws.

How the flaws work

EAP provides a seamless login experience for the web console of vSphere, VMware’s virtualization platform, which pools the CPU, storage, and networking resources of a data center into aggregated infrastructure that can be managed as a whole.

Digging further into the flaws, the critical CVE-2024-22245 is a Kerberos relay vulnerability: a malicious website can trigger the same authentication flow that the legitimate vCenter login page uses, according to Pen Test Partners’ blog post. EAP does prompt the end user that a website is attempting to communicate with the plugin, and the user must accept the prompt; but an unsuspecting user who accepts the request is then exposed to the attack.

“A malicious website can then request Kerberos tickets for any service within the victim’s Active Directory network as the victim user,” according to Pen Test Partners’ post.

Meanwhile, CVE-2024-22250 stems from weak permissions on the EAP log file stored in the ProgramData folder. Because the log file is readable by any local user, an attacker can run a script that watches the file and waits for new session IDs to appear, according to Pen Test Partners.

Once a new session ID is logged, the attacker can use it to request arbitrary service tickets on behalf of the user in that other session, and then access Kerberos-authenticated services within the Active Directory network as the hijacked user.

“Unlike the first CVE, this one does not require interaction with a suspicious website,” according to Pen Test Partners. “The attacker simply waits for authentication to occur on a legitimate vCenter login page, [then hijacks] the user session.”
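The session-hijack flaw comes down to a log file that any local user can read. The following PowerShell script is an added example, not code from Pen Test Partners or VMware, that audits an NTFS directory and flags any file or folder on which a broad local principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) is allowed to read data. The default path under ProgramData is an assumption for illustration; the article only says the log lives in the ProgramData folder, so point it at the real log location on your workstation.

```powershell
# Added example: audit a log directory for ACEs that grant read access to broad
# local groups, the condition behind CVE-2024-22250 as described above.
# The default directory is an ASSUMPTION, not a path taken from the advisory.
param(
    [string]$LogDir = "$env:ProgramData\VMware"
)

# Principals whose read access effectively means "any local user can read".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# ReadData is the bit that allows reading file contents (also set by Read,
# ReadAndExecute, Modify and FullControl).
$ReadMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-BroadReadAccess {
    # Returns one object per Allow ACE that gives a broad principal read access.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $ReadMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited from ProgramData defaults?
        }
    }
}

if (-not (Test-Path -LiteralPath $LogDir)) {
    Write-Warning "$LogDir not found; nothing to audit."
    return
}

# Audit the directory itself plus every file below it.
$targets = @(Get-Item -LiteralPath $LogDir) +
           @(Get-ChildItem -LiteralPath $LogDir -Recurse -File)
$results = $targets | ForEach-Object { Test-BroadReadAccess -Path $_.FullName }

if ($results) {
    Write-Host "Broadly readable log material found under $LogDir:" -ForegroundColor Yellow
    $results | Format-Table -AutoSize
} else {
    Write-Host "No broad read access found under $LogDir."
}
```

The Inherited column matters: ProgramData grants BUILTIN\Users read access by default, so an installer that writes logs there without breaking inheritance ends up with world-readable logs, which is exactly the class of mistake described above. The script only reports; VMware's supported mitigation for EAP is removal, not re-permissioning the log.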

Remove the vulnerable plugin now

VMware did not patch EAP, which it deprecated in March 2021 with the release of vCenter Server 7.0 Update 2. Instead, the company provides administrators with detailed removal instructions in a knowledge base article on its website.

So far there is no evidence that the flaws have been exploited in the wild, according to VMware. Historically, however, threat actors have pounced on VMware flaws because compromising a virtualization environment can provide access to a myriad of corporate resources and data. For example, attackers widely exploited a previously disclosed VMware ESXi hypervisor flaw years after a patch had been released, because many systems remained unpatched. Removing EAP as soon as possible is therefore critical, both VMware and security researchers said.

Pen Test Partners called the decision to forgo a patch “unfortunate,” since the vSphere 7 product line, which uses the plugin, remains supported until April 2025. There is some good news for VMware customers: vSphere does not install EAP by default, and the plugin is not included in VMware’s vCenter Server, ESXi, or Cloud Foundation products. According to Vulnera, administrators must manually install EAP on the Windows workstations used for administrative tasks to enable direct login when using the vSphere Client in a web browser.

VMware instructs customers using EAP to remove both components that make up the plugin: the in-browser plugin/client, “VMware Enhanced Authentication Plug-in 6.7.0,” and the Windows service, “VMware Plug-in Service.” If removal is not possible, administrators can instead disable the Windows service.

VMware’s instructions give three ways to remove each component: from Control Panel, from Settings, or with PowerShell. The company also points to more secure alternatives to EAP, including the vSphere 8 authentication methods Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD).
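The removal procedure above (uninstall the plugin, remove or at least disable the service, then verify) can be scripted for a fleet of admin workstations. The script below is an added example written for this article; it is not the PowerShell from VMware's knowledge base article. The two display names come from the article; the registry walk, the assumption that the plugin was installed as an MSI package, and the fallback to disabling the service are mine.

```powershell
# Added example: inventory, remove, and verify the two EAP components named in
# the advisory coverage. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$PluginDisplayName  = 'VMware Enhanced Authentication Plug-in'   # matches "... 6.7.0"
$ServiceDisplayName = 'VMware Plug-in Service'

# Add/Remove Programs entries for 64-bit and 32-bit installers.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-EapInstallEntries {
    # Walk the uninstall keys rather than Win32_Product, which triggers MSI
    # reconfiguration of every installed package when queried.
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like "$PluginDisplayName*") {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    ProductCode     = $_.PSChildName      # GUID when MSI-based (assumed)
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

function Remove-EapPlugin {
    foreach ($entry in Get-EapInstallEntries) {
        Write-Host "Removing $($entry.DisplayName) $($entry.DisplayVersion)"
        if ($entry.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
            # MSI package: silent uninstall by product code, no reboot prompt.
            Start-Process msiexec.exe -ArgumentList "/x $($entry.ProductCode) /qn /norestart" -Wait
        } else {
            Write-Warning "Non-MSI uninstaller; run it manually: $($entry.UninstallString)"
        }
    }
}

function Disable-EapService {
    # Fallback described in the article: if removal is not possible, stop and
    # disable the Windows service so it cannot serve a browser session.
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "Service '$ServiceDisplayName' not present."; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc -Force }
    Set-Service -InputObject $svc -StartupType Disabled
    Write-Host "Service '$($svc.Name)' stopped and disabled."
}

# Inventory -> remove -> fall back to disabling -> verify.
$before = @(Get-EapInstallEntries)
if ($before.Count -eq 0) { Write-Host "EAP not listed in Add/Remove Programs." }
Remove-EapPlugin
Disable-EapService

$after    = @(Get-EapInstallEntries)
$svcAfter = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
if ($after.Count -eq 0 -and (-not $svcAfter -or $svcAfter.StartType -eq 'Disabled')) {
    Write-Host "EAP components removed or neutralised on $env:COMPUTERNAME."
} else {
    Write-Warning "EAP remnants remain on $env:COMPUTERNAME; review the output above."
}
```

Because the service is the half that brokers Kerberos tickets for the browser, the verification step treats a still-present but disabled service as acceptable only as the interim state the article describes; the goal remains full removal of both components, and the final check reports any leftover Add/Remove Programs entry as a remnant.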
