Severity: Critical
Advisory ID: VMSA-2024-0003
CVSSv3 Range: 9.6 – 7.8
Issue Date: 2024-02-20
Updated On: 2024-02-20 (Initial Advisory)
CVE(s): CVE-2024-22245, CVE-2024-22250
Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250)
1. Impacted Products
VMware Enhanced Authentication Plug-in (EAP)
2. Introduction
Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware. Guidance is available on removing this deprecated component from impacted environments.
3a. Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245)
Description
The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.
Known Attack Vectors
A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
Resolution
Workarounds
None.
Additional Documentation
A supplemental FAQ was created for clarification. Please see: https://via.vmw.com/vmsa-2024-0003-qna
Notes
Acknowledgements
VMware would like to thank Ceri Coburn from Pen Test Partners for reporting this issue to us.
3b. Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250)
Description
The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors
A malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.
Resolution
Workarounds
None.
Additional Documentation
A supplemental FAQ was created for clarification. Please see: https://via.vmw.com/vmsa-2024-0003-qna
Notes
Acknowledgements
VMware would like to thank Ceri Coburn from Pen Test Partners for reporting this issue to us.
Response Matrix
4. References
Fixed Version(s) and Release Notes:
https://kb.vmware.com/s/article/96442
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22250
FIRST CVSSv3 Calculator:
CVE-2024-22245: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2024-22250: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
5. Change Log
2024-02-20 VMSA-2024-0003
Initial security advisory.
6. Contact
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom. All rights reserved.