VMSA-2024-0003

Advisory ID: VMSA-2024-0003
Severity: Critical
CVSSv3 Range: 9.6 – 7.8
Issue Date: 2024-02-20
Updated On: 2024-02-20 (Initial Advisory)
CVE(s): CVE-2024-22245, CVE-2024-22250

Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250)

1. Impacted Products

VMware Enhanced Authentication Plug-in (EAP)

2. Introduction

Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware. Guidance is available on removing this deprecated component from impacted environments.

3a. Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245)

Description

The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.

Known Attack Vectors

A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

Resolution

To address CVE-2024-22245, remove the EAP plugin by following the guidance in KB96442.

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://via.vmw.com/vmsa-2024-0003-qna

Notes

Deprecation of the EAP was announced in 2021 with the release of vCenter Server 7.0u2.

Acknowledgements

VMware would like to thank Ceri Coburn from Pen Test Partners for reporting this issue to us.

3b. Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250)

Description

The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.

Resolution

To address CVE-2024-22250, remove the EAP plugin by following the guidance in KB96442.
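Both resolutions come down to finding every Windows host that still carries the deprecated EAP and removing it per KB96442. The following PowerShell audit is an added example, not part of the VMware advisory or the KB: it sweeps the standard Windows uninstall registry keys for the product name given above and reports what it finds. The hostname list and the DisplayName pattern are assumptions; adjust them to your inventory.

```powershell
# Added example, not part of the VMware advisory or KB96442: audit Windows hosts for
# the deprecated VMware Enhanced Authentication Plug-in so it can be removed per KB96442.
# Assumptions: the product registers under the standard Windows uninstall keys and its
# DisplayName contains "VMware Enhanced Authentication". Hostnames below are constructed.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$NamePattern = 'VMware Enhanced Authentication*'
)

# Runs on each target and returns one object per matching uninstall entry.
$auditBlock = {
    param($pattern)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'  # per-user installs of the running account only
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                UninstallString = $_.UninstallString
                Advisory        = 'VMSA-2024-0003 (CVE-2024-22245, CVE-2024-22250)'
            }
        }
}

$results = foreach ($computer in $ComputerName) {
    try {
        if ($computer -in @('localhost', $env:COMPUTERNAME)) {
            & $auditBlock $NamePattern
        } else {
            # Remote hosts need WinRM; a failure is reported, not fatal, so the sweep continues.
            Invoke-Command -ComputerName $computer -ScriptBlock $auditBlock `
                -ArgumentList $NamePattern -ErrorAction Stop
        }
    } catch {
        Write-Warning "$computer`: $($_.Exception.Message)"
    }
}
if ($results) {
    $results | Format-Table ComputerName, DisplayName, DisplayVersion, UninstallString -AutoSize
    $results | Export-Csv -Path .\eap-audit.csv -NoTypeInformation
} else {
    Write-Host 'No VMware Enhanced Authentication Plug-in installations found.'
}
```

The CSV gives the list of hosts to work through with the KB96442 removal steps; the HKCU key only reflects the account the audit runs as, so per-user installs by other users need a logon-time check.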

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://via.vmw.com/vmsa-2024-0003-qna

Notes

Deprecation of the EAP was announced in 2021 with the release of vCenter Server 7.0u2.

Acknowledgements

VMware would like to thank Ceri Coburn from Pen Test Partners for reporting this issue to us.

Response Matrix

Product: VMware Enhanced Authentication Plug-in (EAP)
Version: Any
Running On: Any
CVE Identifier: CVE-2024-22245, CVE-2024-22250
CVSSv3: 9.6, 7.8
Severity: Critical
Fixed Version:
Workarounds: None
Additional Documentation:

4. References

5. Change Log

2024-02-20 VMSA-2024-0003
Initial security advisory.

6. Contact

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2024 Broadcom. All rights reserved.
