VMware is urging network administrators to remove an out-of-date plug-in for its VSphere, which has two flaws — one of them critical — that can allow attackers with access to a Windows client system to hijack cloud computing sessions.

VMware this week released a security advisory addressing the flaws — one tracked as CVE-2024-22245, with a severity rating of 9.6, and one tracked as CVE-2024-22250, with a severity rating of 7.8 — which are found in VMware Enhanced Authentication Plug-in (EAP). EAP makes it easy to sign in to vSphere's management interfaces via integrated Windows Authentication and Windows-based smart-card functionality on Windows client systems, according to a blog post by vulnerability-detection security firm Vulnera.

CVE-2024-22245 is an arbitrary authentication relay vulnerability, while CVE-2024-22250 is a session-hijack flaw, according to VMware. Threat actors can exploit CVE-2024-22245 "to relay Kerberos service tickets and seize control of privileged EAP sessions," while CVE-2024-22250 can be used by a malicious actor with unprivileged local access to a Windows OS to "hijack a privileged EAP session when initiated by a privileged domain user on the same system," according to Vulnera.

The company credited Ceri Coburn at Pen Test Partners for discovering the vulnerabilities and responsibly disclosing them, which according to a blog post published today by Pen Test was done on Oct. 17. VMware did not offer an explanation for why it took several months to release a vulnerability advisory and mitigation.

How the Flaws Work

EAP creates a seamless login experience for the Web console of vSphere, VMware's virtualization platform that creates aggregated cloud computing infrastructures composed of CPU, storage, and networking resources out of data center environments.

Digging further into the flaws, the critical CVE-2024-22245 is a Kerberos relay vulnerability that allows a malicious website to trigger the same authentication flow that the typical vCenter login page uses, according to Pen Test's blog post. In this scenario, EAP will notify the end user that a website is trying to communicate with the plug-in, which the user must accept; however, an unsuspecting user who accepts the request is then vulnerable to attack.

"A malicious website can then request Kerberos tickets for any service within the victim's Active Directory network as the victim user," according to Pen Test's posting.

Meanwhile, CVE-2024-22250 is related to weak permissions set on the VMware EAP log file stored within the ProgramData folder. Because the log file is configured to allow any local user to read it, an attacker can set up an automated script to read from the log file and listen for new session IDs, according to Pen Test.

Once a new session ID is logged, an attacker can request arbitrary service tickets on behalf of users within other sessions, and then access Kerberos-related services configured within the Active Directory network as the hijacked user from the other session.

"Unlike the first CVE, this one does not require an interaction with a suspicious website," according to Pen Test. "The attacker simply waits for the authentication to occur to a legitimate vCenter login page, [then hijacks] the user session."

Remove Vulnerable Plug-in Now

VMware has responded not by patching EAP — which was discontinued by VMware in March 2021 with the launch of vCenter Server 7.0 Update 2 — but it's giving administrators step-by-step instructions in an article on its website that explains how it can be removed.

So far, there is no evidence that the flaws have been exploited by threat actors, according to VMware. However, historically, threat actors pounce on VMware flaws because of the opportunity they present to compromise a cloud environment and thus provide access to myriad enterprise resources and data. For instance, despite being patched, attackers pummeled a previously disclosed VMware ESXi hypervisor flaw that was exploitable in many ways for years. Thus, mitigating risk by removing EAP as soon as possible is crucial, VMware and security researchers alike said.

Pen Test deemed the move to forgo patching "unfortunate," as the vSphere 7 product line that uses the plug-in remains supported until April 2025. But in some good news for VMware customers, systems using vSphere will not have EAP installed by default, nor is the plug-in included in VMware's vCenter Server, ESXi, or Cloud Foundation products. Administrators have to manually install EAP on Windows workstations used for administrative tasks to enable direct login when using the VMware vSphere Client via a Web browser, according to Vulnera.

VMware has instructed clients using EAP to remove both entities that comprise the plug-in (the in-browser plug-in/client "VMware Enhanced Authentication Plug-in 6.7.0" and the Windows service "VMware Plug-in Service"). If this is not possible, administrators also can disable the Windows service.

VMware presents three options for removing each of these components from either the control panel or the installer, or by using PowerShell, according to its instructions. The company also presented safer alternatives to using EAP, including VMware vSphere 8 authentication methods such as Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD).