VMware today urged administrators to remove a discontinued authentication plugin that is exposed to authentication relay and session hijack attacks in Windows domain environments because of two unpatched security vulnerabilities.
The vulnerable VMware Enhanced Authentication Plug-in (EAP) provides Integrated Windows Authentication and Windows-based smart card functionality on Windows client systems, enabling seamless login to vSphere's management interfaces.
VMware announced the deprecation of EAP almost three years ago, with the release of vCenter Server 7.0 Update 2 in March 2021.
Attackers can relay Kerberos service tickets and take control of privileged EAP sessions using the two security flaws, tracked as CVE-2024-22245 (CVSSv3 base score 9.6/10) and CVE-2024-22250 (7.8/10).
Describing the known attack vectors for CVE-2024-22245, VMware explains that "a malicious actor could trick a target domain user into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)" when EAP is installed in the user's web browser.
For CVE-2024-22250, the company added that a malicious actor with unprivileged local access to the Windows operating system can hijack a privileged EAP session initiated by a privileged domain user on the same system.
The company also said there is currently no evidence that either flaw has been exploited in attacks.
How to protect vulnerable systems
To address the CVE-2024-22245 and CVE-2024-22250 security flaws, administrators must remove both the Windows service (VMware Plug-in Service) and the in-browser plugin/client (VMware Enhanced Authentication Plug-in 6.7.0).
You can use the following PowerShell commands (as suggested here) to remove them, or to disable the Windows service if removal is not an option:

# Uninstall
(Get-WmiObject -Class Win32_Product | Where-Object { $_.Name.StartsWith("VMware Enhanced Authentication Plug-in") }).Uninstall()
(Get-WmiObject -Class Win32_Product | Where-Object { $_.Name.StartsWith("VMware Plug-in Service") }).Uninstall()

# Stop/Disable service
Stop-Service -Name "CipMsgProxyService"
Set-Service -Name "CipMsgProxyService" -StartupType "Disabled"
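The commands above remove EAP from one workstation. For a fleet of admin workstations it helps to first audit which hosts still carry the plug-in and its service, then remediate only those. The script below is an added example written for this article; it is not VMware's code or part of the advisory. It reuses the service name (CipMsgProxyService) and the product names quoted above, but the function names, parameters and the registry-based check are this example's own choices. The audit reads the Windows Installer Uninstall registry keys rather than Win32_Product, because enumerating Win32_Product makes Windows Installer run a consistency check (and possible repair) of every installed MSI package, which is slow and noisy on a large estate.

```powershell
# Added example, not from the article or from VMware: audit a Windows admin workstation
# for the deprecated VMware Enhanced Authentication Plug-in (EAP) and its service,
# and optionally remove or disable them. Names come from the article; the
# functions and parameters are hypothetical conveniences for this example.

function Get-VmwareEapInstallState {
    [CmdletBinding()]
    param(
        # Product display-name prefixes used in the article's removal commands
        [string[]]$ProductPrefixes = @("VMware Enhanced Authentication Plug-in", "VMware Plug-in Service"),
        # Windows service installed by the VMware Plug-in Service package
        [string]$ServiceName = "CipMsgProxyService"
    )

    # Uninstall keys for 64-bit and 32-bit installers; cheaper than Win32_Product
    $uninstallKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )

    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($ProductPrefixes | Where-Object { $name.StartsWith($_) })
        } |
        Select-Object DisplayName, DisplayVersion, PSChildName, UninstallString

    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Products         = @($products)
        ServicePresent   = [bool]$service
        ServiceStatus    = if ($service) { $service.Status.ToString() } else { "absent" }
        ServiceStartType = if ($service) { $service.StartType.ToString() } else { "absent" }
        # Any leftover package or service means the host still needs attention
        Vulnerable       = [bool]($products -or $service)
    }
}

function Remove-VmwareEap {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only stop and disable the service (the article's fallback when removal is not an option)
        [switch]$DisableOnly
    )

    $state = Get-VmwareEapInstallState
    if (-not $state.Vulnerable) {
        Write-Verbose "EAP not present on $($state.ComputerName); nothing to do."
        return $state
    }

    # Stop and disable the service first so no new EAP session can be started
    if ($state.ServicePresent -and $PSCmdlet.ShouldProcess("CipMsgProxyService", "Stop and disable")) {
        Stop-Service -Name "CipMsgProxyService" -Force -ErrorAction SilentlyContinue
        Set-Service -Name "CipMsgProxyService" -StartupType Disabled
    }

    if (-not $DisableOnly) {
        foreach ($p in $state.Products) {
            # MSI products have a GUID product code as the Uninstall key name; use it
            # with msiexec for a silent removal instead of calling Win32_Product.Uninstall()
            if ($p.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' -and
                $PSCmdlet.ShouldProcess($p.DisplayName, "msiexec /x")) {
                Start-Process -FilePath "msiexec.exe" `
                    -ArgumentList "/x", $p.PSChildName, "/qn", "/norestart" -Wait -NoNewWindow
            }
        }
    }

    # Re-audit so the caller gets the post-remediation state
    Get-VmwareEapInstallState
}

# Usage: audit this host, then remove with confirmation preview first
Get-VmwareEapInstallState | Format-List
Remove-VmwareEap -WhatIf
```

Because Remove-VmwareEap supports -WhatIf and -Confirm, you can dry-run it before changing anything; Get-VmwareEapInstallState can be pushed to many hosts with Invoke-Command and the Vulnerable flag used to build the list of workstations that still need the removal.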
The deprecated VMware EAP is not installed by default and is not part of VMware's vCenter Server, ESXi, or Cloud Foundation products.
Instead, administrators install it manually on the Windows workstations they use for administrative tasks, to enable direct login when using the VMware vSphere Client through a web browser.
VMware advises administrators to use other VMware vSphere 8 authentication methods instead of the vulnerable plug-in, such as Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD).
Last month, VMware confirmed that a critical vCenter Server remote code execution vulnerability (CVE-2023-34048), patched in October, was being actively exploited.
Mandiant revealed that the Chinese cyber-espionage group UNC3886 had been abusing it as a zero-day for more than two years, since at least late 2021.