VMSA-2024-0003:Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250)

Article: 24257 (last updated 07 May 2024; status: CLOSED)

Advisory ID: VMSA-2024-0003
CVSSv3 Range: 9.6 - 7.8
Issue Date: 2024-02-20
Updated On: 2024-02-20 (Initial Advisory)
CVE(s): CVE-2024-22245, CVE-2024-22250
Severity: CRITICAL
Workarounds: None
Synopsis: Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250)
1. Impacted Products

VMware Enhanced Authentication Plug-in (EAP)

2. Introduction

Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware. Guidance is available on removing this deprecated component from impacted environments.

3a. Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245)

Description

The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.

Known Attack Vectors

A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

Resolution

To address CVE-2024-22245, remove the EAP plug-in by following the guidance in KB96442.

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://via.vmw.com/vmsa-2024-0003-qna

Notes

Deprecation of the EAP was announced in 2021 with the release of vCenter Server 7.0u2.

Acknowledgements

VMware would like to thank Ceri Coburn from Pen Test Partners for reporting this issue to us.

3b. Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250)

Description

The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when it is initiated by a privileged domain user on the same system.

Resolution

To address CVE-2024-22250, remove the EAP plug-in by following the guidance in KB96442.
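Both resolutions above (3a and 3b) come down to the same action: find every Windows host that still carries the deprecated EAP and remove it. The following inventory check is an added example, not VMware's code and not part of KB96442. It assumes the plug-in registers a standard Windows uninstall entry whose DisplayName contains "Enhanced Authentication Plug-in"; the registry roots it scans are the usual machine-wide (64-bit and WOW6432Node) and per-user uninstall hives, and the name pattern should be adjusted if your environment shows a different DisplayName.

```powershell
# Added example (not from VMware or KB96442): report whether the deprecated
# VMware Enhanced Authentication Plug-in (EAP) is present on this Windows host,
# so fleet-wide scans can flag systems still exposed to CVE-2024-22245 / CVE-2024-22250.
# Assumption: EAP registers an uninstall entry whose DisplayName matches $pattern.
$pattern = '*Enhanced Authentication Plug-in*'

# Standard Windows uninstall hives: 64-bit, 32-bit-on-64-bit, and per-user installs.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -like $pattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString,
                      @{ Name = 'RegistryKey'; Expression = { $_.PSPath } }
}

if ($found) {
    Write-Output "Deprecated EAP detected on $env:COMPUTERNAME; remove it per KB96442:"
    $found | Format-List
    exit 1   # non-zero exit code lets a scheduled scan single out affected hosts
}
else {
    Write-Output "No EAP uninstall entry found on $env:COMPUTERNAME."
    exit 0
}
```

Run it under an account that can read HKLM, and run the HKCU check in the context of each interactive user if per-user browser plug-in installs are possible in your environment; a clean result from one user's session does not prove the host is free of the plug-in.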

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://via.vmw.com/vmsa-2024-0003-qna

Notes

Deprecation of the EAP was announced in 2021 with the release of vCenter Server 7.0u2.

Acknowledgements

VMware would like to thank Ceri Coburn from Pen Test Partners for reporting this issue to us.

Response Matrix

Product: VMware Enhanced Authentication Plug-in (EAP)
Version: Any
Running On: Any
CVE Identifier: CVE-2024-22245, CVE-2024-22250
CVSSv3: 9.6 (CVE-2024-22245), 7.8 (CVE-2024-22250)
Severity: Critical
Fixed Version: N/A (remove the plug-in per KB96442)
Workarounds: None
Additional Documentation: https://via.vmw.com/vmsa-2024-0003-qna
4. References
5. Change Log

2024-02-20 VMSA-2024-0003
Initial security advisory.

6. Contact

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2024 Broadcom. All rights reserved.