VMware Warning: Uninstall Enhanced Authentication Plug-in (EAP)

Posted on 2024-02-22 by guenni

Sicherheit (Pexels, allgemeine Nutzung)[German]Virtualisation vendor VMware has just issued a security warning. It concerns the Enhanced Authentication Plug-in (EAP), which should be uninstalled as a matter of urgency. Critical vulnerabilities have been found in the Enhanced Authentication Plug-in (EAP). We do not know if EAP is still in use, as it has been retired as obsolete in 2021. In addition, EAP is not included in vCenter Server, ESXi or Cloud Foundation installations.

Advertising

I have seen the reference to security problems with the VMware Enhanced Authentication Plug-in (EAP) on X in several tweets. VMware by Broadcom published the Security Advisory VMSA-2024-0003 on 20, February 2024.

Uninstall VMware Enhanced Authentication Plug-in (EAP)

As of 9 March 2021, VMware has already announced the discontinuation of EAP in the VMware vCenter Server 7.0 Update 2 Release Notes (see section "Deprecation of SSPI, CAC and RSA" in the Product Support Notices). Now it has to be done very quickly – anyone still using this Enhanced Authentication Plug-in (EAP) for authentication should uninstall it immediately. This is because two critical vulnerabilities have been discovered in this plug-in.

  • CVE-2024-22245: AArbitrary Authentication Relay and Session Hijack vulnerability in the outdated VMware Enhanced Authentication Plug-in (EAP). The vulnerability could allow an attacker to trick a target domain user with EAP installed in their web browser by requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). This vulnerability has a severity rating of "Critical" and has been assigned a maximum CVSSv3 base score of 9.6.
  • CVE-2024-22250: Session hijacking vulnerability in the outdated VMware Enhanced Authentication Plug-in (EAP). The vulnerability could allow an attacker with unprivileged local access to a Windows operating system to hijack a privileged EAP session if initiated by a privileged domain user on the same system. VMware has rated the severity of this vulnerability as "important", with a maximum CVSSv3 base score of 7.8.

To eliminate the vulnerabilities, administrators must uninstall the EAP plugin in their VMware products. VMware has published the instructions in KB96442 (Removing the deprecated VMware Enhanced Authentication Plugin (EAP) to address CVE-2024-22245 and CVE-2024-22250 (96442)) on 20 February 2024. EAP consists of two components:

  • In-Browser-Plugin/Client, "VMware Enhanced Authentication Plug-in 6.7.0"
  • Windows service, "VMware Plug-in Service"

According to VMware by Broadcom, both applications must be removed from the endpoint systems in order to mitigate the vulnerabilities. Details can be found in the instructions. The Hacker News has some more assessments from security experts on the vulnerabilities here. Does anyone else in the readership use EAP at all?

Advertising
Cookies helps to fund this blog: Cookie settings
Advertising

This entry was posted in Security, Software, Virtualization and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *