Advisory

VMware alerts of Enhanced Authentication Plugin critical vulnerability, urges removal

Take action: if you are using the VMware EAP plugin, stop. It is vulnerable, unsupported and deprecated, and better alternatives are available now.


Learn More

VMware has issued an urgent advisory to administrators to remove a legacy authentication plugin, the VMware Enhanced Authentication Plugin (EAP), which has serious security vulnerabilities.

The plugin, intended to facilitate seamless login to vSphere's management interfaces through integrated Windows Authentication and Windows-based smart card functionality, has been found susceptible to authentication relay and session hijack attacks in Windows domain environments. The vulnerabilities, which have not been patched, are tracked as:

  • CVE-2024-22245 (CVSS score 9.6) enables attackers to manipulate Kerberos service ticket relaying to target arbitrary Active Directory Service Principal Names (SPNs), potentially leading to unauthorized access.
  • CVE-2024-22250 (CVSS score 7.8) allows local attackers with non-privileged access to a Windows system to hijack sessions initiated by privileged users, posing a significant risk to system security.

VMware had already announced the phasing out of the EAP nearly three years ago, in March 2021, with the rollout of vCenter Server 7.0 Update 2, highlighting the company's move towards more secure and modern authentication solutions.

EAP is not a component of VMware's core products like vCenter Server, ESXi, or Cloud Foundation and must be manually installed on Windows workstations. For secure authentication, VMware advises the use of alternative methods compatible with VMware vSphere 8, including Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD).

To mitigate the risks associated with these vulnerabilities, VMware recommends the complete removal of both the in-browser plugin/client and the associated Windows service. Detailed instructions for removing the plugin, or for stopping and disabling the service, are provided as PowerShell commands.
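The following PowerShell script is an added example, not VMware's own KB procedure: it audits a Windows workstation for the deprecated plugin and its companion service, reports what it finds, and with -Remove stops and disables the service and uninstalls the plugin via MSI. The product and service display-name patterns are assumptions and should be confirmed against VMware's advisory before the script is used for removal.

```powershell
# Added example (not VMware's KB script): audit a Windows host for the deprecated
# Enhanced Authentication Plug-in and its service; optionally stop, disable, uninstall.
# Name patterns are assumptions; confirm exact names against VMware's advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProductPattern = '*VMware Enhanced Authentication Plug*',  # assumed product display name
    [string]$ServicePattern = '*VMware Plug-in Service*',               # assumed service display name
    [switch]$Remove                                                      # without -Remove: report only
)
# Read the Uninstall registry keys rather than Win32_Product: querying Win32_Product
# triggers an MSI consistency check (and possible repair) of every installed product.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ProductPattern }
$services = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern }
if (-not $products -and -not $services) {
    Write-Output 'EAP not found: no matching product or service on this host.'
    return
}
foreach ($p in $products) {
    Write-Output ("Found product: {0} {1}" -f $p.DisplayName, $p.DisplayVersion)
}
foreach ($s in $services) {
    Write-Output ("Found service: {0} ({1}) state={2} start={3}" -f `
        $s.DisplayName, $s.Name, $s.Status, $s.StartType)
}
if (-not $Remove) { return }
# Stop and disable the service first, so the relay/hijack surface is closed
# even if the MSI uninstall below fails.
foreach ($s in $services) {
    if ($PSCmdlet.ShouldProcess($s.Name, 'Stop and disable service')) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
    }
}
# Uninstall through MSI using the ProductCode recorded as the registry key name.
foreach ($p in $products) {
    $code = $p.PSChildName
    if ($code -match '^\{[0-9A-Fa-f-]{36}\}$' -and
        $PSCmdlet.ShouldProcess($p.DisplayName, 'msiexec /x')) {
        Start-Process -FilePath msiexec.exe -ArgumentList "/x $code /qn /norestart" -Wait
    }
}
```

Run it without -Remove first to inventory hosts; -Remove -WhatIf shows what would be stopped and uninstalled without changing anything.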
