In a recent announcement, VMware is advising administrators to promptly remove a discontinued authentication plugin that still carries unpatched security flaws, leaving Windows domain environments vulnerable to authentication relay and session hijack attacks. The affected component, the VMware Enhanced Authentication Plug-in (EAP), provides seamless login to vSphere’s management interfaces using Integrated Windows Authentication and Windows-based smart card functionality on Windows client systems.
VMware deprecated the plugin almost three years ago, in March 2021, with the release of vCenter Server 7.0 Update 2, but the vulnerabilities have not been patched. The identified security flaws, tracked as CVE-2024-22245 (with a 9.6/10 CVSSv3 base score) and CVE-2024-22250 (with a 7.8/10 score), expose systems with the plugin installed to potential exploitation by malicious actors.
The first vulnerability (CVE-2024-22245) can be leveraged by attackers to relay Kerberos service tickets, targeting arbitrary Active Directory Service Principal Names (SPNs). VMware outlines that a malicious actor could deceive a target domain user, who has the EAP installed in their web browser, into requesting and relaying service tickets.
The second vulnerability (CVE-2024-22250) allows a malicious actor with unprivileged local access to a Windows operating system to hijack a privileged EAP session initiated by a privileged domain user on the same system.
As of now, VMware reports no evidence of these security vulnerabilities being exploited in the wild. However, the company emphasizes the importance of administrators taking immediate action to remove the deprecated EAP to mitigate potential risks in Windows domain environments.
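Since the only mitigation VMware offers is removal, the first practical step is to find out which Windows hosts still have the plugin installed. The PowerShell below is an added example for that inventory and clean-up step; it is not VMware's own removal guidance or code from the article. It assumes the plugin registers an entry under the standard Windows Uninstall registry keys whose `DisplayName` contains "Enhanced Authentication Plug-in" (an assumption to verify against the actual entry on one host before removing anything), and that MSI-based entries record a product code GUID in their `UninstallString`.

```powershell
# Added example (not from the article or from VMware): inventory and optional
# removal of the deprecated VMware Enhanced Authentication Plug-in (EAP).
# Assumption: the plugin's Add/Remove Programs entry has a DisplayName that
# contains "Enhanced Authentication Plug-in". Verify on one host first.

function Find-VMwareEap {
    # Both 64-bit and 32-bit (WOW6432Node) machine-wide keys, plus per-user installs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Enhanced Authentication Plug-in*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Remove-VMwareEap {
    param([switch]$WhatIf)   # -WhatIf only reports what would be run
    foreach ($entry in Find-VMwareEap) {
        $cmd = $entry.UninstallString
        if (-not $cmd) {
            Write-Warning "No UninstallString recorded for '$($entry.DisplayName)'; remove manually."
            continue
        }
        # MSI installers record "MsiExec.exe /I{GUID}" or "/X{GUID}"; extract the
        # product code and run a silent, no-reboot uninstall with it.
        if ($cmd -match '\{[0-9A-Fa-f-]+\}') {
            $msiArgs = "/x $($Matches[0]) /qn /norestart"
            if ($WhatIf) { Write-Host "Would run: msiexec.exe $msiArgs"; continue }
            Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -NoNewWindow
        }
        else {
            # Non-MSI uninstaller: run the recorded command as-is.
            if ($WhatIf) { Write-Host "Would run: $cmd"; continue }
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$cmd`"" -Wait -NoNewWindow
        }
    }
}

# Usage: list first, review the matches, then remove.
Find-VMwareEap | Format-Table -AutoSize
# Remove-VMwareEap -WhatIf
# Remove-VMwareEap
```

Run `Find-VMwareEap` across the fleet through whatever remote-execution or endpoint-management tooling you already use, and keep the output as a record of which workstations were exposed; an empty result on every host is the state the advisory asks for. Because the session-hijack flaw (CVE-2024-22250) only needs unprivileged local access, shared or multi-user administrative jump hosts are the machines to check first.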