VMware issued a security advisory Tuesday warning users to uninstall the VMware Enhanced Authentication Plug-in (EAP) due to critical and high severity vulnerabilities.
The VMware EAP is a deprecated browser plugin that enables seamless single sign-on (SSO) to vSphere’s management interface from client workstations. It is an optional feature that stopped receiving support with the release of VMware vCenter Server 7.0.0u2 in March 2021.
A critical vulnerability in the VMware EAP, tracked as CVE-2024-22245, could allow a remote attacker to perform an arbitrary authentication relay attack by tricking a user with the plugin installed into visiting a malicious website, according to Ceri Coburn of Pen Test Partners, who discovered the flaws.
Another, high-severity vulnerability, tracked as CVE-2024-22250, could allow a local user to hijack the vCenter sessions of other users with access to the same system. This is because the VMware EAP log file containing session IDs is stored in the ProgramData folder, where any local user can read it, Coburn explained in a blog post published Wednesday.
VMware received the initial vulnerability report from Coburn on Oct. 17, 2023, and confirmed the problem on Dec. 1 after weeks of back-and-forth communication, according to the post. The advisory was published by VMware on Feb. 20, 2024.
VMware EAP enables attackers to request Kerberos tickets
The arbitrary authentication relay bug CVE-2024-22245, which has a CVSS score of 9.6, allows attackers to communicate with the VMware EAP using WebSocket commands on a malicious website, and request arbitrary Kerberos tickets on behalf of a victim, Coburn explained.
These tickets can be requested for any Active Directory Service Principal Name (SPN), allowing the attacker to access any service within the victim’s Active Directory network.
When a victim visits a malicious website (for example, by clicking a link in a phishing email) and a ticket request is made, the browser will notify the user that the website is attempting to communicate with the VMware EAP. The ticket is relayed if the user clicks the popup option to allow access.
The session hijack bug CVE-2024-22250, which has a CVSS score of 7.8, requires the attacker to have local access to the target system. In this case, the attacker can utilize a script to automatically scan the VMware log file in the ProgramData folder for session IDs and wait for a session to be initiated.
Once a new session ID is obtained, the attacker can request an arbitrary Kerberos service ticket using the same WebSocket commands as in the first case, Coburn wrote.
Neither vulnerability is believed to have been exploited in the wild, VMware said in a FAQ regarding its advisory.
No patch available for VMware plugin vulnerabilities, uninstall required
VMware provided instructions for users to uninstall the VMware EAP, which requires the removal of two components – the in-browser plugin itself and the Windows service “VMware Plug-in Service.”
Users can uninstall the vulnerable features from the Windows Control Panel, in the original program installers, or by running PowerShell commands. VMware also provides instructions for disabling the Windows service if it’s not possible to uninstall, and for firewalling traffic from the plugin if no other options are available.
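As an added, defender-side example (not VMware's own KB commands), the following PowerShell script reports whether the two EAP components are present on a workstation and, when run with -Remediate, stops and disables the service and then uninstalls the plugin. It assumes the installed product's DisplayName begins with "VMware Enhanced Authentication Plug-in" and that the service's display name is "VMware Plug-in Service", as named in the advisory; adjust the patterns if your build differs.

```powershell
# Added example (not VMware's KB script): inventory and, with -Remediate, remove the
# deprecated VMware Enhanced Authentication Plug-in from a Windows workstation.
# Assumptions: the product's DisplayName begins with "VMware Enhanced Authentication
# Plug-in" and the service's display name is "VMware Plug-in Service" (as named in
# the advisory). Run from an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)   # without the switch the script only reports

$productPattern = 'VMware Enhanced Authentication Plug-in*'
$serviceDisplay = 'VMware Plug-in Service'

# 1. Find the in-browser plugin via the Uninstall registry keys (64- and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$plugin = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $productPattern }

# 2. Find the companion Windows service by its display name.
$service = Get-Service -DisplayName $serviceDisplay -ErrorAction SilentlyContinue

if (-not $plugin -and -not $service) { Write-Output 'EAP not found: nothing to do.'; return }

foreach ($p in $plugin)  { Write-Output "Found plugin: $($p.DisplayName) $($p.DisplayVersion)" }
foreach ($s in $service) { Write-Output "Found service: $($s.Name) [$($s.Status)]" }

if (-not $Remediate) { Write-Output 'Re-run with -Remediate to disable the service and uninstall.'; return }

# 3. Stop and disable the service first: this is the advisory's fallback when the MSI
#    cannot be removed, and it keeps the service from answering plugin requests meanwhile.
foreach ($s in $service) {
    Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $s.Name -StartupType Disabled
}

# 4. Uninstall each matching MSI product silently by its ProductCode (the registry key name).
foreach ($p in $plugin) {
    if ($p.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        Start-Process msiexec.exe -ArgumentList "/x $($p.PSChildName) /qn /norestart" -Wait
    } else {
        Write-Warning "Non-MSI entry for $($p.DisplayName): run its UninstallString manually."
    }
}
```

Without -Remediate the script is read-only, so it can be run fleet-wide first to size the exposure before any removal is pushed.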
A link to install VMware EAP is still present on the vSphere Client login page but is planned to be removed in a future update, according to the VMware FAQ.
Despite being deprecated in 2021, the VMware EAP remains the only option for SSO authentication for vSphere 7, which will remain supported until April 2025.
The latest platform version, vSphere 8, offers additional authentication methods, including via the Lightweight Directory Access Protocol over SSL (LDAPS), Microsoft Active Directory Federation Services (ADFS), Okta and Microsoft Entra ID (formerly Azure AD), according to VMware.
Users do not need to patch VMware vCenter Server, VMware ESXi or VMware Cloud Foundation to protect against CVE-2024-22245 or CVE-2024-22250.
Penetration tester criticizes VMware’s disclosure timeline
In his blog post, Coburn described the disclosure process with VMware as “somewhat cumbersome” and expressed frustration due to the length of time between his initial report, VMware’s confirmation of the problem, and the publication of the security advisory.
“There was a circa six weeks delay from the time of disclosure before VMware confirmed that there was a problem even though the initial disclosure emails contained simple POC’s for both issues. In some cases, a basic understanding of risks around requesting arbitrary SPN’s seem to be missing altogether,” Coburn wrote.
He continued, “It’s also frustrating that VMware took 126 days to essentially publish a no fix disclosure. This could have been disclosed a lot sooner.”
Coburn also said he was “somewhat disappointed” with the lack of a patch for VMware EAP, as users of vSphere 7 will either lose the ability to utilize SSO-based authentication or be forced to upgrade to vSphere 8.
SC Media reached out to Broadcom, which owns VMware, with questions about the disclosure timeline and decision not to patch, and did not receive a response.
Earlier this year, another VMware vulnerability, tracked as CVE-2023-34048, was confirmed to have been under active exploitation by the Chinese state-sponsored cyberespionage group UNC3886 since 2021.
The threat actor used the critical out-of-bounds vulnerability to obtain vCenter system privileges, enumerate ESXi hosts and virtual machines and deploy VIRTUALPIE and VIRTUALPITA malware, according to Mandiant.
Last week, Trellix researchers also revealed that a new ransomware tool called “MrAgent” was being used by the ransomware-as-a-service (RaaS) operator RansomHouse Group to target VMware ESXi hypervisors.