VMware has urged administrators to remove the deprecated VMware Enhanced Authentication Plug-in (EAP), because in Windows domain environments it is exposed to authentication relay attacks and session hijacking through two unpatched vulnerabilities.
EAP provides seamless login to vSphere management interfaces through Integrated Windows Authentication and Windows-based smart card functionality. VMware announced the end of EAP support almost three years ago, in March 2021, with the release of vCenter Server 7.0 Update 2.
As the company now warns, vulnerabilities
“An attacker can deceive a targeted domain user with EAP installed in the browser to request and transmit service tickets for arbitrary Active Directory Service Principal Names (SPN),” explains VMware. “Also, an attacker with unprivileged local access to the Windows operating system can intercept a privileged EAP session initiated by a privileged domain user on the same system.”
There is some good news: the deprecated VMware EAP is not installed by default and is not part of VMware vCenter Server, ESXi, or Cloud Foundation. However, administrators are often required to install EAP manually.
To address CVE-2024-22245 and CVE-2024-22250, you need to remove both the browser plugin/client (VMware Enhanced Authentication Plug-in 6.7.0) and the Windows service (VMware Plug-in Service). Both can be removed or disabled with a series of PowerShell commands, as described in these instructions.
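The following is an added example, not VMware's own removal script: it inventories the two components named above on a Windows host and, with `-Remove`, uninstalls the plug-in and disables the service. The product name prefix and the service display name are taken from the advisory; the registry uninstall-key locations and the silent `msiexec` removal are standard MSI conventions assumed here.

```powershell
# Added example (not VMware's KB script): find and optionally remove the
# deprecated EAP components. Run in an elevated PowerShell session.
param([switch]$Remove)

$ProductPrefix      = 'VMware Enhanced Authentication Plug-in'   # from the advisory
$ServiceDisplayName = 'VMware Plug-in Service'                   # from the advisory

# MSI uninstall entries live under these two keys (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$plugins  = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like "$ProductPrefix*" }
$services = Get-Service -DisplayName "$ServiceDisplayName*" -ErrorAction SilentlyContinue

if (-not $plugins -and -not $services) {
    Write-Output 'EAP plug-in and VMware Plug-in Service not found; nothing to do.'
    return
}

foreach ($p in $plugins) {
    Write-Output ("Found plug-in: {0} {1}" -f $p.DisplayName, $p.DisplayVersion)
    # PSChildName is the registry key name; for MSI entries it is the product code GUID.
    if ($Remove -and $p.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
        Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList "/x $($p.PSChildName) /qn /norestart" -Wait
    }
}

foreach ($s in $services) {
    Write-Output ("Found service: {0} ({1}, {2})" -f $s.DisplayName, $s.Name, $s.Status)
    if ($Remove) {
        # Stop the service and keep it from starting again even if its binary remains.
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
    }
}
```

Running the script without `-Remove` only reports what is present, which is useful for auditing a fleet before removal.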
As an alternative to the vulnerable and outdated plugin, VMware recommends using other authentication methods, including Active Directory via LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID (formerly Azure AD).