CVE-2024-22245 - VMware Alert: Uninstall EAP Now

CVE-2024-22245 – VMware Alert: Uninstall EAP Now – Critical Flaw Puts AD at Risk – No patching

CVE-2024-22245 presents a critical vulnerability affecting VMware’s Enhanced Authentication Plugin (EAP), which is now deprecated. This vulnerability poses a significant risk by allowing a malicious attacker to deceive a domain user with EAP installed in their web browser into requesting and relaying Kerberos service tickets for arbitrary Active Directory Service Principal Names (SPNs). This could lead to a privileged session hijack within the EAP environment.

It is crucial to note that VMware announced the discontinuation of EAP nearly three years ago, in March 2021, with the release of vCenter Server 7.0 Update 2. As a security measure, VMware urges administrators to remove the EAP plugin from their systems and adopt alternative integrated authentication methods to ensure protection against potential vulnerability exploits.

Critical Vulnerabilities CVE-2024-22245 and CVE-2024-22250 Pose Ongoing Threats in Deprecated EAP


The deprecation of EAP (Enhanced Authentication Plugin) with the introduction of vCenter Server 7.0 Update 2 in March 2021 was intended to strengthen security in Windows domain environments. However, its retirement hasn’t ended the concerns, as two unpatched vulnerabilities, CVE-2024-22245 and CVE-2024-22250, continue to pose significant security risks.

CVE-2024-22245: Authentication Relay Exposure

With a CVSSv3 base score of 9.6, CVE-2024-22245 exposes systems to authentication relay attacks. In this scenario, attackers can manipulate domain users into relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). This deceptive method allows unauthorized access to privileged sessions within the EAP, opening the door to further malicious activity.

CVE-2024-22250: Session Hijack Vulnerability

Rated at a CVSSv3 score of 7.8, CVE-2024-22250 presents a session hijack risk. Exploitable with local access to a Windows system, this vulnerability enables an attacker to hijack privileged sessions within the EAP. With this access, malicious actors can compromise the integrity and confidentiality of sensitive information.

The persistence of these vulnerabilities emphasizes the critical need for remediation measures, even in deprecated systems. Organizations are strongly advised to stay informed about security updates and follow best practices to mitigate these risks effectively. Regular monitoring and timely patching remain imperative to ensure a robust security posture.

No Patch Available for CVE-2024-22245 in Deprecated VMware Plugin (EAP)

Unfortunately, there is no patch available for CVE-2024-22245, because the affected VMware plugin is deprecated.

The recommended solution is to uninstall the EAP plugin from affected systems and transition to alternative authentication methods.

VMware has provided a detailed guide on how to perform this removal for administrators. For additional information and specific steps, you can refer to VMware’s security advisory.

Uninstalling the EAP Plugin – Step-by-Step Guide

To uninstall the EAP plugin, you can follow these steps:

  1. Open the Control Panel on your system.
  2. Search for the installed application.
  3. Locate “VMware Enhanced Authentication Plug-in 6.7.0” and “VMware Plug-in Service.”
  4. Right-click on each application and select Uninstall.
  5. Restart your computer and verify complete removal.

Additionally, you have the option to use PowerShell for remote detection and removal of the EAP plugin. This method can be especially useful for managing multiple systems.

These measures are crucial to ensuring the security of your environment in light of the CVE-2024-22245 vulnerability.

Checking for CVE-2024-22245 Vulnerability – Step-by-Step Guide

To determine if your system is affected by CVE-2024-22245, you can use one of the following options:

  1. Microsoft Security Update Guide:
    • Check the Microsoft Security Update Guide, which provides a comprehensive list of affected products and versions for this vulnerability, along with available security updates.
  2. CVE-2024-20666 Detection Tool:
    • Use the CVE-2024-20666 Detection Tool, designed to identify whether the EAP plugin is installed on the system and vulnerable to CVE-2024-20666 (a vulnerability related to CVE-2024-22245).
  3. PowerShell Command:
    • Run the following PowerShell command, which displays whether the EAP plugin is installed and, if so, its version:

      Get-WmiObject -Namespace root\cimv2 -Class Win32_Product | Where-Object {$_.Name -like "*VMware Enhanced Authentication Plug-in*"}

If the EAP plugin is detected, it is strongly recommended to uninstall it promptly and switch to other integrated authentication methods provided by VMware.
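The remote detection and removal mentioned in the uninstall guide above, and the detection check just listed, can be combined in one script. The following is an added example written for this page, not VMware's own tooling; it assumes WinRM is enabled on the targets, that the caller is a local administrator on each, and that the product names match those the advisory lists.

```powershell
# Added example (not from VMware's advisory): detect and optionally remove the
# EAP plugin on a list of hosts. Assumptions: WinRM enabled, caller is a local
# admin on every target, product names match the ones the advisory lists.
param(
    [string[]]$ComputerName = @('localhost'),   # constructed sample target list
    [switch]$Remove
)

$patterns = @('VMware Enhanced Authentication Plug-in*', 'VMware Plug-in Service*')

$scan = {
    param($patterns)
    # Read the per-machine Uninstall keys (64- and 32-bit views). This avoids
    # Win32_Product, which triggers an MSI consistency check of every product.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $name = $_.DisplayName; $patterns | Where-Object { $name -like $_ } } |
        ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                UninstallString = $_.UninstallString
            }
        }
}

# Inventory first, so the result can be reviewed before anything is removed.
$found = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan -ArgumentList (,$patterns)
$found | Format-Table Computer, DisplayName, DisplayVersion -AutoSize

if ($Remove -and $found) {
    $uninstall = {
        param($entry)
        # MSI-based products carry a ProductCode GUID in UninstallString; remove quietly.
        if ($entry.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
            Start-Process msiexec.exe -ArgumentList "/x $($Matches[0]) /qn /norestart" -Wait
        } else {
            Write-Warning "$($entry.DisplayName): non-MSI uninstall string, remove manually: $($entry.UninstallString)"
        }
    }
    foreach ($entry in $found) {
        Invoke-Command -ComputerName $entry.Computer -ScriptBlock $uninstall -ArgumentList $entry
    }
}
```

Run it once without -Remove to get the inventory, then with -Remove to uninstall; a follow-up run should return no rows, confirming removal before the reboot recommended in step 5.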
