Security Alert: VMware vSphere Plug-in Exposes Critical Vulnerability Allowing Session Hijacking
On Tuesday, VMware issued a security advisory urging customers to uninstall the VMware Enhanced Authentication Plug-in (EAP) promptly, citing one critical and one high-severity vulnerability.
VMware vSphere, a widely deployed virtualization platform used to build private and hybrid cloud infrastructure, is affected through the VMware Enhanced Authentication Plug-in (EAP), an optional component installed on Windows administrative workstations. The critical flaw in EAP requires prompt attention from administrators.
Ceri Coburn of Pen Test Partners, who discovered the vulnerabilities, has revealed that a critical flaw in the VMware EAP, designated CVE-2024-22245, poses a significant risk. It allows a remote attacker to relay the victim's Kerberos authentication by luring a user who has the plug-in installed to a malicious website.
A second, high-severity vulnerability, tracked as CVE-2024-22250, could allow a local user to hijack the vCenter sessions of other users of the same system. The cause is that the EAP log file containing session IDs is written to the ProgramData folder, where it is readable by any local user, Coburn explained in a blog post published Wednesday.
The flaws in the VMware Enhanced Authentication Plug-in (EAP) operate as follows:
The arbitrary authentication relay bug CVE-2024-22245, which has a CVSS score of 9.6, allows an attacker to send WebSocket commands to the VMware EAP from a malicious web page and request arbitrary Kerberos tickets on behalf of the victim, Coburn explained.
These tickets can be requested for any Active Directory Service Principal Name (SPN), so the attacker can authenticate to any service in the victim's Active Directory domain as the victim. The attacker inherits the victim's privileges; if the victim is a vSphere or domain administrator, that is effectively the whole environment.
When a victim visits a malicious website (for example, by clicking a link in a phishing email) and a ticket request is made, the browser will notify the user that the website is attempting to communicate with the VMware EAP. The ticket is relayed if the user clicks the popup option to allow access.
The session hijack bug CVE-2024-22250, which has a CVSS score of 7.8, requires the attacker to already have local access to the target system. The attacker can use a script that repeatedly scans the EAP log file in the ProgramData folder for session IDs and waits for another user to start a session.
Once a new session ID is obtained, the attacker can request an arbitrary Kerberos service ticket using the same WebSocket commands as in the first case, Coburn wrote.
Neither vulnerability is believed to have been exploited in the wild, VMware said in a FAQ regarding its advisory.
Remove Vulnerable Plug-in Now!!!
VMware has responded not by patching EAP, which it deprecated in March 2021 with the release of vCenter Server 7.0 Update 2, but by publishing step-by-step removal instructions in an article on its website.
Although VMware says there is no evidence of exploitation so far, threat actors have historically pounced on VMware flaws because a compromised virtualization layer gives access to a large share of an enterprise's systems and data. For instance, a previously disclosed VMware ESXi hypervisor flaw was exploited at scale for years after a patch was available. Removing EAP as soon as possible is therefore crucial, VMware and security researchers alike said.
Pen Test Partners deemed the decision to forgo a patch "unfortunate," as the vSphere 7 product line that uses the plug-in remains supported until April 2025. The good news for VMware customers is that EAP is not installed by default, nor is it included in VMware's vCenter Server, ESXi, or Cloud Foundation products. Administrators have to install EAP manually on the Windows workstations used for administrative tasks to enable direct (Windows session) login to the vSphere Client in a web browser, according to Vulnera. The exposure is therefore limited to those workstations, which are also the highest-value targets.
VMware has instructed customers using EAP to remove both components that make up the plug-in: the in-browser plug-in/client "VMware Enhanced Authentication Plug-in 6.7.0" and the Windows service "VMware Plug-in Service". If uninstalling is not possible, administrators can instead stop the Windows service and set its startup type to disabled.
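The following PowerShell script is an added example, not VMware's or Pen Test Partners' code, that carries out the two-part removal described above on a Windows administrative workstation: it locates the EAP Windows service and installed package, reports what it finds, stops and disables the service (VMware's fallback mitigation), and optionally uninstalls the package. The display-name patterns and the registry Uninstall paths are assumptions that may need adjusting for a given EAP version; run it elevated, and run it with -WhatIf first to audit without changing anything.

```powershell
# Added example (not VMware's or Pen Test Partners' code): audit a Windows admin
# workstation for the deprecated VMware Enhanced Authentication Plug-in (EAP)
# and remove it in the two parts VMware describes: the browser plug-in/client
# package and the "VMware Plug-in Service" Windows service.
# ASSUMPTIONS: the display-name patterns below are wildcard matches because the
# exact service name and MSI product code vary by version. Run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$PluginDisplayName  = 'VMware Enhanced Authentication Plug-in*',
    [string]$ServiceDisplayName = 'VMware Plug-in Service*',
    # By default only stop/disable the service (VMware's fallback when the
    # package cannot be uninstalled); pass -Uninstall to also remove the package.
    [switch]$Uninstall
)

$ErrorActionPreference = 'Stop'

# 1. Find the Windows service by display name (the internal name may differ).
$services = Get-Service | Where-Object { $_.DisplayName -like $ServiceDisplayName }

# 2. Find the installed package via the per-machine Uninstall registry keys
#    (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$packages = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $PluginDisplayName }

if (-not $services -and -not $packages) {
    Write-Output 'EAP not found: no matching service or installed package.'
    return
}

# 3. Report findings first, so a -WhatIf run still yields an inventory.
foreach ($s in $services) {
    Write-Output ("Found service '{0}' (Name={1}, Status={2}, StartType={3})" -f
        $s.DisplayName, $s.Name, $s.Status, $s.StartType)
}
foreach ($p in $packages) {
    Write-Output ("Found package '{0}' version {1}" -f $p.DisplayName, $p.DisplayVersion)
}

# 4. Stop and disable the service. Stopping it now matters: a disabled startup
#    type alone leaves the current instance running until the next reboot.
foreach ($s in $services) {
    if ($PSCmdlet.ShouldProcess($s.Name, 'Stop and disable service')) {
        if ($s.Status -ne 'Stopped') { Stop-Service -Name $s.Name -Force }
        Set-Service -Name $s.Name -StartupType Disabled
    }
}

# 5. Optionally uninstall the package. Prefer msiexec with the MSI product code
#    (the registry key name) when present; otherwise use the recorded UninstallString.
if ($Uninstall) {
    foreach ($p in $packages) {
        if ($PSCmdlet.ShouldProcess($p.DisplayName, 'Uninstall')) {
            if ($p.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
                Start-Process -FilePath 'msiexec.exe' -Wait -NoNewWindow `
                    -ArgumentList "/x $($p.PSChildName) /qn /norestart"
            } elseif ($p.UninstallString) {
                # Non-MSI installer: run the vendor-recorded uninstall command as-is.
                Start-Process -FilePath 'cmd.exe' -Wait -NoNewWindow `
                    -ArgumentList "/c $($p.UninstallString)"
            } else {
                Write-Warning "No uninstall method recorded for '$($p.DisplayName)'"
            }
        }
    }
}

# 6. Re-check so the run ends with a verifiable state rather than a hope.
$stillRunning = Get-Service |
    Where-Object { $_.DisplayName -like $ServiceDisplayName -and $_.Status -eq 'Running' }
if ($stillRunning) {
    Write-Warning 'EAP service is still running; investigate before considering this host mitigated.'
} else {
    Write-Output 'EAP service is not running.'
}
```

Usage: `.\Remove-VMwareEAP.ps1 -WhatIf` to inventory, `.\Remove-VMwareEAP.ps1` to stop and disable the service, and `.\Remove-VMwareEAP.ps1 -Uninstall` to also remove the package. The script is deliberately limited to the two components VMware names; it does not touch the ProgramData log file, whose exact path VMware's guidance does not publish, so check for and clean up leftover EAP log files separately once the package is gone.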
Key Points:
- Urgent Action: Administrators should remove the deprecated EAP plug-in and its Windows service from the Windows workstations used for vSphere administration; the plug-in is not part of vCenter Server or ESXi itself.
- Responsible Disclosure: The vulnerabilities were discovered and responsibly disclosed by Ceri Coburn at Pen Test Partners.
- VMware's Response: VMware rated the issues critical (CVSS 9.6) and high (CVSS 7.8) and released a security advisory recommending removal rather than a patch.