VMware Urges Immediate Action Over Critical EAP Vulnerabilities
VMware has issued an urgent advisory telling users to remove the deprecated Enhanced Authentication Plugin (EAP) following the disclosure of a severe security vulnerability. Tracked as CVE-2024-22245, this flaw has been assigned a CVSS score of 9.6 and is classified as an arbitrary authentication relay vulnerability.
According to VMware, a malicious actor could exploit this vulnerability by deceiving a targeted user with the EAP installed in their web browser into requesting and forwarding service tickets for arbitrary Active Directory Service Principal Names (SPNs). This presents a significant security risk, particularly for organizations that utilize EAP to facilitate direct login to vSphere’s management interfaces through web browsers.
First deprecated in March 2021, EAP is not a standard component of vCenter Server, ESXi, or Cloud Foundation, meaning that its installation is an optional action for users seeking to connect to VMware vSphere through the vSphere Client on Microsoft Windows systems. The recent discovery of a separate session hijack vulnerability, categorized as CVE-2024-22250 with a CVSS score of 7.8, further complicates matters by enabling local, unprivileged users to hijack a privileged EAP session if they gain access to a Windows operating system.
The vulnerabilities were brought to light by Ceri Coburn from Pen Test Partners on October 17, 2023. VMware has not clarified why it delayed its recommendation for users to uninstall the plugin, raising concerns within the cybersecurity community. The ramifications of these vulnerabilities are primarily restricted to those who have integrated EAP into their systems.
In light of these security issues, VMware has confirmed that it will not release any patches to address the vulnerabilities. Instead, the company recommends that users remove the plugin entirely to mitigate the risk, noting that it can be uninstalled with the standard software removal methods available on the client’s operating system.
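Because VMware's guidance is removal rather than patching, the practical first step for an administrator is to find out which Windows workstations actually have EAP installed. The following PowerShell script is an added example written for this page; it is not VMware's code and VMware's advisory does not ship any script. It assumes that EAP, like other MSI-installed software, registers an entry under the standard Uninstall registry keys with a DisplayName containing "Enhanced Authentication", and that its companion Windows service has "VMware" and "Plug-in" in its display name; both name patterns are assumptions and may need adjusting for a given plugin version.

```powershell
# Added example (not from VMware's advisory): inventory a Windows host for the
# deprecated Enhanced Authentication Plugin (EAP) so the "remove the plugin"
# guidance can be applied where it is actually needed.
# Assumptions (labelled): EAP appears in the standard Uninstall registry keys
# with a DisplayName containing "Enhanced Authentication"; the service display
# name pattern below is also an assumption and may differ by version.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Return every uninstall entry whose display name looks like the EAP plugin.
function Find-EapInstall {
    $found = foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Enhanced Authentication*' } |
            Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
    }
    return $found
}

# Return services whose display name matches the assumed EAP service pattern;
# a running service after uninstall indicates the removal did not complete.
function Find-EapService {
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*VMware*Plug-in*' }
}

$installs = Find-EapInstall
if ($installs) {
    Write-Output "EAP uninstall entries found on $env:COMPUTERNAME:"
    $installs | Format-Table -AutoSize
    Write-Output "Remove the plugin through Settings > Apps (or the UninstallString above), as VMware recommends."
} else {
    Write-Output "No EAP uninstall entry found on $env:COMPUTERNAME."
}

$services = Find-EapService
if ($services) {
    Write-Output "Matching services (should be absent after removal):"
    $services | Format-Table Name, DisplayName, Status -AutoSize
}
```

Run it with the account that installed the plugin (EAP can be installed per-user, hence the HKCU key) or push it through your endpoint management tool to build a fleet-wide list; an empty result on both checks is the state VMware's advisory asks for.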
In a related cybersecurity alert, multiple cross-site scripting vulnerabilities (CVE-2024-21726) have been identified within the Joomla! content management system. Joomla reported that inadequate content filtering leads to these vulnerabilities, which are assessed as moderate in severity. Attackers can exploit these flaws to gain remote code execution by inducing an administrator to click a malicious link.
Moreover, vulnerabilities have also been discovered in Salesforce’s Apex programming language, enabling unauthorized code execution by allowing misuse of the “without sharing” mode, which disregards user permissions. This could allow malicious actors to access sensitive data, instigate data leaks, and disrupt business operations.
For organizations using VMware products or Joomla!, immediate action is paramount to safeguard against these threats. As cybersecurity incidents continue to evolve, adherence to best practices and diligent monitoring of vulnerabilities must remain a priority for business owners committed to protecting their digital assets. Understanding the relevant MITRE ATT&CK tactics, including privilege escalation and initial access, can help in bolstering defenses against such vulnerabilities.
As the landscape of cybersecurity threats continuously shifts, organizations must remain vigilant and proactive in their efforts to address vulnerabilities and enhance their security postures.