VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

Cyber Security

Feb 21, 2024NewsroomActive Directory / Vulnerability

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw.

Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug.

“A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs),” the company said in an advisory.

EAP, deprecated as of March 2021, is a software package that’s designed to allow direct login to vSphere’s management interfaces and tools through a web browser. It’s not included by default and is not part of vCenter Server, ESXi, or Cloud Foundation.

Also discovered in the same tool is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) that could permit a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EAP session.

Ceri Coburn from Pen Test Partners has been credited with discovering and reporting the twin vulnerabilities.

It’s worth pointing out that the shortcoming only impacts users who have added EAP to Microsoft Windows systems to connect to VMware vSphere via the vSphere Client.

The Broadcom-owned company said the vulnerabilities will not be addressed, instead recommending users to remove the plugin altogether to mitigate potential threats.

“The Enhanced Authentication Plugin can be removed from client systems using the client operating system’s method of uninstalling software,” it added.

The disclosure comes as SonarSource disclosed multiple cross-site scripting (XSS) flaws (CVE-2024-21726) impacting the Joomla! content management system. It has been addressed in versions 5.0.3 and 4.4.3.

“Inadequate content filtering leads to XSS vulnerabilities in various components,” Joomla! said in its own advisory, assessing the bug as moderate in severity.

“Attackers can leverage the issue to gain remote code execution by tricking an administrator into clicking on a malicious link,” security researcher Stefan Schiller said. Additional technical specifics about the flaw have been currently withheld.

In a related development, several high- and critical-severity vulnerabilities and misconfigurations have been identified in the Apex programming language developed by Salesforce to build business applications.

At the heart of the problem is the ability to run Apex code in “without sharing” mode, which ignores a user’s permissions, thereby allowing malicious actors to read or exfiltrate data, and even provide specially crafted input to alter execution flow.

“If exploited, the vulnerabilities can lead to data leakage, data corruption, and damage to business functions in Salesforce,” Varonix security researcher Nitay Bachrach said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.