February 21, 2024 at 10:41AM
VMware has urged network administrators to remove an out-of-date plug-in for its VSphere due to two critical flaws — CVE-2024-22245 and CVE-2024-22250. These vulnerabilities allow attackers to hijack cloud computing sessions. The company has released a security advisory with instructions on removal, as the plug-in is no longer supported. VMware recommended safer alternatives for authentication methods.
Key takeaways from the meeting notes:
– VMware has issued a security advisory to urge network administrators to remove an out-of-date plug-in for its vSphere due to two critical flaws, CVE-2024-22245 and CVE-2024-22250.
– The flaws in the VMware Enhanced Authentication Plug-in (EAP) can allow threat actors with access to a Windows client system to hijack cloud computing sessions.
– CVE-2024-22245 is an arbitrary authentication relay vulnerability, while CVE-2024-22250 is a session-hijack flaw.
– The vulnerabilities were discovered by Ceri Coburn at Pen Test Partners and were responsibly disclosed on Oct. 17.
– VMware has not provided a reason for the delay in releasing a vulnerability advisory and mitigation.
– VMware has ceased patching EAP and is providing instructions for administrators to remove the vulnerable plug-in.
– Pen Test Partners criticized the decision to forgo patching, citing the continued support for the vSphere 7 product line until April 2025.
– VMware has offered safer alternatives to using EAP, including VMware vSphere 8 authentication methods such as Active Directory over LDAPS, Microsoft ADFS, Okta, and Microsoft Entra ID.
Let me know if you need further information or any other assistance.