February 20, 2024 at 04:05PM
VMware is warning administrators to remove a deprecated authentication plugin whose security vulnerabilities let attackers hijack privileged sessions and relay Kerberos tickets. To address the flaws, uninstall the plugin and stop its associated Windows service using PowerShell commands. The company said there is no evidence of exploitation and advises using other authentication methods to enhance security.
Key takeaways:
1. VMware urged administrators to remove a discontinued authentication plugin due to security vulnerabilities. These vulnerabilities can lead to relay attacks and session hijacking in Windows domain environments.
2. The vulnerable VMware Enhanced Authentication Plug-in (EAP) was deprecated nearly three years ago, and two security flaws, CVE-2024-22245 and CVE-2024-22250, were recently patched.
3. Malicious actors could exploit these vulnerabilities to trick domain users into relaying service tickets or hijack privileged EAP sessions.
4. To secure vulnerable systems, administrators need to remove both the in-browser plugin/client and the associated Windows service using specific PowerShell commands.
5. The deprecated VMware EAP is not installed by default; it has to be installed manually on Windows workstations for administration tasks. Administrators are advised to use alternative authentication methods provided by VMware.
6. Finally, VMware also addressed a critical vCenter Server remote code execution vulnerability (CVE-2023-34048), which had been actively exploited by a Chinese cyber espionage group.
Administrators are strongly urged to take action to remove the deprecated VMware EAP and address the security flaws to safeguard their systems.
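One way to carry out item 4 on a Windows workstation, as an added example that is not VMware's script or part of the original article: it audits for the plug-in and its service, and removes them only when run elevated with `-Remove`. The product display-name prefixes and the service name `CipMsgProxyService` are assumptions to confirm against VMware's removal guidance.

```powershell
# Added example, not VMware's script. The display-name prefixes and the service
# name below are assumptions taken to match VMware's removal guidance; confirm
# them against the vendor KB before use.
param([switch]$Remove)   # audit only unless -Remove is passed

$productPrefixes = 'VMware Enhanced Authentication Plug-in', 'VMware Plug-in Service'
$serviceName     = 'CipMsgProxyService'

# Read the uninstall registry keys (64- and 32-bit views) instead of querying
# Win32_Product, which triggers an MSI consistency check on every package.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($productPrefixes | Where-Object { $name.StartsWith($_) })
    }

$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

foreach ($p in $installed) {
    Write-Output ("FOUND product: {0} {1}" -f $p.DisplayName, $p.DisplayVersion)
}
if ($service) {
    Write-Output ("FOUND service: {0} (Status={1}, StartType={2})" -f $service.Name, $service.Status, $service.StartType)
}
if (-not $installed -and -not $service) {
    Write-Output 'EAP not detected on this host.'
    return
}
if (-not $Remove) { Write-Output 'Audit only. Re-run elevated with -Remove to uninstall.'; return }

# Stop and disable the service first so nothing is listening during removal.
if ($service) {
    Stop-Service -Name $serviceName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $serviceName -StartupType Disabled
}

foreach ($p in $installed) {
    # PSChildName is the MSI product code ({GUID}) for MSI-installed packages.
    if ($p.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $proc = Start-Process msiexec.exe -ArgumentList "/x $($p.PSChildName) /qn /norestart" -Wait -PassThru
        Write-Output ("Uninstall {0}: msiexec exit code {1}" -f $p.DisplayName, $proc.ExitCode)
    } else {
        Write-Output ("Skipped {0}: not an MSI entry, remove manually." -f $p.DisplayName)
    }
}
```

Running it without `-Remove` across admin workstations gives an inventory of where EAP is still present before any change is made.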