VMware has found a serious security vulnerability and is advising customers to remove the outdated Enhanced Authentication Plugin (EAP).
The vulnerability, identified as CVE-2024-22245 (with a CVSS score of 9.6), is characterized as an arbitrary authentication relay problem.
"A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)," the business stated in an advisory.
EAP is a software package that was deprecated in March 2021 and was intended to enable web browser-based direct access to vSphere's administrative interfaces and tools. It's not part of Cloud Foundation, ESXi, or vCenter Server, and it's not included by default.
A session hijack vulnerability (CVE-2024-22250, CVSS score: 7.8) was also found in the same plugin; it potentially allows a hostile actor with unprivileged local access to a Windows operating system to take control of a privileged EAP session.
Both vulnerabilities were found and reported by Pen Test Partners' Ceri Coburn.
It's important to note that this exposure only affects users who have installed EAP on Microsoft Windows PCs and connect to VMware vSphere through the vSphere Client.
The business, which is owned by Broadcom, stated that it would not fix the vulnerabilities and advised users to uninstall the plugin completely to lessen any possible risks.
"The Enhanced Authentication Plugin can be removed from client systems using the client operating system's method of uninstalling software," it stated.
The revelation coincides with the discovery by SonarSource of several cross-site scripting (XSS) vulnerabilities affecting the Joomla! content management system (CVE-2024-21726). They have been fixed in versions 4.4.3 and 5.0.3.
Joomla! stated in its advisory that "inadequate content filtering leads to XSS vulnerabilities in various components," classifying the bug's severity as moderate.
Security researcher Stefan Schiller stated that by deceiving an administrator into clicking on a malicious link, attackers can use the vulnerability to obtain remote code execution. At this time, more technical details regarding the vulnerability are not being disclosed.
In related news, Salesforce's Apex programming language, which is used to create business apps, has several high- and critical-severity vulnerabilities and misconfigurations.
The root of the issue is the ability to run Apex code in "without sharing" mode, which disregards the running user's record-level permissions; combined with specially prepared input, this allowed malicious actors to read or exfiltrate data or even change the execution flow.
Nitay Bachrach, a security researcher at Varonis, stated that "if exploited, the vulnerabilities can lead to data leakage, data corruption, and damage to business functions in Salesforce."
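To illustrate the "without sharing" pattern described above, here is an added example (not code from the Varonis research or from Salesforce) contrasting a weak Apex class with a hardened one; the class and method names, and the `Account` fields used, are assumptions chosen for the illustration.

```apex
// Weak pattern (assumed example): the class is declared "without sharing", so
// the SOQL query ignores the running user's record-level access, and the WHERE
// clause is built by string concatenation from caller-controlled input, so a
// crafted value can alter the query and widen what is returned.
public without sharing class AccountLookupWeak {
    public static List<Account> find(String name) {
        String q = 'SELECT Id, Name, AnnualRevenue FROM Account '
                 + 'WHERE Name = \'' + name + '\'';
        return Database.query(q);
    }
}

// Hardened pattern (assumed example): "with sharing" enforces the user's
// record-level access, the bind variable keeps input out of the query text,
// WITH SECURITY_ENFORCED enforces object- and field-level permissions, and
// stripInaccessible removes any field the user may not read before the
// records leave the method.
public with sharing class AccountLookupSafe {
    public static List<Account> find(String name) {
        List<Account> rows = [SELECT Id, Name, AnnualRevenue FROM Account
                              WHERE Name = :name
                              WITH SECURITY_ENFORCED];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Account>) decision.getRecords();
    }
}
```

When reviewing an org, a search for `without sharing` classes whose methods accept external input (for example, those marked `@AuraEnabled` or `webservice`) is a practical starting point for locating code that needs this treatment.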