VMware customers advised to ditch discontinued product due to critical vulnerabilities

The VMware logo pictured at Mobile World Congress in March 2023
(Image credit: Getty Images)

Customers are being advised to remove a discontinued VMware product owing to two critical vulnerabilities which exposes users to certain types of attack. 

VMware revealed that arbitrary authentication relay and session hijack vulnerabilities had been reported in relation to its VMware Enhanced Authentication Plug-in (EAP) tool. 

Customers typically install this tool on clients computers for administration purposes, allowing for direct login when using the VMware vSphere Client through a web browser. 

These vulnerabilities, though, could leave the system open to exploitation, allowing threat actors to gain access to the vSphere client without proper authentication.

 This poses a serious problem for admins who are still using the outdated authentication tool, the company revealed, as threat actors could access customers' VMware environments.

The vulnerabilities, known as CVE-2024-22245 and CVE-2024-22250, can be taken advantage of by threat actors in two different ways.   

The former is an arbitrary authentication relay vulnerability which could allow malicious operators to trick domain users. A target domain user who has EAP installed in their web browser could be misled into requesting and relaying service tickets. 

These service tickets would then allow a threat actor to access arbitrary Active Directory Service Principal Names.

VMware classed this vulnerability as the more severe of the two, describing it as “critical” and giving it a maximum CVSSv3 base score of 9.6.

The second vulnerability reported by VMware allows for session hijacking. 

With unprivileged access to a windows operating system, a malicious actor could take advantage of this vulnerability to hijack an EAP session initiated by a privileged domain user on the same system. 

The severity of this vulnerability has been classed as “important,” with a CVSSv3 base score of 7.8.

VMware customers can avoid disaster easily

Thankfully, the fix in both cases is simple, as VMware simply advises that users remove the EAP product from their systems. 

VMware has provided a set of materials and in-house guidance in order to show customers how to do this.

Most users may have already removed the product, however, as it’s been discontinued for quite some time now. As VMware stated in its evaluation of these new vulnerabilities, it announced the deprecation of VMware EAP back in 2021. 

Those who didn’t remove the product when it first began to be phased out will now need to act quickly before any problems arise, though VMware has said that it is not aware of any "in the wild" exploitation of the vulnerabilities.

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.