Platform: vmware
Component: vmware-enhanced-authentication-plug-in-eap
CVE-2024-22245 describes critical arbitrary authentication relay and session hijack vulnerabilities within the deprecated VMware Enhanced Authentication Plug-in (EAP). This flaw allows a malicious actor to potentially trick a user with EAP installed into unknowingly relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs), leading to severe compromise. All versions of EAP are affected. VMware recommends disabling EAP or implementing mitigating controls.
The impact of CVE-2024-22245 is significant due to its potential to bypass authentication mechanisms and facilitate unauthorized access to Active Directory resources. An attacker could craft a malicious web page or link that, when visited by a user with EAP installed, triggers the relay of service tickets. These tickets, if successfully relayed, could grant the attacker access to sensitive data, systems, and services within the Active Directory domain. This could lead to lateral movement, data exfiltration, and complete compromise of the environment. The vulnerability's ease of exploitation, coupled with the widespread use of Active Directory, makes it a high-priority concern.
CVE-2024-22245 was publicly disclosed on February 20, 2024. While no public exploits are currently available, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. It is not currently listed in the CISA KEV catalog. Given the potential for widespread impact, organizations should prioritize remediation efforts.
EPSS: 0.94% (76th percentile)
The primary mitigation for CVE-2024-22245 is to disable the VMware Enhanced Authentication Plug-in (EAP) entirely, as it is a deprecated component. If disabling EAP is not immediately feasible, restrict access to Active Directory Service Principal Names (SPNs) to prevent unauthorized ticket relay. Implement strict network segmentation to limit the attacker’s ability to reach users with EAP installed. Regularly review and audit Active Directory permissions to identify and remediate any excessive privileges. After disabling EAP or implementing SPN restrictions, verify the change by attempting to access Active Directory resources through a browser that previously had EAP enabled; access should be denied.
Uninstall the VMware Enhanced Authentication Plug-in (EAP), as it is deprecated. See the VMware advisory (VMSA-2024-0003) for more information and possible alternatives.
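Before uninstalling, it helps to know which endpoints still carry the plug-in. The script below is an added example, not code from VMware's advisory or from this page: it searches the standard Windows uninstall registry keys for an EAP install record. It assumes the installer registers a DisplayName that begins with the product name used above; the function name `Find-EapInstall` and the exit-code convention are illustrative choices.

```powershell
# Added example: inventory check for the EAP client plug-in on a Windows endpoint.
# Assumption: the install record's DisplayName begins with the product name
# given on this page, "VMware Enhanced Authentication Plug-in".
$namePrefix = 'VMware Enhanced Authentication Plug-in'

# Search both the native and the 32-bit (WOW6432Node) uninstall keys, because
# a 32-bit installer on 64-bit Windows registers under the latter.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Find-EapInstall {
    param(
        [string[]]$Roots  = $uninstallRoots,
        [string]  $Prefix = $namePrefix
    )
    foreach ($root in $Roots) {
        # Keys without a DisplayName compare as $null and are skipped by -like.
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like "$Prefix*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    UninstallString = $_.UninstallString
                    RegistryKey     = $_.PSPath
                }
            }
    }
}

$found = @(Find-EapInstall)
if ($found.Count -eq 0) {
    Write-Output "No EAP install record found on $env:COMPUTERNAME"
    exit 0
}

# Report each record so the host can be queued for removal.
$found | Format-List
exit 1   # non-zero exit lets a fleet-management job flag the host
```

Run it again after removal; an exit code of 0 confirms that no install record remains on that host.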
CVE-2024-22245 is a critical vulnerability in VMware Enhanced Authentication Plug-in (EAP) allowing attackers to relay authentication tickets, potentially hijacking sessions and gaining unauthorized access to Active Directory.
Yes, all versions of VMware Enhanced Authentication Plug-in (EAP) are affected by this vulnerability. If you are using EAP, you are at risk.
The recommended fix is to disable the VMware Enhanced Authentication Plug-in (EAP) entirely. Restricting SPN access is a secondary mitigation.
While no public exploits are currently available, the vulnerability's critical severity suggests a high probability of exploitation. Monitor for any signs of compromise.
Refer to the official VMware Security Advisory: https://www.vmware.com/security/advisories/VMSA-2024-0006.html