Platform
vmware
Component
vmware-enhanced-authentication-plug-in-eap
CVE-2024-22245 is a critical (CVSSv3 9.6) arbitrary authentication relay vulnerability in the deprecated VMware Enhanced Authentication Plug-in (EAP), disclosed in VMSA-2024-0003 together with the companion session hijack flaw CVE-2024-22250. A malicious actor can trick a domain user who has EAP installed in their web browser into requesting and relaying Kerberos service tickets for arbitrary Active Directory Service Principal Names (SPNs). EAP is a client-side Windows component that provided Integrated Windows Authentication and Windows smart-card login to the vSphere Client; it was deprecated in March 2021, is not installed by default, and is not part of vCenter Server, ESXi or Cloud Foundation. All versions of EAP are affected and no fixed version exists; VMware's remediation is to uninstall the plug-in (see VMware KB 96442).
The impact of CVE-2024-22245 is significant because it lets an attacker obtain Kerberos service tickets issued for the victim's identity against SPNs of the attacker's choosing, without knowing the victim's credentials. The attacker hosts a malicious web page or link; when a domain user with EAP installed visits it, the plug-in requests service tickets for the SPNs the page names and relays them to the attacker. With those tickets the attacker can authenticate to the corresponding Active Directory-integrated services as the victim, with whatever access that account holds, which can enable lateral movement, data exfiltration and, if the victim is an administrator, compromise of the domain or the vSphere environment. User interaction is required (the victim must load attacker-controlled content), but administrators commonly install EAP on the same workstations they browse from, which is why VMware rates the flaw critical.
CVE-2024-22245 was publicly disclosed on February 20, 2024, in VMSA-2024-0003. At the time of writing there is no public exploit, and the CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Its critical severity, the absence of a patched version and the low effort required once a victim loads attacker-controlled content nonetheless make it a likely target, so organizations should prioritize removing the plug-in.
Organizations that rely on Active Directory for authentication and authorization and whose vSphere administrators installed EAP for Windows session authentication are most exposed. Risk is highest where users browse untrusted websites or open suspicious links from the same Windows workstation that runs EAP. Shared administrative workstations and jump hosts deserve attention: the plug-in is installed for the machine rather than for a single user, so every user who browses from that host is exposed, not only the administrator who installed it.
• windows / supply-chain: EAP is a client-side install on Windows workstations, not part of vCenter Server. Inventory it through the uninstall registry keys rather than by process name (there is no process called "EAP"; the plug-in ships as two Programs and Features entries, "VMware Enhanced Authentication Plug-in 6.7.0" and "VMware Plug-in Service"):
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like 'VMware*Plug-in*' } | Select-Object DisplayName, DisplayVersion
• linux / server: N/A. EAP is a Windows-only browser plug-in; vCenter Server appliances and ESXi hosts carry no vulnerable component and need no patch for this CVE.
• wordpress / composer / npm: N/A. This vulnerability is not in a web application component.
• database (mysql, redis, mongodb, postgresql): N/A. This vulnerability is not in a database component.
• generic web: on Windows clients used to reach the vSphere Client, check for the EAP entries above and for a registered "VMware Plug-in Service" Windows service.
disclosure
Exploit status
EPSS
0.94% (percentile 76%)
CVSS vector
The only remediation for CVE-2024-22245 is to remove the VMware Enhanced Authentication Plug-in (EAP) from every Windows workstation that has it: EAP is deprecated, no fixed version exists, and nothing needs patching on vCenter Server or ESXi because the plug-in is not part of them (see VMSA-2024-0003 and VMware KB 96442). Uninstall both Programs and Features entries, "VMware Enhanced Authentication Plug-in 6.7.0" and "VMware Plug-in Service". Until removal is complete, treat hosts that still carry EAP as sensitive: do not browse untrusted sites from them, log in to the vSphere Client with a username and password or SSO rather than Windows session authentication, and keep them on the management network segment so that an attacker who obtains a relayed ticket has fewer places to use it. Continue to review and audit Active Directory permissions so that a ticket relayed from an administrator's workstation does not grant more than that role requires. Verify the change by confirming that both entries are gone from Programs and Features (or the uninstall registry keys) and that the VMware Plug-in Service is no longer registered; a login test is not a valid check, because the vSphere Client keeps working without EAP.
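The inventory check listed above and the uninstall-and-verify procedure described here, as one PowerShell script for a Windows workstation. This is an added example, not code from VMware, KB 96442 or the original page. It assumes that the two Programs and Features entries named in the KB are MSI products (so the name of their uninstall registry subkey is the MSI product code {GUID}) and that the plug-in's Windows service has a display name beginning with "VMware Plug-in Service"; both assumptions are marked in the code.

```powershell
# Added example (not VMware's or the page's code): inventory, remove and verify
# removal of the deprecated Enhanced Authentication Plug-in (EAP) on one host.
# Assumptions: the Programs and Features entries from VMware KB 96442
# ("VMware Enhanced Authentication Plug-in 6.7.0" and "VMware Plug-in Service")
# are MSI products, so their uninstall subkey name is the product code {GUID};
# the Windows service display name starts with "VMware Plug-in Service". Run elevated.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$EapDisplayNames = @('VMware Enhanced Authentication Plug-in*', 'VMware Plug-in Service*')

function Get-EapInstall {
    # One object per installed EAP component: name, version, uninstall string, product code.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            @($EapDisplayNames | Where-Object { $name -like $_ }).Count -gt 0
        } |
        Select-Object DisplayName, DisplayVersion, UninstallString,
                      @{ Name = 'ProductCode'; Expression = { $_.PSChildName } }
}

function Remove-EapInstall {
    param([switch]$WhatIf)
    foreach ($pkg in Get-EapInstall) {
        if ($pkg.ProductCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
            # Not an MSI product code: do not guess silent flags for an unknown uninstaller.
            Write-Warning "Remove '$($pkg.DisplayName)' manually: $($pkg.UninstallString)"
            continue
        }
        $msiArgs = "/x $($pkg.ProductCode) /qn /norestart"
        Write-Host "Uninstalling '$($pkg.DisplayName)' $($pkg.DisplayVersion): msiexec.exe $msiArgs"
        if ($WhatIf) { continue }
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        # 0 = success; 3010 = success, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)
        if ($proc.ExitCode -notin @(0, 3010)) {
            Write-Warning "msiexec exited $($proc.ExitCode) for '$($pkg.DisplayName)'"
        }
    }
}

function Test-EapRemoved {
    # Verification: no uninstall entries left and no plug-in service registered.
    $remaining = @(Get-EapInstall)
    $service   = @(Get-Service | Where-Object { $_.DisplayName -like 'VMware Plug-in Service*' })
    if ($remaining.Count -eq 0 -and $service.Count -eq 0) {
        Write-Host 'EAP removed: no uninstall entries and no plug-in service found.'
        return $true
    }
    $remaining | ForEach-Object { Write-Warning "Still installed: $($_.DisplayName) $($_.DisplayVersion)" }
    $service   | ForEach-Object { Write-Warning "Service still registered: $($_.DisplayName) ($($_.Status))" }
    return $false
}

# Typical run on a single workstation: inventory, remove, verify.
Get-EapInstall | Format-Table -AutoSize
Remove-EapInstall
Test-EapRemoved
```

Run `Remove-EapInstall -WhatIf` first to see what would be removed, and wrap the three calls in `Invoke-Command -ComputerName` against the list of vSphere administrators' workstations to sweep a fleet; the `$false` return from `Test-EapRemoved` is what to alert on.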
Uninstall the VMware Enhanced Authentication Plug-in (EAP); it is deprecated and no fixed version exists. See the VMware advisory (VMSA-2024-0003) for details and possible alternatives.
CVE-2024-22245 is a critical arbitrary authentication relay vulnerability in the deprecated VMware Enhanced Authentication Plug-in (EAP): a malicious web page can make the victim's browser request and relay Kerberos service tickets for arbitrary Active Directory SPNs, letting the attacker authenticate to those services as the victim. The companion CVE-2024-22250 in the same advisory covers session hijack.
Yes, all versions of VMware Enhanced Authentication Plug-in (EAP) are affected by this vulnerability. If you are using EAP, you are at risk.
The recommended fix is to uninstall the VMware Enhanced Authentication Plug-in (EAP) from every Windows workstation that has it; there is no patched version, and vCenter Server itself needs no change. Until that is done, avoid browsing untrusted content from hosts that still carry the plug-in.
While no public exploits are currently available, the vulnerability's critical severity suggests a high probability of exploitation. Monitor for any signs of compromise.
Refer to the official VMware Security Advisory VMSA-2024-0003: https://www.vmware.com/security/advisories/VMSA-2024-0003.html