CVE-2024-22245
📋 TL;DR
This vulnerability in VMware's deprecated Enhanced Authentication Plug-in (EAP) allows attackers to trick users into relaying authentication requests, enabling them to obtain service tickets for arbitrary Active Directory services. This could lead to session hijacking and unauthorized access to domain resources. Organizations using the deprecated EAP plugin in their web browsers are affected.
💻 Affected Systems
- VMware Enhanced Authentication Plug-in (EAP)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete domain compromise through Kerberos ticket relay, allowing attackers to impersonate any domain user and access sensitive systems and data.
Likely Case
Unauthorized access to specific services and data within the domain through session hijacking and service impersonation.
If Mitigated
Limited impact if EAP is already removed or disabled, with only legacy systems potentially affected.
🎯 Exploit Status
Requires social engineering to trick users into initiating authentication requests, but the relay mechanism itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2024-0003.html
Restart Required: No
Instructions:
1. Remove the VMware Enhanced Authentication Plug-in from all systems.
2. Follow VMware's guidance to disable and uninstall the deprecated plugin.
🔧 Temporary Workarounds
Disable EAP in Browser
All platforms: Disable the VMware Enhanced Authentication Plug-in in all web browsers
Browser-specific: Disable plugin/extensions for VMware EAP
Uninstall EAP Plugin
All platforms: Completely remove the VMware Enhanced Authentication Plug-in from the system
Windows: Control Panel > Programs > Uninstall VMware Enhanced Authentication Plug-in
Linux/macOS: Remove EAP package using system package manager
🧯 If You Can't Patch
- Implement network segmentation to limit EAP-enabled systems' access to critical resources
- Enable Kerberos armoring and other Kerberos protections to make relay attacks more difficult
🔍 How to Verify
Check if Vulnerable:
Check browser extensions/plugins for 'VMware Enhanced Authentication Plug-in' or check installed programs list
Check Version:
Browser-specific: Check extensions/plugins list for VMware EAP
Verify Fix Applied:
Confirm EAP plugin is not present in browser extensions and not installed on the system
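The check above can be scripted for a fleet of Windows hosts. The following is an added example, not a script from the advisory or from VMware: it reads the same Uninstall registry keys that Control Panel > Programs is built from and reports any entry whose DisplayName matches the plug-in's product name. The `*VMware Enhanced Authentication*` pattern is an assumption based on the product name on this page; adjust it if the installed entry is named differently in your environment.

```powershell
# Added example (not from the advisory): report whether the VMware Enhanced
# Authentication Plug-in is still installed on a Windows host by reading the
# standard Uninstall registry keys (64-bit, 32-bit, and per-user views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName pattern is an assumption based on the product name; tune as needed.
$eapEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*VMware Enhanced Authentication*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString

if ($eapEntries) {
    Write-Warning 'VMware Enhanced Authentication Plug-in is still installed:'
    $eapEntries | Format-Table -AutoSize
    exit 1   # non-zero exit so the check can feed a fleet-wide compliance job
} else {
    Write-Output 'No VMware Enhanced Authentication Plug-in entry found in Uninstall keys.'
    exit 0
}
```

Run it under an account that can read HKLM; a non-zero exit code means the plug-in is still present and the "Verify Fix Applied" step has not been completed on that host. Remember to also check browser extension lists separately, as the advisory asks, since this script only covers the system-level installation.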
📡 Detection & Monitoring
Log Indicators:
- Unusual Kerberos service ticket requests from unexpected sources
- Multiple failed authentication attempts followed by a successful authentication from a different IP address
Network Indicators:
- Unusual Kerberos traffic patterns
- Authentication requests originating from unexpected network segments
SIEM Query (threshold is a placeholder; set it from a baseline of normal ticket-request volume in your environment):
source="kerberos" AND (event_type="TGS_REQ" OR event_type="AS_REQ") | stats count by src_ip, user | where count > threshold
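For environments without a SIEM, the same logic can be run directly against a domain controller's Security log. The following is an added example, not a query from the advisory: it collects Kerberos service ticket requests (Security event ID 4769) from the last 24 hours, groups them by requesting IP address and account, and flags pairs whose request volume exceeds a threshold. It also counts how many distinct service names each pair requested tickets for, since tickets for an unusually wide spread of services from one source is the pattern this CVE's relay produces. The threshold value (200) and the 24-hour window are assumed placeholders; tune both against a measured baseline.

```powershell
# Added example (not from the advisory): PowerShell equivalent of the SIEM
# query above, run on a domain controller with the Security log available.
$threshold = 200                       # assumed placeholder; tune to your baseline
$since     = (Get-Date).AddHours(-24)  # assumed window; adjust as needed

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
    -ErrorAction SilentlyContinue

$requests = foreach ($e in $events) {
    # Read fields from the XML payload so they are located by name rather than
    # by position, which is more robust across Windows versions.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Service  = ($data | Where-Object Name -eq 'ServiceName').'#text'
        # 4769 records IPv4 sources as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix
        SourceIp = (($data | Where-Object Name -eq 'IpAddress').'#text') -replace '^::ffff:', ''
        Status   = ($data | Where-Object Name -eq 'Status').'#text'   # 0x0 means a ticket was issued
    }
}

$suspicious = $requests |
    Group-Object SourceIp, User |
    Where-Object { $_.Count -gt $threshold } |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp         = $_.Group[0].SourceIp
            User             = $_.Group[0].User
            Requests         = $_.Count
            DistinctServices = ($_.Group.Service | Sort-Object -Unique).Count
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Requests -Descending

if ($suspicious) {
    Write-Warning "Source/account pairs above the TGS request threshold ($threshold):"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output "No source/account pair exceeded $threshold TGS requests since $since."
}
```

A high Requests count alone can be a busy application server; a high Requests count combined with a high DistinctServices count from a workstation-range address is the combination worth investigating, and it maps to the "unusual Kerberos service ticket requests from unexpected sources" indicator above.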