VMware warns of vulnerable and outdated plugins

VMware calls on administrators to remove an authentication plugin as soon as possible. The plugin has not been supported for three years.

Virtualization specialist VMware has reported two vulnerabilities in vCenter Server, CVE-2024-22245 and CVE-2024-22250. The vulnerabilities are due to the same plugin, namely Enhanced Authentication Plugin (EAP) To log in to the administrative console. VMware itself stopped supporting the plugin three years ago, but that doesn't guarantee it's no longer in use.

Since it was necessary to install the add-on manually, it also had to be removed manually. VMware believes the vulnerabilities will have a relatively limited scope, specifically because the plug-in is not integrated into vCenter Server by default. That doesn't mean there's no reason to be wary: An attacker could try to trick an employee who added the plug-in to their web browser into passing service tickets and hijacking the user's session.

Remove the plugin

According to VMware, there is currently no evidence that the vulnerabilities are being actively exploited, but it does not want to wait for that to happen. The company recommends updating vCenter Server to the latest version to install patches and also recommends installing additional software To delete. For this you need both plugin (VMware Enhanced Authentication Plugin 6.7.0) as a supporting Windows service (VMware Plug-in Service).

This can be done by running the PowerShell scripts below, or via the control panel of the endpoint on which the plugin is installed.

(Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith(“VMware Enhanced Authentication Plug-in”)}).Uninstall()

(Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith(“VMware Plug-in Service”)}).Uninstall()

The vulnerability reported by VMware last month may affect more users. A flaw in Aria Automation, which is used to run infrastructure in VMware Cloud Foundation, if successfully exploited, gives attackers unauthorized remote access to workflows. Read more information on how to fix this error here.