VMware strongly advises users to remove the obsolete Enhanced Authentication Plugin (EAP) immediately after discovering a critical security vulnerability.

This vulnerability, officially labeled CVE-2024-22245 with a CVSS score of 9.6, is described as an arbitrary authentication relay flaw.

“According to an advisory issued by the company, a malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).”

Since March 2021, EAP has been deprecated. This software program facilitates web browser-based direct access to the management interfaces and tools of vSphere. It’s important to note that EAP is not integrated into vCenter Server, ESXi, or Cloud Foundation and is not included by default.

You may be interested in: Crafting A Robust Incident Response Plan

Additionally, an identification of a session usurpation vulnerability (CVE-2024-22250, CVSS score: 7.8) has been reported. This vulnerability could empower a malicious actor with unprivileged local access to a Windows operating system to take control of a privileged EAP session.

Ceri Coburn of Pen Test Partners is credited with discovering and reporting the twin vulnerabilities on October 17, 2023. The reason for VMware’s delay in advising clients to uninstall the plugin for several months remains unknown.

It is important to highlight that the vulnerabilities exclusively impact users who have configured EAP on Microsoft Windows systems to establish a connection to VMware vSphere through the vSphere Client.

Broadcom, the company that owns it, has announced that the vulnerabilities will not be patched. Users are advised to remove the plugin entirely to mitigate potential threats.

According to a statement by the company, “The Enhanced Authentication Plugin can be removed from client systems using the client operating system’s method of uninstalling software.”

SonarSource recently disclosed a number of cross-site scripting (XSS) vulnerabilities (CVE-2024-21726) affecting the Joomla! content management system. These vulnerabilities have been addressed in versions 4.4.3 and 5.0.3.

Joomla! stated in its own advisory, “Inadequate content filtering results in XSS vulnerabilities in multiple components,” categorizing the flaw with a moderate severity level.

“By tricking an administrator into clicking on a malicious link, attackers can exploit the vulnerability and execute code remotely,” explained security researcher Stefan Schiller. At present, detailed technical information regarding the vulnerability is being withheld.

In addition, a series of misconfigurations and vulnerabilities with high to critical severity have been identified in the Apex programming language, used by Salesforce to construct business applications.

At the heart of the issue lies the ability to execute Apex code in “without sharing” mode, bypassing user-granted permissions. This disregard for permissions allows malicious actors to manipulate execution flow through crafted input or data reading.

“According to Nitay Bachrach, a security researcher at Varonix, the vulnerabilities, if exploited, could result in data corruption, leakage, and damage to Salesforce’s business functions.”

SOURCE