VMware Security Updates – 21 February 2024

VMware has released security updates to address several vulnerabilities in multiple VMware products.

The addressed vulnerabilities could allow an attacker to bypass security restrictions in order to request and relay service tickets for arbitrary Active Directory Service Principal Names (SPNs), to steal the user's session cookie and hijack a privileged EAP session, or to gain elevated privileges on the affected products.

A sample of the addressed vulnerabilities:

1. VMware Enhanced Authentication Plug-in Security Bypass (CVE-2024-22245):

  • CVSS: 9.6
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Bypass Security

2. VMware Enhanced Authentication Plug-in Session Hijacking Vulnerability (CVE-2024-22250):

  • CVSS: 7.8
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Gain Access

Affected products:

  • VMware Enhanced Authentication Plug-in (EAP).
  • VMware Aria Operations (formerly vRealize Operations).
  • VMware Cloud Foundation (VMware Aria Operations).

Vulnerabilities

  • CVE-2024-22245
  • CVE-2024-22250
  • CVE-2024-22235

Mitigations

Enterprises should deploy these patches as soon as their testing phase is complete.

References

  • VMware Security Advisory