VMware Alert: Uninstall EAP now

ReportFebruary 21, 2024Editorial DepartmentActive Directory/Vulnerability

VMware EAP

VMware is urging users to uninstall the deprecated Enhanced Authentication Plug-in (EAP) after a critical security vulnerability was discovered.

Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability is described as an arbitrary authentication relay error.

“A malicious actor could trick a target domain user who has EAP installed in their web browser into requesting and forwarding a service ticket for an arbitrary Active Directory Service Principal Name (SPN),” the company said in an advisory.

EAP is a software package designed to allow direct login to vSphere’s management interface and tools through a web browser. It has been deprecated as of March 2021. It is not included in the presets and is not part of vCenter Server, ESXi, or Cloud Foundation.

A session hijacking flaw (CVE-2024-22250, CVSS score: 7.8) was also discovered in the same tool, which could allow a malicious actor with unprivileged local access to the Windows operating system to seize a privileged EAP session.

Internet security

Ceri Coburn of Pen Test Partners is credited with discovering and reporting both vulnerabilities.

It is worth pointing out that these flaws only affect users who have added EAP to Microsoft Windows systems to connect to VMware vSphere through the vSphere Client.

The Broadcom-owned company said the vulnerabilities will not be addressed and instead recommends users remove the plug-in entirely to mitigate potential threats.

“The Enhanced Authentication plug-in can be removed from the client system using the client operating system’s uninstaller software method,” it added.

This disclosure comes as SonarSource revealed multiple cross-site scripting (XSS) flaws (CVE-2024-21726) affecting Joomla! Content management system. It has been resolved in versions 5.0.3 and 4.4.3.

“Insufficient content filtering can lead to XSS vulnerabilities in various components,” Joomla! said in its own advisory, assessing the severity of the bug as medium.

Security researcher Stefan Schiller said: “An attacker can use this issue to trick administrators into clicking on a malicious link, thereby obtaining remote code execution.” No other technical details about the flaw have been disclosed.

Internet security

In related development, multiple high-severity and critical-severity vulnerabilities and misconfigurations were discovered in the Apex programming language developed by Salesforce for building business applications.

At the heart of the problem is the ability to run Apex code in “share nothing” mode, which ignores user permissions, allowing malicious actors to read or steal data or even provide specially crafted input to alter the execution flow.

“If exploited, these vulnerabilities could lead to data exfiltration, data corruption and impairment of business functionality in Salesforce,” Varonix security researcher Nitay Bachrach said.

Did you find this article interesting?follow us Twitter and LinkedIn to read more exclusive content from us.



Source link



from Tech Empire Solutions https://techempiresolutions.com/vmware-alert-uninstall-eap-now/
via https://techempiresolutions.com/

from Tech Empire Solutions https://techempiresolutions.blogspot.com/2024/02/vmware-alert-uninstall-eap-now.html
via https://techempiresolutions.com/

Comments

Post a Comment

Popular posts from this blog

Perfecta grill uses AI to help cook steaks in 90 seconds

Image
CES is increasingly becoming a barbecue show, and companies are constantly looking for ways to bring more technology to your deck or patio. One company adding artificial intelligence technology to its spice racks is Seergerills, a British startup made up of engineers and product developers. Its flagship model, the Perfecta, can cook a one-inch-thick rib-eye steak in 90 seconds. Overall, the company says the grill looks more like a see-through countertop oven and cooks food about 10 times faster than traditional cooking methods. Inside, dual vertical infrared burners cook both sides simultaneously, which not only speeds up the process but also eliminates the need for flipping. Seergerills says the burner has a maximum temperature of 1,652 degrees Fahrenheit, and the unit even ensures crisp edges thanks to 360-degree heating. The built-in artificial intelligence chef calculates the appropriate cooking time and temperature based on the food, taking into account the desired degree of done
Read more

John Wick heads to Vegas to visit interactive attractions

Image
image: Lionsgate If you’ve ever wanted to fully immerse yourself in John Wick , Lionsgate has got you covered. Later this year, action series is becoming “immersive and interactive” tourist attractions In Las Vegas. Grace Byers on horror and comedy in ‘The Dark’ According to the press release, John Wick Experience Produced in collaboration with series director Chad Stahelski and his production company 87Eleven. The 12,000-square-foot exhibit at the city’s AREA15 campus lets visitors “experience high-stakes adventures and visit themed bars and retail stores open to the public.” Guests will be given specific tasks involving characters and images from the film. They’ll also rub shoulders with Continental employees, crime bosses, and other assassins who (presumably) don’t come into contact with Wick’s bad side at any point in the movie, all in an effort to gain access to private Continental areas and learn about the interesting secret. Jenefer Brown, exec
Read more

Ford prepares for next war, Waymo recalls its self-driving car software, another self-driving startup lays off employees

Image
TechCrunch Mobility is a weekly newsletter dedicated to all things transportation. Sign up here – just click TechCrunch Mobility – and get the newsletter in your inbox every weekend. Subscription is free. welcome back TechCrunch Mobile — A central hub for news and insights about the future of transportation.This week’s news includes BMW Security breach exposes sensitive information, federal agencies fight back against Tesla super bowl ad and a new federal investigation Fisker . But first, I want to talk about my recent visit to the law, where I met some people Ford Executives understand their priorities for 2024 and beyond. It can be said with certainty Chinese electric vehicle manufacturer and Tesla is the most important; in the view of Ford executives, low-cost electric vehicles and cutting-edge software are the best ways to stop these threats. The company’s recently revealed Skunk Works project for electric vehicles is tasked with this task. Ford Chief Financial Officer J
Read more