
This article explains how to uninstall the Enhanced Authentication Plugin (EAP) to address CVE-2024-22245 and CVE-2024-22250. Details on these vulnerabilities are published in VMSA-2024-0003.
The EAP is composed of two (2) entities:

- In-browser plugin/client, "VMware Enhanced Authentication Plug-in 6.7.0"
- Windows service, "VMware Plug-in Service"

Broadcom recommends removal of both of these applications from endpoint systems to mitigate the vulnerabilities.

Domain administrators can use PowerShell to detect if the application is installed on a local system:

PowerShell - "VMware Enhanced Authentication Plug-in"

    # Reports whether the in-browser plugin/client is installed on this system.
    if ((Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Enhanced Authentication Plug-in")}) -eq $null) {
        Write-Host "Not Vulnerable. VMware Enhanced Authentication Plug-in not installed." -ForegroundColor Green
    } else {
        Write-Host "Vulnerable. VMware Enhanced Authentication Plug-in was found to be installed on the system." -ForegroundColor Yellow
    }

PowerShell - "VMware Plug-in Service"

    # Reports whether the Windows service component is installed on this system.
    if ((Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Plug-in Service")}) -eq $null) {
        Write-Host "Not Vulnerable. VMware Plug-in Service not installed." -ForegroundColor Green
    } else {
        Write-Host "Vulnerable. VMware Plug-in Service was found to be installed on the system." -ForegroundColor Yellow
    }

Note: PowerShell has remote execution capabilities that allow domain administrators to invoke a given command on a remote system or a set of systems.
To learn more, visit Microsoft Learn - Microsoft.PowerShell.Core Invoke-Command

VMware Enhanced Authentication Plug-in 6.7.0

Default install path: C:\Program Files (x86)\VMware\Enhanced Authentication Plug-in 6.7\

To remove the in-browser plugin/client, perform one of the following options on the endpoint device:

Option 1 - From Control Panel

1. Open Control Panel
2. Browse for the installed application
3. Locate "VMware Enhanced Authentication Plug-in 6.7.0"
4. Right-click the application and uninstall

Option 2 - From the Installer

1. Run the original installer for "VMware Enhanced Authentication Plug-in 6.7.0"
2. In the installer wizard, select "uninstall"

Option 3 - PowerShell

Run the following PowerShell command:

    (Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Enhanced Authentication Plug-in")}).Uninstall()

VMware Plug-in Service

Default install path: C:\Program Files (x86)\VMware\Plug-in Service\

This software is a Windows service:

- Service: CipMsgProxyService
- Display Name: VMware Cip Message Proxy Service
- Listening: TCP vmware-plugin:8094

To remove the Windows service, perform one of the following options on the endpoint device:

Option 1 - From Control Panel

1. Open Control Panel
2. Browse for the installed application
3. Locate "VMware Plug-in Service"
4. Right-click the application and uninstall

Option 2 - From the Installer

1. Run the original installer for "VMware Plug-in Service"
2. In the installer wizard, select "uninstall"

Option 3 - PowerShell

Run the following PowerShell command:

    (Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Plug-in Service")}).Uninstall()

Stop and disable the Windows service if uninstallation is not possible at this time.

Option 1 - Batch/CMD

    sc stop CipMsgProxyService
    sc config CipMsgProxyService start= disabled

Option 2 - PowerShell

    Stop-Service -Name "CipMsgProxyService"
    Set-Service -Name "CipMsgProxyService" -StartupType "Disabled"

Note: If the service cannot be stopped or disabled, then block inbound/outbound TCP traffic for vmware-plugin:8094 at the firewall.
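
To confirm the state of an endpoint after the removal or stop/disable steps above, the following read-only audit checks both products, the CipMsgProxyService service and the TCP 8094 listener in one pass. It is an added example, not part of the Broadcom article; the function name Get-EapExposure and the host names in the remoting comment are hypothetical, and it assumes the uninstall-key DisplayName matches the Win32_Product name and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example (not vendor code): read-only audit of one endpoint for both EAP components.
function Get-EapExposure {
    # Product name prefixes and service name are taken from the article.
    $prefixes = 'VMware Enhanced Authentication Plug-in', 'VMware Plug-in Service'

    # Assumption: the DisplayName under the uninstall keys equals the Win32_Product Name.
    # Reading the registry avoids the MSI consistency check that querying
    # Win32_Product runs against every installed package.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($prefixes | Where-Object { $name.StartsWith($_) })
        } |
        Select-Object -ExpandProperty DisplayName

    # Service and listener state; both calls return nothing when absent.
    $svc      = Get-Service -Name 'CipMsgProxyService' -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 8094 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        InstalledProducts = @($installed)
        ServiceStatus     = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        ServiceStartType  = if ($svc) { "$($svc.StartType)" } else { $null }
        Port8094Listening = [bool]$listener
        # Flag the host if anything is still installed, running or listening.
        NeedsAction       = [bool]($installed -or
                                   ($svc -and $svc.Status -eq 'Running') -or
                                   $listener)
    }
}

# Local run:
Get-EapExposure

# Remote run over PowerShell remoting (host names are placeholders):
# Invoke-Command -ComputerName 'HOST-A','HOST-B' -ScriptBlock ${function:Get-EapExposure}
```

A host that was only mitigated by stopping and disabling the service still lists the products under InstalledProducts and keeps NeedsAction set to True until both are uninstalled.
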
To remove the "Use Windows Session Authentication" checkbox at the login page of the vCenter UI, follow the below steps:

1. SSH via root to the vCenter Server
2. Run the following command:

    sso-config.sh -set_authn_policy -winAuthn false -t vsphere.local

Note: Replace vsphere.local as appropriate for the environment.