Removing the deprecated VMware Enhanced Authentication Plugin (EAP) to address CVE-2024-22245 and CVE-2024-22250

Article ID: 316399

Products

VMware vCenter Server

Issue/Introduction

This article explains how to uninstall the Enhanced Authentication Plugin (EAP) to address CVE-2024-22245 and CVE-2024-22250. Details on these vulnerabilities are published in VMSA-2024-0003.


Resolution

The EAP is composed of two (2) entities:

  • In-browser plugin/client, "VMware Enhanced Authentication Plug-in 6.7.0"
  • Windows service, "VMware Plug-in Service"

Broadcom recommends removal of both of these applications from endpoint systems to mitigate the vulnerabilities.

Domain administrators can use PowerShell to detect if the application is installed on a local system:

PowerShell - "VMware Enhanced Authentication Plugin"

if ((Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Enhanced Authentication Plug-in")}) -eq $null) { Write-Host "Not Vulnerable. VMware Enhanced Authentication Plug-in not installed." -ForegroundColor Green } else { Write-Host "Vulnerable. VMware Enhanced Authentication Plug-in was found to be installed on the system." -ForegroundColor Yellow }

PowerShell - "VMware Plug-in Service"

if ((Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Plug-in Service")}) -eq $null) { Write-Host "Not Vulnerable. VMware Plug-in Service not installed." -ForegroundColor Green } else { Write-Host "Vulnerable. VMware Plug-in Service was found to be installed on the system." -ForegroundColor Yellow }

Note: PowerShell has remote execution capabilities that allow domain administrators to invoke a given command on a remote system or a set of systems. To learn more, visit Microsoft Learn - Microsoft.PowerShell.Core Invoke-Command

VMware Enhanced Authentication Plug-in 6.7.0

Default install path: C:\Program Files (x86)\VMware\Enhanced Authentication Plug-in 6.7\

To remove the in-browser plugin/client, perform one of the following options on the endpoint device:

Option 1 - From Control Panel

  1. Open Control Panel
  2. Browse for the installed application
  3. Locate "VMware Enhanced Authentication Plug-in 6.7.0"
  4. Right-click the application and uninstall

Option 2 - From the Installer

  1. Run the original installer for "VMware Enhanced Authentication Plug-in 6.7.0"
  2. In the installer wizard, select "uninstall"

Option 3 - PowerShell

  1. Run the following PowerShell command:

(Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Enhanced Authentication Plug-in")}).Uninstall()

VMware Plug-in Service

Default install path: C:\Program Files (x86)\VMware\Plug-in Service\

This software is a Windows service:

  • Service: CipMsgProxyService
  • Display Name: VMware Cip Message Proxy Service
  • Listening: TCP vmware-plugin:8094

To remove the Windows service, perform one of the following options on the endpoint device:

Option 1 - From Control Panel

  1. Open Control Panel
  2. Browse for the installed application
  3. Locate "VMware Plug-in Service"
  4. Right-click the application and uninstall

Option 2 - From the Installer

  1. Run the original installer for "VMware Plug-in Service"
  2. In the installer wizard, select "uninstall"

Option 3 - PowerShell

  1. Run the following PowerShell command:

(Get-WmiObject -Class Win32_Product | Where-Object{$_.Name.StartsWith("VMware Plug-in Service")}).Uninstall()
 

Stop and disable the Windows service if uninstallation is not possible at this time.

Option 1 - Batch/CMD

sc stop CipMsgProxyService
sc config CipMsgProxyService start= disabled


Option 2 - PowerShell

Stop-Service -Name "CipMsgProxyService"
Set-Service -Name "CipMsgProxyService" -StartupType "Disabled"
 

Note: If the service cannot be stopped or disabled, then block inbound/outbound TCP traffic for vmware-plugin:8094 at the firewall.
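
To confirm the end state on an endpoint after following the steps above, the script below is an added example (not part of the original Broadcom article) that reports installed EAP products, the state of CipMsgProxyService, and whether anything is listening on TCP 8094. The function name Get-EapExposure and the output field names are hypothetical, and it assumes the display names in the Windows uninstall registry keys match the product names given above.

```powershell
# Added example: audits one endpoint for the EAP components named in this article.
function Get-EapExposure {
    [CmdletBinding()]
    param()

    # Product name prefixes, service name and port are taken from the article.
    $prefixes    = 'VMware Enhanced Authentication Plug-in', 'VMware Plug-in Service'
    $serviceName = 'CipMsgProxyService'
    $port        = 8094

    # Assumption: the uninstall registry DisplayName values match the Win32_Product
    # names used in the article. Reading the registry avoids the MSI consistency
    # check that enumerating Win32_Product triggers on every installed package.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($prefixes | Where-Object { $name.StartsWith($_) })
        } |
        Select-Object -ExpandProperty DisplayName -Unique)

    # Service is acceptable only if it is absent, or both stopped and disabled.
    $svc          = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotPresent' }
    $neutralized  = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')

    # Any listener on the plug-in port means the proxy (or something else) is still reachable.
    $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        InstalledProducts  = $installed -join '; '
        ServiceState       = $serviceState
        Port8094Listening  = $listening
        FullyRemoved       = ($installed.Count -eq 0) -and (-not $svc)
        ServiceNeutralized = $neutralized -and (-not $listening)
    }
}

Get-EapExposure

# Remote use with Invoke-Command (host names are placeholders):
# Invoke-Command -ComputerName 'HOST1','HOST2' -ScriptBlock ${function:Get-EapExposure}
```

FullyRemoved corresponds to the recommended uninstall of both components; ServiceNeutralized corresponds to the stop-and-disable fallback.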


Additional Information

To remove the "Use Windows Session Authentication" checkbox from the login page of the vCenter UI, follow the steps below:

  1. Connect to the vCenter Server over SSH as root
  2. Run the following command:

sso-config.sh -set_authn_policy -winAuthn false -t vsphere.local

Note: Replace vsphere.local as appropriate for the environment.