Advisory 56: VMware Vulnerabilities CVE-2024-22245 & CVE-2024-22250
Release Date: 20 February 2024
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory.
What is it?
Below are descriptions of the two (2) vulnerabilities:
- CVE-2024-22245 is an arbitrary authentication relay vulnerability: a malicious public website can cause the browser of a user who visits it (with EAP installed) to request arbitrary Kerberos service tickets on that user's behalf.
- CVE-2024-22250 is a session hijack vulnerability which allows "local users to request Kerberos tickets from another user during authentication to the VMware vSphere web console". This flaw was initially reported in October 2023. Unlike CVE-2024-22245, this CVE does not require interaction with a suspicious website: the attacker simply waits for a user to authenticate to a legitimate vCenter login page and hijacks that user's session.
What systems are affected?
VMware Enhanced Authentication Plug-in (EAP).
Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware. VMware has evaluated the severity of these issues to be in the Critical severity range, with a maximum CVSSv3 base score of 9.6.
What does this mean?
For Known Attack Vectors (KAV):
- CVE-2024-22245 – A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
- CVE-2024-22250 – A malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same session.
Mitigation process
To mitigate both vulnerabilities, CVE-2024-22245 and CVE-2024-22250, remove the EAP plug-in by following the steps in VMware KB 96442 (linked under References).
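Before removal, administrators need to know which Windows hosts still have the plug-in installed. The following PowerShell inventory script is an added example (not part of the CERTVU advisory or VMware's KB); it assumes the installed product's DisplayName in the Windows uninstall registry contains "Enhanced Authentication Plug-in", which should be verified against your own software inventory.

```powershell
# Added example (not from the CERTVU advisory or VMware KB 96442):
# inventory a Windows host for the VMware Enhanced Authentication Plug-in (EAP)
# so it can be removed per VMware KB 96442.
# Assumption: the product's DisplayName contains "Enhanced Authentication Plug-in".
$uninstallHives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Find-VMwareEap {
    # Returns one object per matching uninstall entry; no output means EAP is not registered.
    foreach ($hive in $uninstallHives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props.DisplayName -and
                $props.DisplayName -like '*Enhanced Authentication Plug-in*') {
                [pscustomobject]@{
                    ComputerName    = $env:COMPUTERNAME
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    Publisher       = $props.Publisher
                    UninstallString = $props.UninstallString
                    RegistryKey     = $_.PSPath
                }
            }
        }
    }
}

$found = @(Find-VMwareEap)
if ($found.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): VMware EAP not found in uninstall registry entries."
} else {
    # Report only; perform the actual removal by following VMware KB 96442.
    $found | Format-Table DisplayName, DisplayVersion, UninstallString -AutoSize
    Write-Warning "$($env:COMPUTERNAME): EAP present ($($found.Count) entries). Remove it per VMware KB 96442."
}
```

Run it with Invoke-Command across the domain workstations of vSphere administrators and collect the returned objects to build a removal list.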
References
- https://www.vmware.com/security/advisories/VMSA-2024-0003.html
- https://www.helpnetsecurity.com/2024/02/21/cve-2024-22245-cve-2024-22250/
- https://kb.vmware.com/s/article/96442
- Download advisory (English): VMware Vulnerabilities CVE-2024-22245 & CVE-2024-22250
- Download advisory (Bislama): Olgeta Vulnerabiliti blong VMware CVE-2024-22245 & CVE-2024-22250
- Download advisory (French): Vulnérabilités VMware CVE-2024-22245 et CVE-2024-22250