Advisory 56: VMware Vulnerabilities CVE-2024-22245 & CVE-2024-22250

Release Date: 20 February 2024


TLP Rating: Clear

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory.

What is it?

Below are descriptions of the two (2) vulnerabilities:

  • CVE-2024-22245 is an arbitrary authentication relay vulnerability that a malicious public website can exploit to request arbitrary Kerberos service tickets on behalf of the user visiting it.
  • CVE-2024-22250 is a session hijack vulnerability which allows “local users to request Kerberos tickets from another user during authentication to the VMware vSphere web console”. This flaw was initially reported in October 2023. Unlike the above CVE, this CVE does not require interaction with a suspicious website. The attacker simply waits for authentication to a legitimate vCenter login page to occur and then hijacks the user session.