what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2010-0020

VMware Security Advisory 2010-0020
Posted Dec 23, 2010
Authored by VMware | Site vmware.com

VMware Security Advisory 2010-0020 - VMware ESXi 4.1 Update Installer might introduce a SFCB Authentication Flaw.

tags | advisory
advisories | CVE-2010-4573
SHA-256 | 12c5720af03742907282a1f3c4a358ad3ac5c767910cade97759d078ac1e03cf

VMware Security Advisory 2010-0020

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2010-0020
Synopsis: VMware ESXi 4.1 Update Installer SFCB Authentication
Flaw
Issue date: 2010-12-21
Updated on: 2010-12-21
CVE numbers: CVE-2010-4573
- ------------------------------------------------------------------------

1. Summary

VMware ESXi 4.1 Update Installer might introduce a SFCB
Authentication Flaw.

2. Relevant releases

VMware ESXi 4.1 if upgraded from ESXi 3.5 or ESXi 4.0 with a modified
SFCB configuration file.

3. Problem Description

a. ESXi 4.1 Update Installer SFCB Authentication Flaw

Under certain conditions, the ESXi 4.1 installer that upgrades an
ESXi 3.5 or ESXi 4.0 host to ESXi 4.1 incorrectly handles the SFCB
authentication mode. The result is that SFCB authentication could
allow login with any username and password combination.

An ESXi 4.1 host is affected if all of the following apply:
- ESXi 4.1 was upgraded from ESXi 3.5 or ESXi 4.0.
- The SFCB configuration file /etc/sfcb/sfcb.cfg was modified prior
to the upgrade.
- The sfcbd daemon is running (sfcbd runs by default).

Workaround
A workaround that can be applied to ESXi 4.1 is described in VMware
Knowledge Base Article KB 1031761

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4573 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

hosted * any any not affected

ESXi 4.1 ESXi see KB 1031761 for workaround **
ESXi 4.0 ESXi not affected
ESXi 3.5 ESXi not affected

ESX any ESX not affected

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
** ESXi 4.1 is only affected if upgraded from ESXi 3.5 or ESXi 4.0
with a modified SFCB configuration file.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

ESXi 4.1
--------
Workaround described in VMware Knowledge Base Article KB 1031761
http://kb.vmware.com/kb/1031761


5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4573

- ------------------------------------------------------------------------

6. Change log

2010-12-21 VMSA-2010-0020
Initial security advisory after release of VMware knowledge base article
that documents workaround on 2010-12-21.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk0RJaQACgkQS2KysvBH1xk5gwCfeuwzOhjNuAQKDY/OGqVevkFk
yv4An04Kf4+MQr2Lxg1ObnrhblLZw280
=579r
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close