Executive Summary
| Summary | |
|---|---|
| Title | VMware ESXi 4.1 Update Installer SFCB Authentication Flaw |
| Informations | |||
|---|---|---|---|
| Name | VMSA-2010-0020 | First vendor Publication | 2010-12-21 |
| Vendor | VMware | Last vendor Modification | 2010-12-21 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| a. ESXi 4.1 Update Installer SFCB Authentication Flaw Under certain conditions, the ESXi 4.1 installer that upgrades an ESXi 3.5 or ESXi 4.0 host to ESXi 4.1 incorrectly handles the SFCB authentication mode. The result is that SFCB authentication could allow login with any username and password combination. An ESXi 4.1 host is affected if all of the following apply: - ESXi 4.1 was upgraded from ESXi 3.5 or ESXi 4.0. - The SFCB configuration file /etc/sfcb/sfcb.cfg was modified prior to the upgrade. - The sfcbd daemon is running (sfcbd runs by default). Workaround A workaround that can be applied to ESXi 4.1 is described in VMware Knowledge Base Article KB 1031761 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4573 to this issue. |
Original Source
| Url : http://www.vmware.com/security/advisories/VMSA-2010-0020.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-287 | Improper Authentication |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 70114 | VMware ESXi Update Installer Arbitrary Credentials SFCB Authentication Mode B... VMware ESXi contains a flaw related to the Update Installer, which fails to properly configure the SFCB authentication mode. This may allow a remote attacker to bypass SFCB authentication with an arbitrary username and password. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2017-04-03 | Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2010-0020.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2017-04-04 13:20:39 |
|
