Two security flaws have been discovered in the pam_krb5 package for VMware ESX Server. The package lets applications that use PAM (Pluggable Authentication Modules) authenticate using the Kerberos protocol. The first flaw is caused by the use of inappropriate privileges and manifests when the "existing_ticket" option is enabled. It allows an attacker to gain elevated privileges. The second is the result of improper checking of valid user names and allows an attacker to disclose sensitive information. Users are advised to install the update.

VMware ESX Server pam_krb5 Security Issues
Secunia Advisory 	SA43314 	
Release Date 	2011-02-11

Criticality level 	Less critical
Impact 	Exposure of sensitive information, Security Bypass
Where 	From remote
Solution Status 	Vendor Patch
  	 
Operating System 	VMware ESX Server 4.x

CVE Reference(s) 	CVE-2008-3825, CVE-2009-1384

Description

VMware has acknowledged some security issues in VMware ESX Server, which can be exploited by malicious people to disclose potentially sensitive information and by malicious, local users to bypass certain security restrictions.

For more information:
SA32119
SA35230

The security issues are reported in VMware ESX Server version 4.1.

Solution
Apply patch ESX410-201101201-SG.
Original Advisory
VMSA-2011-0003:
http://www.vmware.com/security/advisories/VMSA-2011-0003.html
