Security Response to CVE-2005-2798, OpenSSH GSSAPIDelegateCredentials Enabled (2282)
What is VMware's response to the following issues:
CVE-2005-2798 - sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
CVE-2006-5052 - Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."
Is there any action I need to take?
VMware Security Response
| CVE identifier | CVE-2005-2798, CVE-2006-5052 |
| Synopsis | OpenSSH GSSAPIDelegateCredentials Enabled |
| Response issued on | 2006-06-19 |
| Response updated on | 2007-09-25: Updated to include CVE-2006-5052 |
The issue was first reported on ESX Server 2.5.2 build-21059.
ESX Server does not enable GSSAPIDelegateCredentials by default. The report is a false positive based on version checking alone.
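A version-only finding like this one can be triaged by pairing the banner version with the option's configured value. The following is an added example, not VMware or OpenSSH code; the banner and configuration strings are constructed samples, and the function names are hypothetical.

```python
import re

FIXED_IN = (4, 2)                      # CVE-2005-2798: "OpenSSH before 4.2"
OPTION = "gssapidelegatecredentials"   # the precondition named in the advisory

# Constructed sample inputs (not taken from any real host).
BANNER = "SSH-2.0-OpenSSH_3.6.1p2"
CONFIG_DEFAULT = "Protocol 2\n#GSSAPIDelegateCredentials yes\n"
CONFIG_ENABLED = "Host *.example.test\n    gssapidelegatecredentials = yes\n"

def scopes_enabling(config_text, option=OPTION):
    """Return the config scopes in which `option` resolves to "yes".

    OpenSSH keywords are case-insensitive, accept "key value" or "key=value",
    and the first value obtained wins, so a global setting masks later blocks.
    An absent option keeps its default, which upstream OpenSSH documents as "no".
    """
    first = {}          # scope label -> first value seen for the option
    scope = "global"
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(\S.*)$", raw)
        if not m:       # blank lines and "#" comments never match
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            scope = f"{m.group(1)} {value}"
        elif key == option and "global" not in first:
            first.setdefault(scope, value.split()[0].strip('"').lower())
    return [s for s, v in first.items() if v == "yes"]

def banner_version(banner):
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(banner, config_text):
    """Classify a scanner hit using both the version and the configuration."""
    version = banner_version(banner)
    if version is None:
        return "unknown version"
    if version >= FIXED_IN:
        return "not affected: fixed version"
    scopes = scopes_enabling(config_text)
    if scopes:
        return "precondition present in: " + ", ".join(scopes)
    return "version match only: option not enabled"

if __name__ == "__main__":
    print(triage(BANNER, CONFIG_DEFAULT))
    print(triage(BANNER, CONFIG_ENABLED))
```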