

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180-day deadline.

Vendor Contact Timeline:

11/07/2013 - Case disclosed to vendor

11/07/2013 - Vendor acknowledged

12/02/2013 - Vendor confirmed reproduction

02/26/2014 - Vendor provided ETA August or September

05/02/2014 - Vendor provided ETA of August and December

05/02/2014 - ZDI asked vendor for something sooner

05/02/2014 - Vendor confirmed dates and will let ZDI know of any changes

05/06/2014 - Original 180-day deadline passed

05/30/2014 - Public release of advisory

Vendor Provided Mitigations:

Remove all users from the shellaccess group with the following command: usermod -R shellaccess LOGIN

OR

Remove the line "AllowGroups shellaccess wheel" from /etc/ssh/sshd_config, then restart the sshd service with the following command: service sshd restart
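
An added example (not part of the vendor's or ZDI's text): a shell audit that reports whether either of the two mitigations above is in place, given a group(5)-format file and an sshd_config file. The function names and the sample files are constructed for illustration, and a commented-out AllowGroups line is treated the same as a removed one.

```shell
#!/bin/sh
# Added example: audits the two vendor mitigations. Function names are hypothetical.

# Supplementary members of group $1 in group(5)-format file $2, one per line.
# Caveat: accounts whose *primary* group is $1 are not listed in this field.
group_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# Active (uncommented) AllowGroups lines in sshd_config $2 that name group $1.
# sshd keywords are case-insensitive; group names are matched exactly.
allowgroups_with() {
    awk -v g="$1" 'tolower($1) == "allowgroups" {
        for (i = 2; i <= NF; i++) if ($i == g) { print; next } }' "$2"
}

# Returns 0 if either mitigation is in place, 1 otherwise.
# $1 = group file, $2 = sshd_config path.
mitigation_status() {
    members=$(group_members shellaccess "$1" | tr '\n' ' ')
    if [ -z "$members" ]; then
        echo "OK: shellaccess has no listed members"; return 0
    fi
    if [ -z "$(allowgroups_with shellaccess "$2")" ]; then
        echo "OK: no active AllowGroups line names shellaccess"; return 0
    fi
    echo "NOT MITIGATED: shellaccess members: $members"
    return 1
}

# Constructed sample files (not taken from a real appliance) for an offline run.
write_samples() {  # $1 = output directory
    printf 'wheel:x:10:root\nshellaccess:x:1000:alice,bob\n' > "$1/group.before"
    printf 'wheel:x:10:root\nshellaccess:x:1000:\n'          > "$1/group.after"
    printf 'Port 22\nAllowGroups shellaccess wheel\n'         > "$1/sshd.before"
    printf 'Port 22\n#AllowGroups shellaccess wheel\n'        > "$1/sshd.after"
}

# On the appliance itself: mitigation_status /etc/group /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    mitigation_status "$d/group.before" "$d/sshd.before" || true
    mitigation_status "$d/group.after"  "$d/sshd.before"
    rm -rf "$d"
fi
```

The sshd_config check reflects the file on disk only; the running daemon keeps the old setting until sshd is restarted as the mitigation states.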

This issue only affects vCenter Server Appliance 5.1 and vCenter Server Appliance 5.5. No other products are affected by this issue.