Vulnerability scanners report false positive for Dropbear SSH (CVE-2012-0920)
search cancel

Vulnerability scanners report false positive for Dropbear SSH (CVE-2012-0920)


Article ID: 309676


Updated On:


VMware vSphere ESXi


The Dropbear SSH server included with ESXi 4.0 and ESXi 4.1 contains a use-after-free vulnerability that allows remote authenticated users to execute arbitrary code. In ESXi 4.0 and ESXi 4.1, administrative access is required to login via SSH. Exploiting this vulnerability provides no gain to an attacker because any authenticated remote user already has sufficient privileges to execute arbitrary code.

The Common Vulnerabilities and Exposures project ( has assigned the name CVE-2012-0920 to this issue.


VMware ESXi 4.1.x Installable
VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.0
VMware ESXi 4.0.x Installable


This vulnerability does not affect ESXi 5.0 because the Dropbear SSH server was replaced with OpenSSH, which does not contain this vulnerability. In ESXi 4.1 and earlier, the vulnerability can only be exploited by a user with administrative privileges. Since there is no impact, VMware has decided not to update the affected component.

Customers should note that many vulnerability scanners will detect a vulnerable version of Dropbear SSH and generate an alert for CVE-2012-0920. With respect to VMware ESXi Server, this alert should be considered a false positive.