SFCB Authentication Flaw in VMware ESXi 4.1 Upgrade

According to CVE-2010-4573, also known as VMSA-2010-0020, a VMware ESXi 4.1 system upgraded from ESXi 3.5 or ESXi 4.0 may allow open authorization.

The flaw is related to the Small Footprint Common Information Model Broker (SFCB). If the SFCB daemon is running (on by default) or the configuration file (/etc/sfcb/sfcb.cfg) was changed before the upgrade, system authentication fails and any username and password combination is allowed. Detection of the flaw is trivial — just look in the configuration file:

Find the line with basicAuthLib. Your deployment of ESX 4.1 is affected if the line reads basicAuthLib: sfcBasicAuthentication. Your system is not affected if the value of the parameter is sfcBasicPAMAuthentication.

The official VMware workaround is thus to change “basicAuthLib: sfcBasicAuthentication” to “basicAuthLib: sfcBasicPAMAuthentication”.
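The configuration check described above, written as a shell function. This is an added example, not VMware's own tooling; the function name, output labels, return codes, and the treatment of `#` comments and duplicate entries are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from VMware): classify the basicAuthLib setting
# in an SFCB configuration file.
# Prints AFFECTED, NOT_AFFECTED, UNKNOWN, MISSING_KEY or NO_FILE.
# Return codes (assumed convention): 0 = PAM auth, 1 = affected,
# 2 = file unreadable, 3 = key missing or unrecognised value.

check_sfcb_auth() {
    cfg="${1:-/etc/sfcb/sfcb.cfg}"
    [ -r "$cfg" ] || { echo "NO_FILE"; return 2; }

    # Collect the value of every uncommented basicAuthLib line.
    # Leading whitespace, trailing comments and CR line endings are ignored.
    values=$(sed -n \
        's/^[[:space:]]*basicAuthLib[[:space:]]*:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' \
        "$cfg")

    [ -n "$values" ] || { echo "MISSING_KEY"; return 3; }

    # Conservative choice: if any active entry selects the non-PAM library,
    # report the host as affected, whichever entry the daemon would honour.
    if printf '%s\n' "$values" | grep -qx 'sfcBasicAuthentication'; then
        echo "AFFECTED"
        return 1
    fi

    # Anything other than the PAM library needs a manual look.
    if printf '%s\n' "$values" | grep -qvx 'sfcBasicPAMAuthentication'; then
        echo "UNKNOWN"
        return 3
    fi

    echo "NOT_AFFECTED"
    return 0
}
```

Call `check_sfcb_auth` with no argument on the host itself, or pass the path of a copy of the configuration file collected from the host.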
