

   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2008-160
Microsoft Host Integration Server Remote Command Execution Vulnerability

Original Issue Date:October 16, 2008

Severity Rating: High

Systems Affected

  • Microsoft Host Integration Server 2000 Service Pack 2 (server)
  • Microsoft Host Integration Server 2000 Administrator (Client)
  • Microsoft Host Integration Server 2004 (server)
  • Microsoft Host Integration Server 2004 Service Pack 1 (server)
  • Microsoft Host Integration Server 2004 (client)
  • Microsoft Host Integration Server 2004 Service Pack 1 (client)
  • Microsoft Host Integration Server 2006 for 32-bit systems
  • Microsoft Host Integration Server 2006 for x64-based systems

Overview

A remote command execution vulnerability has been reported in Microsoft Host Integration Server that could be exploited by an attacker to execute arbitrary code and take complete control of an affected system.

Description

The vulnerability is caused by an error in the way the Remote Management Interface component of Host Integration Server (the SNA RPC service) handles Remote Procedure Call (RPC) requests.

An attacker could exploit this vulnerability by sending a specially crafted RPC request to an affected system. Successful exploitation allows execution of arbitrary code with the privileges of the SNA RPC service and could provide complete control of the affected system.

Workarounds

  • Run the HIS SNA RPC service under a non-administrative account, so that code executed through the RPC interface does not obtain administrative privilege.
  • Disable the SNA RPC service if it is not needed.
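The following PowerShell script is an added example, not part of the CERT-In note or of Microsoft's bulletin. It audits both workarounds on a Host Integration Server host: it reports the account the SNA RPC service runs under (workaround 1) and, when run with -Disable, stops and disables the service (workaround 2). It assumes the service's display name contains "SNA RPC"; the $ServicePattern parameter and the list of privileged account names are assumptions to adjust for your installation.

```powershell
# Added example: audit the MS08-059 workarounds for the HIS SNA RPC service.
# Assumption: the service's display name contains "SNA RPC"; override
# -ServicePattern if your HIS installation names it differently.
param(
    [string]$ServicePattern = '*SNA RPC*',
    [switch]$Disable          # pass -Disable to apply workaround 2
)

# Win32_Service exposes StartName (the logon account), which Get-Service does not.
$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.DisplayName -like $ServicePattern }

if (-not $services) {
    Write-Output "No service matching '$ServicePattern' found; the SNA RPC service is not installed or is named differently."
    exit 0
}

# Accounts that give an attacker full control of the host if the RPC
# interface is exploited (assumed list; extend with any local admin accounts).
$privilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

foreach ($svc in $services) {
    Write-Output ("Service: {0} ({1})" -f $svc.DisplayName, $svc.Name)
    Write-Output ("  State: {0}  StartMode: {1}  RunsAs: {2}" -f $svc.State, $svc.StartMode, $svc.StartName)

    # Workaround 1: the service should not run with administrative privilege.
    if (($privilegedAccounts -contains $svc.StartName) -or ($svc.StartName -like '*\Administrator')) {
        Write-Warning "  Runs with administrative privilege; reconfigure the service to a low-privilege account (sc.exe config <name> obj= <account> password= <pw>)."
    }

    # Workaround 2: disable the service where the RPC management interface is not needed.
    if ($Disable) {
        if ($svc.State -eq 'Running') {
            Stop-Service -Name $svc.Name -Force
        }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "  Stopped and set to Disabled."
    }
    elseif ($svc.StartMode -ne 'Disabled') {
        Write-Output "  Still enabled; rerun with -Disable if the SNA RPC interface is not required on this host."
    }
}
```

Run the script from an elevated PowerShell session on the HIS server; without -Disable it only reports, so it is safe to use as a periodic check until the MS08-059 update is applied.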

Solution

Apply the appropriate updates as described in Microsoft Security Bulletin MS08-059.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-059.mspx

References

iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745

SecurityFocus
http://www.securityfocus.com/bid/31620

SecurityTracker
http://securitytracker.com/alerts/2008/Oct/1021043.html

FrSIRT
http://www.frsirt.com/english/advisories/2008/2810

CVE Name
CVE-2008-3466

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003