National Cyber-Alert System
Vulnerability Summary for CVE-2008-3466
Original release date: 10/15/2008
Last revised: 03/04/2009
Source: US-CERT/NIST
Overview
Microsoft Host Integration Server (HIS) 2000, 2004, and 2006 does not limit RPC access to administrative functions, which allows remote attackers to bypass authentication and execute arbitrary programs via a crafted SNA RPC message using opcode 1 or 6 to call the CreateProcess function, aka "HIS Command Execution Vulnerability."
Impact
CVSS Severity (version 2.0):
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Provides administrator access; Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service
References to Advisories, Solutions, and Tools
US-CERT Technical Alert: TA08-288A
Name: TA08-288A
External Source: BID
Name: 31620
Type: Patch Information
External Source: MS
Name: MS08-059
Type: Advisory; Patch Information
External Source: SECUNIA
Name: 32233
Type: Advisory; Patch Information
External Source: SECTRACK
Name: 1021043
External Source: VUPEN
Name: ADV-2008-2810
Type: Advisory
External Source: OVAL
Name: oval:org.mitre.oval:def:6075
External Source: HP
Name: SSRT080143
External Source: IDEFENSE
Name: 20081014 Microsoft Host Integration Server 2006 Command Execution Vulnerability