CVE-2008-3466

Microsoft Host Integration Server (HIS) 2000, 2004, and 2006 does not limit RPC access to administrative functions, which allows remote attackers to bypass authentication and execute arbitrary programs via a crafted SNA RPC message using opcode 1 or 6 to call the CreateProcess function, aka HIS Command Execution Vulnerability.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Host_integration_server_2000	Microsoft	*	*
Host_integration_server_2004	Microsoft	*	*
Host_integration_server_2006	Microsoft	*	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745
http://marc.info/?l=bugtraq\u0026m=122479227205998\u0026w=2
http://secunia.com/advisories/32233
http://www.securityfocus.com/bid/31620
http://www.securitytracker.com/id?1021043
http://www.us-cert.gov/cas/techalerts/TA08-288A.html
http://www.vupen.com/english/advisories/2008/2810
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-059
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6075

NVD	https://nvd.nist.gov/vuln/detail/CVE-2008-3466
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References