CVE-2008-3466 : Microsoft Host Integration Server (HIS) 2000, 2004, and 2006 does not limit RPC access to administrative functions, whic

Microsoft Host Integration Server (HIS) 2000, 2004, and 2006 does not limit RPC access to administrative functions, which allows remote attackers to bypass authentication and execute arbitrary programs via a crafted SNA RPC message using opcode 1 or 6 to call the CreateProcess function, aka "HIS Command Execution Vulnerability."

Published 2008-10-15 00:12:16

Updated 2018-10-12 21:48:03

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2008-3466

Probability of exploitation activity in the next 30 days: 97.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2008-3466

Microsoft Host Integration Server 2006 Command Execution Vulnerability

Disclosure Date: 2008-10-14

First seen: 2020-04-26

auxiliary/admin/ms/ms08_059_his2006

This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006. Authors: - MC <mc@metasploit.com>

More information

CVSS scores for CVE-2008-3466

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2008-3466

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-3466

http://marc.info/?l=bugtraq&m=122479227205998&w=2

'[security bulletin] HPSBST02379 SSRT080143 rev.1 - Storage Management Appliance (SMA), Microsoft Pat' - MARC

CVEs referencing this url
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-059
http://www.securityfocus.com/bid/31620

Exploit;Patch
http://www.vupen.com/english/advisories/2008/2810
http://www.securitytracker.com/id?1021043
http://www.us-cert.gov/cas/techalerts/TA08-288A.html

Page Not Found | CISA
US Government Resource

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6075
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745

Products affected by CVE-2008-3466

Microsoft » Host Integration Server 2000 » Update SP2 Server Edition
cpe:2.3:a:microsoft:host_integration_server_2000:*:sp2:*:*:server:*:*:*
Matching versions
Microsoft » Host Integration Server 2000 » Client Edition
cpe:2.3:a:microsoft:host_integration_server_2000:*:*:*:*:client:*:*:*
Matching versions
Microsoft » Host Integration Server 2004 » Server Edition
cpe:2.3:a:microsoft:host_integration_server_2004:*:*:*:*:server:*:*:*
Matching versions
Microsoft » Host Integration Server 2004 » Update SP1 Server Edition
cpe:2.3:a:microsoft:host_integration_server_2004:*:sp1:*:*:server:*:*:*
Matching versions
Microsoft » Host Integration Server 2004 » Client Edition
cpe:2.3:a:microsoft:host_integration_server_2004:*:*:*:*:client:*:*:*
Matching versions
Microsoft » Host Integration Server 2006 » For X64
cpe:2.3:a:microsoft:host_integration_server_2006:*:*:*:*:*:*:x64:*
Matching versions
Microsoft » Host Integration Server 2006 » For X86
cpe:2.3:a:microsoft:host_integration_server_2006:*:*:*:*:*:*:x86:*
Matching versions