copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Operating... » Windows (all) » AL-2008.0104 -- [Win] -- MS08-059 - Critical - Vulne...
 

AL-2008.0104 -- [Win] -- MS08-059 - Critical - Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution
Date: 15 October 2008
References: ESB-2008.0999  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2008.0104 -- AUSCERT ALERT
                                   [Win]
          MS08-059 - Critical - Vulnerability in Host Integration
           Server RPC Service Could Allow Remote Code Execution
                              15 October 2008

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Microsoft Host Integration Server 2000 Service
                        Pack 2 (Server)
                      Microsoft Host Integration Server 2000 Administrator
                        Client
                      Microsoft Host Integration Server 2004 (Server)
                      Microsoft Host Integration Server 2004 Service
                        Pack 1 (Server)
                      Microsoft Host Integration Server 2004 (Client)
                      Microsoft Host Integration Server 2004 Service
                        Pack 1 (Client)
                      Microsoft Host Integration Server 2006 for 32-bit
                        systems
                      Microsoft Host Integration Server 2006 for x64-based
                        systems
Publisher:            Microsoft
Operating System:     Windows
Impact:               Administrator Compromise
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-3466

Original Bulletin:  
  http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS08-059 - Critical

Vulnerability in Host Integration Server RPC Service Could Allow Remote Code
Execution (956695)

   Published: October 14, 2008

   Version: 1.0

General Information

Executive Summary

   This security update resolves a privately reported vulnerability in
   Microsoft Host Integration Server. The vulnerability could allow
   remote code execution if an attacker sent a specially crafted Remote
   Procedure Call (RPC) request to an affected system. Customers who
   follow best practices and configure the SNA RPC service account to
   have fewer user rights on the system could be less impacted than
   customers who configure the SNA RPC service account to have
   administrative user rights.

   This security update is rated Critical for all supported editions of
   Microsoft Host Integration Server 2000, Microsoft Host Integration
   Server 2004, and Microsoft Host Integration Server 2006. For more
   information, see the subsection, Affected and Non-Affected Software,
   in this section.

   The security update addresses the vulnerability by validating RPC
   requests. 

   Recommendation. Microsoft recommends that customers apply the update
   immediately.

Affected Software

   Microsoft Host Integration Server 2000 Service Pack 2 (Server)

   Microsoft Host Integration Server 2000 Administrator Client

   Microsoft Host Integration Server 2004 (Server)

   Microsoft Host Integration Server 2004 Service Pack 1 (Server)

   Microsoft Host Integration Server 2004 (Client)

   Microsoft Host Integration Server 2004 Service Pack 1 (Client)

   Microsoft Host Integration Server 2006 for 32-bit systems

   Microsoft Host Integration Server 2006 for x64-based systems

Vulnerability Information

HIS Command Execution Vulnerability - CVE-2008-3466

   A remote code execution vulnerability exists in the SNA Remote
   Procedure Call (RPC) service for Host Integration Server. An attacker
   could exploit the vulnerability by constructing a specially crafted
   RPC request. The vulnerability could allow remote code execution. An
   attacker who successfully exploited this vulnerability could take
   complete control of an affected system.

Workarounds for HIS Command Execution Vulnerability - CVE-2008-3466

   For Host Integration Server 2004 and Host Integration Server 2006, do
   not configure the HIS/SNA service to run with an Administrator
   Account.

   For Host Integration Server 2000, Host Integration Server 2004 and
   Host Integration Server 2006, disable the SNA RPC Service.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSPVJCyh9+71yA2DNAQLD/QQAh9YXwdlgaqPrHWzJ9Dxtk4YwXDjtdpvX
sG6ld+FA/LAt+HDTJk5vDItfAdkLYU6wUYSkXt0Iw8GIwlHpUyA2d+5M69jq5A6q
TqewvYEr5O6sb9Z6ZB3SJNjxjad6ixjou7SIA4eRq+n06cofulOXTBLKqUHNsHIT
n3w8PsM6rJM=
=t0tj
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=21&it=9968