CVE-2008-3466

critical

Description

Microsoft Host Integration Server (HIS) 2000, 2004, and 2006 does not limit RPC access to administrative functions, which allows remote attackers to bypass authentication and execute arbitrary programs via a crafted SNA RPC message using opcode 1 or 6 to call the CreateProcess function, aka "HIS Command Execution Vulnerability."

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6075

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-059

http://www.vupen.com/english/advisories/2008/2810

http://www.us-cert.gov/cas/techalerts/TA08-288A.html

http://www.securitytracker.com/id?1021043

http://secunia.com/advisories/32233

http://marc.info/?l=bugtraq&m=122479227205998&w=2

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745

Details

Source: Mitre, NVD

Published: 2008-10-15

Updated: 2018-10-12

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical