iDefense have published an advisory for a critical remote command execution vulnerability (CVE-2008-3466 and MS08-059) in Microsoft's Host Integration Server which was discovered by Stephen Fewer of Harmony Security. The specific versions affected are as follows:
- Microsoft Host Integration Server 2006 Enterprise Edition (both x86 & x64 based systems)
- Microsoft Host Integration Server 2006 (both x86 & x64 based systems)
- Microsoft Host Integration Server 2004 Service Pack 1, when used with:
  - Microsoft Host Integration Server 2004 Enterprise Edition
  - Microsoft Host Integration Server 2004 Standard Edition
- Microsoft Host Integration Server 2000 SP2, when used with:
  - Microsoft Host Integration Server 2000 Standard Edition
You can read the full iDefense advisory here:
And the Microsoft advisory here:
Update: SecurityFocus has a news item mentioning this vulnerability which you can read here:
It contains a nice quote from Sheldon Malm of nCircle about the vulnerability and software in question. As quoted from the article:
"Host Integration Server is the de facto gateway linking Windows hosts to business critical mainframes and AS/400 systems, which in turn host databases and Customer Information Control System (CICS) applications that are believed to run in 90 percent of Fortune 500 corporations."
...let's hope they all patch!