Microsoft Host Integration Server 2006 is an interesting product.  It allows developers to manage business processes on IBM mainframe and AS/400 (big iron) servers as XML web services.  You can find a free trial version available for download at http://www.microsoft.com/hiserver/downloads/default.mspx.

Unfortunately, access to the management interface was not properly locked-down.  MS08-059 is an update for Microsoft Host Integration Server 2006 which secures the SNA RPC service interface.  It is possible for an attacker to run code remotely and take control of a Microsoft Host Integration Server 2006 if this update is not installed.  The update adds better RPC user verification as well as locking down some of the unneeded remote management functionality exposed by this interface.

If you use Microsoft’s Host Integration Server 2006 in your environment, it’s important that you secure the servers running HIS as soon as possible.  Our first recommendation, of course, is to apply the security update as soon as possible.  If you cannot apply the update right away (it does require a reboot), there are a couple things you can do to limit your exposure to any potential attacks abusing this vulnerability.

One temporary workaround is to use the Service Control Manager to disable the SNA RPC service, and prevent it from starting automatically.  This will prevent the vulnerable service from running, but will also prevent remote management.  Firewalling the RPC port is not a valid workaround, since the port used for communicating is dynamically assigned when the service starts.

One thing you could do to limit risk is to run the service as a lower-privileged user.  Any successful attacks would then run at a reduced privilege, hopefully limiting the extent of the damage.  We already recommend this during installation by displaying a pop-up warning (see screenshot below).  We also mention this in documentation, but some people might have missed that so we’re emphasizing this option in this blog post.  Running under a non-administrator account reduces potential risks and will limit exposure of the vulnerable interface.

- SVRD Bloggers

*Postings are provided "AS IS" with no warranties, and confers no rights.*