CVE-2011-0638 - Vulnerability Details - OpenCVE

Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Windows

Configuration 1 [-]

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://news.cnet.com/8301-27080_3-20028919-245.html
http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou
http://www.cs.gmu.edu/~astavrou/publications.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12566

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2011-01-25T00:00:00

Updated: 2024-08-06T21:58:26.002Z

Reserved: 2011-01-24T00:00:00

Link: CVE-2011-0638

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2011-01-25T01:00:03.143

Modified: 2025-04-11T00:51:21.963

Link: CVE-2011-0638

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-01-19T00:00:00", "descriptions": [{"lang": "en", "value": "Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"name": "oval:org.mitre.oval:def:12566", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12566"}, {"tags": ["x_refsource_MISC"], "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"tags": ["x_refsource_MISC"], "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-0638", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://news.cnet.com/8301-27080_3-20028919-245.html", "refsource": "MISC", "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"name": "oval:org.mitre.oval:def:12566", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12566"}, {"name": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou", "refsource": "MISC", "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"name": "http://www.cs.gmu.edu/~astavrou/publications.html", "refsource": "MISC", "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T21:58:26.002Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"name": "oval:org.mitre.oval:def:12566", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12566"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-0638", "datePublished": "2011-01-25T00:00:00", "dateReserved": "2011-01-24T00:00:00", "dateUpdated": "2024-08-06T21:58:26.002Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer."}, {"lang": "es", "value": "Microsoft Windows no avisa adecuadamente al usuario antes de activar la funcionalidad adicional Human Interface Device (HID) sobre USB, lo que permite a atacantes remotos asistidos por un usuario ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de datos USB manipulados como fue demostrado al enviar malware a un smartphone mediante teclado y rat\u00f3n que el usuario conect\u00f3 al ordenador."}], "id": "CVE-2011-0638", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2011-01-25T01:00:03.143", "references": [{"source": "cve@mitre.org", "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"source": "cve@mitre.org", "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"source": "cve@mitre.org", "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12566"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12566"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-16"}], "source": "nvd@nist.gov", "type": "Primary"}]}