CVE-2011-0640 - OpenCVE

The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Udev Project	Udev

Configuration 1 [-]

cpe:2.3:a:udev_project:udev:-:*:*:*:*:*:*:*

References

Link	Resource
http://news.cnet.com/8301-27080_3-20028919-245.html	Broken Link
http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou	Not Applicable
http://www.cs.gmu.edu/~astavrou/publications.html	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:15:20

Updated: 2022-10-03T16:15:20

Reserved: 2022-10-03T00:00:00

Link: CVE-2011-0640

JSON object: View

NVD Information

Status : Analyzed

Published: 2011-01-25T01:00:03.253

Modified: 2022-06-03T15:06:14.783

Link: CVE-2011-0640

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T16:15:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"tags": ["x_refsource_MISC"], "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-0640", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://news.cnet.com/8301-27080_3-20028919-245.html", "refsource": "MISC", "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"name": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou", "refsource": "MISC", "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"name": "http://www.cs.gmu.edu/~astavrou/publications.html", "refsource": "MISC", "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-0640", "datePublished": "2022-10-03T16:15:20", "dateReserved": "2022-10-03T00:00:00", "dateUpdated": "2022-10-03T16:15:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:udev_project:udev:-:*:*:*:*:*:*:*", "matchCriteriaId": "A409AD3E-4241-489A-8606-68C2EE5DB3B9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer."}, {"lang": "es", "value": "La configuraci\u00f3n por defecto de udev en Linux no avisa al usuario antes de activar la funcionalidad Human Interface Device (HID) sobre USB, lo que permite a atacantes remotos asistidos por el usuario ejecutar programas de su elecci\u00f3n a trav\u00e9s de datos USB manipulados, como se demostr\u00f3 con datos enviados por teclado y rat\u00f3n por malware sobre un smartphone que el usuario conectaba con el ordenador."}], "id": "CVE-2011-0640", "lastModified": "2022-06-03T15:06:14.783", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2011-01-25T01:00:03.253", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://news.cnet.com/8301-27080_3-20028919-245.html"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.cs.gmu.edu/~astavrou/publications.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}