CVE-2011-2005
Published: 12 October 2011
Summary
CVE-2011-2005 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Microsoft Windows XP. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability CVE-2011-2005 resides in afd.sys, the Ancillary Function Driver component of Microsoft Windows XP SP2 and SP3 as well as Windows Server 2003 SP2. It arises from insufficient validation of user-mode input passed to kernel mode, enabling an elevation of privilege condition rated at CVSS 7.8.
Local users can exploit the flaw by executing a specially crafted application, resulting in the ability to obtain higher privileges on the target system.
Microsoft security bulletin MS11-080 supplies patches and mitigation steps for the affected platforms, while associated OVAL definitions support detection. The issue appears in the CISA Known Exploited Vulnerabilities Catalog, confirming observed real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2011-1999
Vulnerability details
afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
- CWE(s): unspecified
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of user-mode inputs before they reach kernel-mode components such as afd.sys, eliminating the root cause of the EoP flaw.
- AC-6 (Least Privilege): Enforces least privilege so that even a successful bypass of afd.sys input validation yields only minimal additional rights on the system.
- Patch management: Mandates timely application of vendor patches (MS11-080) that correct the missing validation logic inside afd.sys.