The winners of the Pwnie Awards 2021 have already been announced

The winners of the annual Pwnie Awards 2021 have been announced. At this prominent event, participants highlight the most significant vulnerabilities and the most absurd flaws in the field of computer security.

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations gathered from the information security community.

Winners list

Best privilege escalation vulnerability: this award went to the company Qualys for identifying the vulnerability CVE-2021-3156 in the sudo utility, which allows an attacker to gain root privileges. The vulnerability had been present in the code for about 10 years and is notable because detecting it required a thorough analysis of the utility's logic.

Best server bug: awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The award went to the discovery of a new vector of attacks against Microsoft Exchange. Information on all vulnerabilities in this class has not been released, but details have already been published about CVE-2021-26855 (ProxyLogon), which allows data of an arbitrary user to be retrieved without authentication, and CVE-2021-27065, which allows code to be run on a server with administrator rights.

Best crypto attack: awarded for identifying the most significant flaws in real systems, protocols and encryption algorithms. The prize went to Microsoft for the vulnerability (CVE-2020-0601) in its implementation of elliptic curve digital signatures that allows the generation of private keys based on public keys. The issue allowed the creation of forged TLS certificates for HTTPS and fake digital signatures, which Windows verified as trustworthy.

Most innovative research: awarded to the researchers who proposed the BlindSide method for bypassing address space layout randomization (ASLR) using side-channel leaks that result from the processor's speculative execution of instructions.

Most epic FAIL: awarded to Microsoft for repeatedly releasing a patch that did not work for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows print output system, which allows code execution. Microsoft initially flagged the issue as local, but it later turned out that the attack could be carried out remotely. Microsoft then released updates four times, but each time the fix covered only one special case, and the researchers found a new way to carry out the attack.

Best bug in client software: awarded to a researcher who discovered the CVE-2020-28341 vulnerability in Samsung's secure cryptographic chip, which had received a CC EAL 5+ security certificate. The vulnerability made it possible to completely bypass the protection and gain access to the code running on the chip and the data stored in the enclave, bypass the screen saver lock, and make changes to the firmware to create a hidden back door.

Most underestimated vulnerability: awarded to Qualys for identifying the set of 21Nails vulnerabilities in the Exim mail server, 10 of which can be exploited remotely. The Exim developers were skeptical that the issues could be exploited and spent more than 6 months developing fixes.

Lamest vendor response: a nomination for the most inappropriate response to a vulnerability report in a vendor's own product. The winner was Cellebrite, which makes forensic and data mining applications for law enforcement. Cellebrite did not respond adequately to the vulnerability report published by Moxie Marlinspike, the author of the Signal protocol. Moxie became interested in Cellebrite after a media story was published about the creation of a technology to break encrypted Signal messages. The story later turned out to be false, the result of a misinterpretation of an article on the Cellebrite website that was later removed (the "attack" required physical access to the phone and the ability to unlock the screen; that is, it was reduced to viewing messages in the messenger, not manually but with a special application that simulates user actions).

Moxie examined Cellebrite's applications and found critical vulnerabilities that allowed arbitrary code to be executed when the software attempted to scan specially crafted data. The Cellebrite app was also found to use an outdated ffmpeg library that had not been updated for 9 years and contains a large number of unpatched vulnerabilities. Rather than acknowledge the issues and fix them, Cellebrite issued a statement saying that it cares about the integrity of user data and keeps the security of its products at the proper level.

Finally, Greatest Achievement: awarded to Ilfak Guilfanov, author of the IDA disassembler and the Hex-Rays decompiler, for his contribution to the development of tools for security researchers and his ability to keep the product up to date for 30 years.

Source: https://pwnies.com

