The winners of the annual Pwnie Awards 2020 were announced, which is a prominent event, in which participants reveal the most significant vulnerabilities and absurd flaws in the field of computer security.
The Pwnie Awards they recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations gathered from the information security community.
Awards are presented annually at the Black Hat Security Conference. The Pwnie Awards are regarded as a counterpart to the Oscars and Golden Raspberry Awards in computer security.
Top winners
Best server error
Awarded for identifying and exploiting the most technically complex bug and interesting in a network service. The victory was awarded by the identification of the vulnerability CVE-2020-10188, which allows remote attacks to devices embedded with firmware based on Fedora 31 through a buffer overflow in telnetd.
Best bug in client software
The winners were the researchers who identified a vulnerability in Samsung's Android firmware, which allows access to the device by sending MMS without user input.
Better escalation vulnerability
The victory was awarded for identifying a vulnerability in the bootrom of Apple iPhones, iPads, Apple Watches and Apple TV Based on A5, A6, A7, A8, A9, A10 and A11 chips, allowing you to avoid firmware jailbreak and organize the load of other operating systems.
Best crypto attack
Awarded for identifying the most significant vulnerabilities in real systems, protocols, and encryption algorithms. The award was given for identifying the Zerologon vulnerability (CVE-2020-1472) in the MS-NRPC protocol and the AES-CFB8 crypto algorithm, which allows an attacker to gain administrator rights on a Windows or Samba domain controller.
Most innovative research
The award is given to researchers who have shown that RowHammer attacks can be used against modern DDR4 memory chips to alter the content of individual bits of dynamic random access memory (DRAM).
The weakest response from the manufacturer (Lamest Vendor Response)
Nominated for Most Inappropriate Response to a Vulnerability Report in Your Own Product. The winner is the mythical Daniel J. Bernstein, who 15 years ago did not consider it serious and did not solve the vulnerability (CVE-2005-1513) in qmail, since its exploitation required a 64-bit system with more than 4GB of virtual memory .
For 15 years, 64-bit systems on servers supplanted 32-bit systems, the amount of memory supplied increased dramatically, and as a result, a functional exploit was created that could be used to attack systems with qmail in default settings.
Most underestimated vulnerability
The award was given for vulnerabilities (CVE-2019-0151, CVE-2019-0152) on the Intel VTd / IOMMU mechanism, allowing bypassing memory protection and executing code at the System Management Mode (SMM) and Trusted Execution Technology (TXT) levels, for example, for rootkit replacement in SMM. The severity of the problem turned out to be significantly greater than anticipated, and the vulnerability was not as easy to fix.
Most Epic FAIL errors
The award was given to Microsoft for vulnerability (CVE-2020-0601) in the implementation of elliptic curve digital signatures that allows the generation of private keys based on public keys. The issue allowed the creation of spoofed TLS certificates for HTTPS and fake digital signatures that Windows verified as trustworthy.
Greatest achievement
The award was given for identifying a series of vulnerabilities (CVE-2019-5870, CVE-2019-5877, CVE-2019-10567) that allow bypassing all levels of Chromé browser protection and executing code on the system outside of the sandbox . The vulnerabilities were used to demonstrate a remote attack on Android devices to gain root access.
Finally, if you want to know more about the nominees, you can check the details In the following link.