Pwnie Awards 2021: Most Significant Security Vulnerabilities and Failures

The winners of the annual Pwnie Awards 2021 have been determined, highlighting the most significant vulnerabilities and absurd failures in the field of computer security. The Pwnie Awards are considered the equivalent of the Oscars and the Golden Raspberry in computer security.

Main winners (list of contenders):

  • Best privilege escalation vulnerability. The award went to Qualys for identifying CVE-2021-3156 in the sudo utility, which allows obtaining root privileges. The vulnerability had been present in the code for about 10 years and is notable because a thorough analysis of the utility's logic was required to find it.
  • Best server bug. Awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The award went to the discovery of a new attack vector against Microsoft Exchange. Not all vulnerabilities of this class have been published yet, but details have already been disclosed for CVE-2021-26855 (ProxyLogon), which allows extracting an arbitrary user's data without authentication, and CVE-2021-27065, which allows executing arbitrary code on the server with administrator rights.
  • Best cryptographic attack. Awarded for identifying the most significant flaws in real systems, protocols, and encryption algorithms. The award was given to Microsoft for a vulnerability (CVE-2020-0601) in the implementation of elliptic curve digital signatures that made it possible to derive private keys from public keys. The problem allowed the creation of forged TLS certificates for HTTPS and fake digital signatures that Windows verified as trustworthy.
  • Most innovative research. The award was given to the researchers who proposed the BlindSide method for bypassing address space layout randomization (ASLR) by using side-channel leaks caused by the processor's speculative execution of instructions.
  • The biggest failure (Most Epic FAIL). The award was given to Microsoft for the repeatedly broken fix for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows print spooler, which allows arbitrary code execution. At first Microsoft classified the problem as local, but it then turned out that the attack could be carried out remotely. Microsoft went on to publish updates four times, but each time the fix closed only a special case, and researchers found a new way to carry out the attack.
  • Best bug in client software. The winner was the researcher who identified CVE-2020-28341 in Samsung secure crypto processors that had received CC EAL 5+ security certification. The vulnerability made it possible to completely bypass the protection and gain access to the code executed on the chip and the data stored in the enclave, to bypass the screen lock, and also to modify the firmware to plant a hidden backdoor.
  • The most underestimated vulnerability. The award was given to Qualys for identifying the 21Nails series of vulnerabilities in the Exim mail server, 10 of which could be exploited remotely. The Exim developers were skeptical that the problems were exploitable and spent more than 6 months developing fixes.
  • The most inappropriate vendor reaction (Lamest Vendor Response). Nomination for the most inappropriate response to a vulnerability report in one's own product. The winner was Cellebrite, a company that builds forensic analysis and data extraction applications for law enforcement. Cellebrite responded inappropriately to a vulnerability report published by Moxie Marlinspike, author of the Signal protocol. Moxie became interested in Cellebrite after a media article about a technology that supposedly allowed breaking encrypted Signal messages, which later turned out to be false, based on a misreading of an article on the Cellebrite website that was subsequently removed ("the attack" required physical access to the phone and the ability to unlock the screen, i.e. it amounted to reading messages in the messenger app, not manually but with a special application that simulates user actions).

    Moxie studied the Cellebrite applications and found critical vulnerabilities in them that allowed arbitrary code to be executed when the software tried to scan specially crafted data. The Cellebrite application was also found to be using an outdated ffmpeg library that had not been updated for 9 years and contains a large number of unpatched vulnerabilities. Instead of acknowledging and fixing the problems, Cellebrite issued a statement that it cares about the integrity of user data, maintains the security of its products at the proper level, releases regular updates, and delivers the best applications of their kind.

  • The biggest achievement. The award was given to Ilfak Guilfanov, author of the IDA disassembler and the Hex-Rays decompiler, for his contribution to the development of tools for security researchers and for keeping the product up to date for 30 years.

Source: opennet.ru