An sanar da wadanda suka yi nasara na Pwnie Awards 2021 na shekara-shekara, yana nuna mafi girman raunin rauni da gazawar rashin fahimta a cikin tsaron kwamfuta. Pwnie Awards ana ɗaukarsa daidai da Oscars da Golden Raspberries a fagen tsaro na kwamfuta.
Manyan masu nasara (jerin masu takara):
- Mafi rauni yana haifar da haɓaka gata. An ba da nasarar ga Qualys don gano raunin CVE-2021-3156 a cikin sudo mai amfani, wanda ke ba ku damar samun tushen gata. Rashin lahani ya kasance a cikin lambar don kusan shekaru 10 kuma abin lura ne a cikin wannan gano shi yana buƙatar cikakken bincike na dabaru na amfanin.
- Mafi kyawun kwaro na uwar garken. An ba da lambar yabo don ganowa da cin gajiyar mafi hadaddun fasaha da kwaro mai ban sha'awa a cikin sabis na cibiyar sadarwa. An bayar da wannan nasarar ne saboda gano wani sabon harin da aka kai a kan Microsoft Exchange. Ba a buga bayanai game da duk rashin lahani na wannan aji ba, amma an riga an bayyana bayanai game da raunin CVE-2021-26855 (ProxyLogon), wanda ke ba ku damar cire bayanan mai amfani ba tare da tantancewa ba, da CVE-2021-27065 , wanda ke ba da damar aiwatar da lambar ku akan sabar tare da haƙƙin gudanarwa.
- Mafi kyawun harin cryptographic. An ba da lambar yabo don gano mafi mahimmancin gibi a cikin tsari na ainihi, ladabi da algorithms na ɓoyewa. An ba da lambar yabo ga Microsoft don rashin lahani (CVE-2020-0601) a cikin aiwatar da sa hannu na dijital bisa ga lanƙwasa elliptical, wanda ke ba da damar samar da maɓallai masu zaman kansu bisa maɓallan jama'a. Batun ya ba da izinin ƙirƙirar takaddun shaida na TLS na HTTPS na karya da sa hannun dijital na ƙirƙira waɗanda Windows ta tabbatar da aminci.
- Mafi kyawun bincike har abada. An ba da kyautar ga masu binciken waɗanda suka ba da shawarar hanyar BlindSide don ketare kariyar bazuwar adireshi (ASLR) ta amfani da leaks na tashoshi na gefe sakamakon aiwatar da aiwatar da umarni.
- Babban gazawa (Mafi yawan Epic FAIL). An ba da lambar yabo ga Microsoft don sake sakin gyarar da aka yi akai-akai don raunin PrintNightmare (CVE-2021-34527) a cikin tsarin bugu na Windows wanda ya ba da izinin aiwatar da lambar. Da farko Microsoft ya bayyana matsalar a matsayin na gida, amma sai ya zamana cewa za a iya kai harin daga nesa. Sannan Microsoft ya buga sabuntawa sau hudu, amma duk lokacin da gyara kawai ya rufe wani lamari na musamman kuma masu binciken sun sami sabuwar hanyar kai harin.
- Mafi kyawun kwaro a cikin software na abokin ciniki. Wanda ya ci nasara shine mai binciken wanda ya gano raunin CVE-2020-28341 a cikin amintattun masu aiwatar da cryptoprocessors na Samsung, wanda ya karɓi takardar shaidar tsaro ta CC EAL 5+. Lalacewar ya sa ya yiwu a ketare tsaro gaba ɗaya da samun damar yin amfani da lambar da ke gudana akan guntu da bayanan da aka adana a cikin ɓoye, ketare kullewar allo, da kuma yin canje-canje ga firmware don ƙirƙirar ƙofar baya ta ɓoye.
- Mafi raunin rauni. An ba da lambar yabo ga Qualys don gano jerin raunin ƙusoshi 21 a cikin sabar saƙon Exim, 10 daga cikinsu ana iya amfani da su daga nesa. Masu haɓakawa na Exim sun nuna shakku kan cewa za a iya amfani da matsalolin kuma sun shafe sama da watanni 6 suna haɓaka gyare-gyare.
- Martanin Dillali na Lamest. Zaɓe don mafi ƙarancin isassun amsa ga saƙo game da rauni a cikin samfuran ku. Wanda ya ci nasara shine Cellebrite, kamfani wanda ke ƙirƙirar aikace-aikacen bincike na bincike da kuma fitar da bayanai daga hukumomin tilasta bin doka. Cellebrite bai amsa daidai ba ga rahoton raunin da Moxie Marlinspike, marubucin siginar yarjejeniya ta aiko. Moxey ya fara sha’awar Cellebrite ne bayan da aka buga a kafafen yada labarai na wani rubutu game da samar da wata fasahar da ke ba da damar kutse sakonnin siginar da aka boye, wanda daga baya ya zama na bogi saboda kuskuren fassara bayanan da aka yi a wani labarin a gidan yanar gizon Cellebrite, wanda ya kasance. sannan a cire ("harrin" yana buƙatar samun damar shiga wayar ta zahiri da ikon cire allon kulle, watau an rage shi zuwa duba saƙonni a cikin manzo, amma ba da hannu ba, amma ta amfani da aikace-aikacen musamman wanda ke kwatanta ayyukan mai amfani).
Moxey yayi nazarin aikace-aikacen Cellebrite kuma ya sami munanan lahani a wurin wanda ya ba da damar aiwatar da lambar sabani lokacin ƙoƙarin bincika bayanan ƙira na musamman. An kuma gano aikace-aikacen Cellebrite yana amfani da tsohon ɗakin karatu na ffmpeg wanda ba a sabunta shi ba tsawon shekaru 9 kuma yana ɗauke da adadi mai yawa na rashin lahani. Maimakon yarda da matsalolin da gyara matsalolin, Cellebrite ya ba da sanarwa cewa ya damu da amincin bayanan mai amfani, yana kula da amincin samfuransa a matakin da ya dace, yana fitar da sabuntawa akai-akai kuma yana ba da mafi kyawun aikace-aikacen irinsa.
- Babban nasara. An ba da lambar yabo ga Ilfak Gilfanov, marubucin IDA disassembler da Hex-Rays decompiler, don gudunmawar da ya bayar ga ci gaba da kayan aiki don masu bincike na tsaro da kuma ikonsa na kula da samfurin zamani na shekaru 30.
source: budenet.ru