Pwnie Awards 2023: Most Significant Security Vulnerabilities and Failures

Carding

The Black Hat USA 2023 conference announced the winners of the annual Pwnie Awards 2023, highlighting the most significant vulnerabilities and absurd failures in computer security. The Pwnie Awards are considered the equivalent of the Oscars and the Golden Raspberry in computer security.

Main winners:

• Best privilege escalation vulnerability. The victory was awarded to the USB Excalibur vulnerability (CVE-2022-31705) in the USB controller implementation used in the VMware ESXi, Workstation and Fusion virtualization products. The vulnerability allows a guest system to access the host environment and execute code with the rights of the VMX process. The nominees included a series of vulnerabilities in the Linux kernel associated with the use of the insecure container_of() macro.

• Best remote code execution vulnerability. The victory was awarded to a vulnerability (CVE-2023-20032) in the free anti-virus package ClamAV that allows code execution when scanning files containing specially crafted disk images in HFS+ format (for example, when scanning files extracted from emails on a mail server). The nominees included vulnerabilities in the Checkmk monitoring system and the Windows load balancer (CVE-2023-28240).

• The best cryptographic attack. Awarded for identifying the most significant flaws in real systems, protocols, and encryption algorithms. The victory went to a side-channel attack method that allows remote recovery of encryption keys based on the ECDSA and SIKE algorithms by analyzing video from a camera that records the LED indicator of a smart card reader, or of a device connected to the same USB hub as a smartphone that performs operations with the key. The nominees also included encryption issues that compromise end-to-end encryption in many Matrix clients.

• Most innovative research. The victory was awarded to a study that showed the possibility of using the Apple Lightning connector to access the iPhone's JTAG debugging interface and gain full control over the device. The nominees also included the Downfall attack on Intel CPUs and an analysis of the use of the Rowhammer attack method on DRAM memory to create unique identifiers.

• The most underrated study. The winning study by a Trend Micro employee identified a new class of vulnerabilities in Windows CSRSS that allow privilege escalation through activation context cache poisoning. Among the nominees are vulnerabilities affecting almost all Mobile-as-a-Gateway (MaaG) IoT devices, as well as vulnerabilities in the RenderDoc debugger caused by an integer overflow and an error in handling symbolic links.

• The biggest failure (Most Epic FAIL). The award was received by the US Transportation Security Administration, which forgot to restrict access to a publicly available Elasticsearch repository that contained, among other things, a list of people who were not allowed on airplanes (No Fly List).

• Best bug in client software. The winner was the CVE-2022-22036 vulnerability in the Performance Counters mechanism, which allows privilege escalation on the Windows platform.

• Lamest Vendor Response. Nomination for the most inappropriate response to a vulnerability report in one's own product. The victory was awarded to Threema, which capriciously reacted to the security analysis of the company's "secure" messenger protocol and did not consider the identified critical problems serious.

• The biggest achievement. The award went to Clement Lecigne of the Google Threat Analysis Group for his work identifying 33 0-day vulnerabilities used to attack Chrome, iOS and Android.