Pwnie Awards 2023
During the Black Hat USA 2023 conference which was held a few days ago (from August 5 to August 10, at the Mandalay Bay Convention Center, in Las Vegas) the announcement of the list of winners of the annual awards Pwnie Awards 2023
For those who are unaware of the Pwnie Awards, you should know that it isand is a prominent event, in which the participants reveal the most significant vulnerabilities and absurd failures in the field of computer security.
The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community.
The awards are presented annually at the Black Hat Security Conference and they are considered as a counterpart to the Oscar and Golden Raspberry awards in computer security.
Pwnie Awards 2023 Winners List
Best desktop vulnerability
The winner was vulnerability CVE-2022-22036 in the Performance Counters mechanism, which allows you to elevate your privileges in Windows.
Better privilege escalation vulnerability.
The winner was vulnerability USB Excalibur (CVE-2022-31705) in the USB driver implementation used in VMware ESXi, Workstation, and Fusion virtualization products. The vulnerability allows access to the host environment from the guest system and execution of code with the rights of the VMX process.
The best remote execution vulnerability
The winner was vulnerability (CVE-2023-20032) in ClamAV free antivirus that allows code execution when scanning files with specially crafted disk images in HFS+ format (for example, when scanning files extracted from emails in an email). server).
The greatest achievement.
The award went to Clement Lecigne of Google's Threat Analysis Group for his work identifying 33 0 day vulnerabilities used to attack Chrome, iOS, and Android.
The best crypto attack.
The prize was awarded to the attack method that allows to remotely recover the values ​​of the encryption keys by performing the analysis of the LED indicator (of which we share a post here on the blog). Which allows to recover encryption keys based on ECDSA and SIKE algorithms through video analysis of a camera that captures the LED indicator of a smart card reader or a device connected to a USB hub with a smartphone that performs operations with the dongle.
Most Innovative Research.
The victory was won by a study that showed the possibility of using Apple's Lightning connector to access the iPhone's JTAG debugging interface and gain full control over the device.
In this category, it is worth mentioning that they were also nominated, the attack Downfall to Intel CPUs and Centauri, a method based on Rowhammer to generate unique fingerprints
Most Underrated Research
In this category, the winner was a study by a Trendmicro employee that identified a new class of vulnerabilities in Windows CSRSS that allow privilege escalation via activation context cache poisoning.
The biggest failure (Most Epic FAIL).
The award was received by TSA (Transportation Security Administration) USA, which failed to restrict access to Elasticsearch's publicly available repository, which, among other things, contained a No Fly List.
The most lick reaction
Nomination for the most inappropriate response to a vulnerability report in the product itself. The victory went to Threema, who reacted capriciously to the security analysis of the company's "secure" messaging protocol and did not consider critical issues identified as serious.
Finally, if you are interested in being able to know more about it, you can consult the details in the next document in which the details of each case are shared.
It is worth mentioning that on the official Pwnie Awards site, the information shared in the document has not yet been updated and it is only a matter of days for this same information to be displayed. on the website.