Presenting the 2021 PWNIE Award Winners
The list of 2021 PWNIE Award winners includes security researchers behind some of the biggest vulnerability discoveries over the past year.
August 10, 2021
![Logo of Pwnie Awards with black My Little Pony](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc8c38439ce75ed3d/64f1509009cfa4458e12c1a9/1PwnieAwards2021.jpg?width=700&auto=webp&quality=80&disable=upscale)
Pwnies.com
The annual PWNIE Awards at Black Hat recognize security researchers, vendors, and others — including media outlets — that had some kind of impact on the cybersecurity industry over the previous 12 months.
Past awards have served as a tribute from the community to those who made a meaningful contribution to improving the industry, but have also been used to rebuke those who had the opposite effect because of their security failures. The 2021 PWNIEs call out organizations that could have done more to address security issues, and also include researchers whose bug discoveries and exploits made the news during the year or whose work opened fresh insights into vulnerability research and attack techniques. For the second year running, the awards recognized research that did not receive as much attention as it should have.
The following lists PWNIE Award winners for 2021 across nine categories. The tenth category, for Best Song, is not included on this list, but here’s The Ransomware Song for those who want to listen along as they peruse the winners.
Winner: Ilfak Guilfanov
Ilfak Guilfanov, author of the IDA binary code analysis tool and founder and CEO of Hex-Rays, got the nod from the judges in this category — reserved for researchers, attackers, defenders, journalists, and pretty much anybody who's made a big impact on the industry.
"Ilfak’s impact in vulnerability research should be obvious," the PWNIE award citation said. "IDA and Hex-Rays have had an epic impact on the security landscape and the thirty-year history of driving the field forward is unprecedented."
Nominees in this category included four researchers from VU Amsterdam’s VUSec group for discovering a new form of speculative execution attack on Intel processors called Floating Point Value Injection. Jiashui Wang, founder and the head of Ant Group Light-Year Security Lab, was also recognized for leading breakthrough research in various fields, including browser security, system security, and software supply chain security.
Winner: Heap-based buffer overflow in Sudo
Researchers from Qualys snagged the award in this category for discovering a critical 10-year-old vulnerability (CVE-2021-3156) in sudo, a utility present in nearly all Linux and Unix-based operating systems. The buffer overflow vulnerability basically gave unauthenticated attackers a way to gain root-level privileges on a vulnerable host. It impacted versions of the utility going back to at least 2011.
"This bug is unique as it couldn’t be fuzzed out and required knowledge of how the system interacts with sudo, making it a very clever find," the PWNIE award description said.
There were a total of 10 nominations in this category. Other nominees for best privilege-escalation bug included a Windows Print Spooler bug (CVE-2020-1048), the Mangkhut exploit chain (CVE-2020-0423), and Sequoia (CVE-2021-33909), a critical Linux vulnerability.
Winner: ProxyLogon (CVE-2021-26855) and other vulnerabilities in Microsoft Exchange Server
The award in this category, somewhat unsurprisingly, went to Orange Tsai and the research team at Devcore for their discovery early this year of ProxyLogon (CVE-2021-26855) and six other critical vulnerabilities in Microsoft Exchange Server. The vulnerabilities sparked widespread concern because of the sheer number and criticality of the systems they impacted and for the fact they were widely exploited by a China-based advanced persistent threat actor before patches became available for them.
"Microsoft Exchange Server was in vogue this spring, sporting not only critical vulnerabilities, such as ProxyLogon, but also a whole new attack surface," the PWNIE award citation said.
The new attack surface results from a fundamental change in architecture with Exchange Server 2013. "In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts."
Other vulnerabilities nominated in this category were the PrintNightmare flaw (CVE-2021-34527) in the Windows Print Spooler Server, a remote use-after-free bug in Windows kernel HTTP server (CVE-2021-31166), and a remote code execution vulnerability in Qmail (CVE-2005-1513).
Winner: NSA/(CVE-2020-0601)
This award is reserved for the most impactful cryptographic attack against a real-world system. One of the key requirements for inclusion in this category is that while the attack might be complex to understand, its impact must be obvious and pulling it off should not require a data center’s worth of systems.
Checking off all these boxes was the US National Security Agency (NSA) for its discovery of a certificate validation vulnerability in Windows' cryptographic functionality. The vulnerability gives attackers a way to bypass "trusted network connections and deliver executable code while appearing as legitimately trusted entities," the NSA said.
"This is the first time a crypto bug had real world impact, and NSA disclosed it through the vulnerability equities process (VEP)," the PWNIE citation noted.
The two other nominations in this category were Minerva — a group of side-channel vulnerabilities in certain implementations of the ECDSA algorithm — and CVE-2020-27020 in Kaspersky Password Manager.
Winner: Speculative Probing: Hacking Blind in the Spectre Era
The award for the most interesting and innovative research went to a team of five researchers from VUSec for their work on what is known as a blind return-oriented programming (BROP) attack. Their research showed that such speculative probing attacks — contrary to previous perception — are feasible against easily crashable but high-value targets such as the Linux kernel.
"The BlindSide attack shows that an attacker armed with a single memory corruption vulnerability in the Spectre era can ‘hack blind’ without triggering even a single crash," the PWNIE citation for the award noted.
Other nominations for this category included research into the root causes for speculative execution attacks and research showing that Spectre mitigations for the Linux kernel are not as effective as originally perceived.
Winner: PrintNightmare (CVE-2021-34527)
Microsoft won the award in this category for its struggles addressing the so-called PrintNightmare vulnerability (CVE-2021-34527) in the Windows Spooler Service earlier this year. The bug, one of many researchers have discovered in the Spooler Service over the years, allowed authenticated attackers to execute arbitrary code and other malicious actions on vulnerable systems. The flaw attracted wide attention because it impacted almost all Windows systems, including Active Directory servers and critical domain controllers. Microsoft itself has described PrintNightmare as a separate and distinct flaw from another one in Windows Spooler service that it patched in May. But some security researchers have noted the company initially just treated and patched the flaw as a local privilege-escalation issue and then had to rush out another patch when it turned out the flaw was remotely executable.
"Microsoft tried to fix it but failed. Then tried again to fix it but failed. They’re hopefully still trying," the PWNIE citation said.
The epic-fail category had a total of seven nominations. Others that made the list of shame included Netgear, Crest/NCC Group, Samsung, and Voatz.
Winner: Exploiting Samsung Secure Chip (CVE-2020-28341)
Security researcher Gunnar Alendal, a Ph.D. candidate at the Norwegian University of Science and Technology, won the award in this category for showing how attackers could completely compromise all the security protections offered by supposedly unbreakable hardware security modules present on modern mobile devices. At Black Hat USA 2021, Alendal presented a remote attack on a secure chip that Samsung introduced on its Galaxy S20 and Note 20 devices.
"Samsung Galaxy S20 got a secure chip hacked by a single dude, completely killing the chip security and exposing all its code and secrets," the PWNIE award citation read. "The exploit can write persistent changes to the firmware and completely ruin the future trust in this CC EAL 5+ certified chip."
A total of five other bugs were nominated in this category. Among them were CVE-2020-8695, a bug that gives attackers a way to access secrets from SGX enclaves on modern CPUs, and CVE-2021-1748, a sandbox-escape bug.
Winner: 21 Nails
While some bugs receive a high level of attention — think PrintNightmare and ProxyLogon — other serious vulnerabilities receive considerably less attention because they cannot be easily fixed or found, among other reasons. A set of 21 vulnerabilities in the Exim mail transfer agent in major Unix-like operating systems earned researchers from Qualys a win in this category. The Qualys researchers discovered the 21 vulnerabilities during a code audit of Exim last year. They found 10 of the flaws to be remotely exploitable — with some enabling root-level access — while 11 were locally exploitable. Some 4 million Exim servers are exposed to the Internet, Qualys had noted at the time it announced the flaws in May. Some of these bugs had been considered unexploitable, but the researchers made them exploitable. Most of the bugs discovered have existed since the beginning of the Exim project.
A supply chain attack on Composer, a tool in the PHP ecosystem, and research showing Windows 7 to be vulnerable to a type of threat known as full-blind TCP/IP hijacking attack were two other nominations in this category.
Winner: Cellebrite
Cellebrite, the vendor of an app used widely by authoritarian governments around the world to physically extract data from mobile devices, topped four other nominees — including Apple and Peloton — to win the award in this category. The company's dubious claim to fame stemmed from its response — or lack thereof — to the discovery of multiple serious vulnerabilities in its software by Matthew Rosenfeld, aka Moxie Marlinspike, the creator of the Signal app. Among the multiple avenues for exploitation he discovered was one that made it possible for an attacker to completely modify the reports that Cellebrite's software generated when it is used to scan a mobile device.
"We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future," Rosenfeld said.