Animesh JainQUALYSBLOG:8A2B26102098E31C5F8E392A55929F58Qualys Research Nominated for Pwnie Awards 2021
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
The Qualys Research team has been nominated for five Pwnie Awards this year in three different categories. In addition to nominations for Best Privilege Escalation Bug (2 nominations) and Best Server-Side Bug (2 nominations), the team is also nominated for Most Under-Hyped Research.
Qualys is honored for the second time in a row after being nominated for five Pwnie Awards in 2020.
The Pwnie Awards are an annual recognition celebrating the achievements of security researchers and the security community. Nominations are taken from the security community at large, and a panel of respected security researchers are reviewing the Active Nominations and will announce winners in each category at Black Hat USA 2021 on August 4, 2021 at 5:30pm PT.
The Qualys Research team is nominated in these categories:
Best Privilege Escalation Bug
Heap-based buffer overflow in Sudo!
A heap-based buffer overflow vulnerability was discovered in Sudo and is exploitable by any local user (normal users and system users, sudoers and non-sudoers), without authentication (i.e., the attacker does not need to know the user's password). Read more
Sequoia: A deep root in Linux’s filesystem layer
The Qualys Research Team discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration. Read more
Best Server-Side Bug
21Nails (too many to list)
Multiple critical vulnerabilities were discovered in the Exim mail server, some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Read more
15 years later: Remote Code Execution in qmail (CVE-2005-1513)
In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. We recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation. Read more
Most Under-Hyped Research
21 Nails
Multiple critical vulnerabilities were discovered in the Exim mail server, some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Read more
Join Our Research Team
The Qualys Research team engages in innovative vulnerability research and has multiple open positions within our vulnerability research team. If you are a security researcher looking for new opportunities, we invite you to apply for our open research and engineering positions worldwide.
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C