We’ve successfully orbited our star once more and are full throttle into the new year. Before we roll too fast into 2024, let’s pause for a moment and look back at some of the highlights of the past year.
A Year of Pwn2Own Competitions
Back in January, we announced our first-ever Pwn2Own Automotive competition in Tokyo, and now we’re just a couple of weeks from that event. We already have several registrations, so I can’t wait to see what exploits researchers put on display.
In February, we held Pwn2Own Miami, which focuses on industrial control systems (ICS) and SCADA targets. During that event, we saw the debut of ChatGPT in the competition. We also awarded over $150,000 for 27 unique 0-day vulnerabilities.
In March, we returned to Vancouver for the original edition of Pwn2Own. The highlight of the event saw the team from Synacktiv exploit the Tesla Model 3 head unit on their way to winning $350,000 (and the Tesla Model 3 itself). We used the head unit instead of the car itself because we were concerned the exploits may cause the vehicle to move uncontrollably. Safety first. In total, we awarded $1,035,000 during the three-day contest.
In October, Pwn2Own Toronto turned its attention to devices commonly found in homes and small offices. We added wired and Wi-Fi cameras to the event this year to see what security problems they may have, and our contestants did not disappoint our curiosity. One team hacked a camera by showing it a QR code. Another was able to exploit any camera provided he knew the MAC address. Probably most impressively, the Synacktiv team returned to target the cameras with a remote attack over Wi-Fi that exploited a kernel buffer overflow. They just needed to be within range of a vulnerable camera to completely control it. We awarded $938,250 in total during the event.
Combine those events, and you’ll find we paid out $2,126,750 for Pwn2Own competitions during 2023. With the Automotive event looking like it will be an exciting show, we’ll likely pay out even more in 2024.
A Few Bugs of Renown
There were so many good bugs in 2023 that it’s hard to narrow it down to just a few. I would be remiss if I didn’t mention the Activation Context Cache Poisoning privilege escalation discovered by ZDI researcher Simon Zuckerbraun. It won a Pwnie Award for Most Under-Hyped Research. There was also ZDI-23-233/CVE-2023-27350. That PaperCut exploit showed why patch management is so important, as it caused quite a bit of damage – after the patch was available. But perhaps my favorite bug of the year was found in the Schneider Electric APC Easy UPS Online. ZDI-23-444/CVE-2023-29411 is an authentication bypass. The “system” RMI interface exposes the method `updateManagerPassword(String managerPassword)`, which lets an unauthenticated user change the administrative password without supplying any credentials at all. Neat!
By the Numbers
In 2023, the ZDI published 1,913 advisories – the most ever in the history of the program. This is the fourth year in a row that has eclipsed our previous record. While it’s unlikely we’ll keep up a record-breaking pace for a fifth year in a row, it does speak to the overall health of the program. Of course, I said that last year as well. While we do work with people from around the world, our own researchers had their busiest year ever, too. Just over 49.4% of all published advisories were reported by ZDI vulnerability analysts. Here’s how those advisory numbers stack up year-over-year.
Coordinated disclosure of vulnerabilities continues to be a priority for our program, and it continues to be a success as well. While 2020 saw our largest percentage of 0-day disclosures, the number declined over the next two years. However, this year saw an increase to 198 cases – just over 10% of the total disclosures.
Here’s a breakdown of advisories by vendor. The top vendors should not surprise many, but it is interesting to see Adobe that far ahead of everyone else. If you exclude the XSS bugs patched in December, our program is responsible for over 78% of Adobe bugs fixed last year. Not too shabby. Of course, Microsoft remains a popular target for our researchers as well. Just over 20% of the bugs patched by the Redmond giant came through the ZDI. D-Link stormed up the charts in 2023 with 176 advisories. And PDF parsing remains a security challenge for vendors beyond just Adobe. Foxit, Kofax, and PDF-XChange all had a significant number of file parsing bugs reported by ZDI.
We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2023, we did just that. A total of 73% of these vulnerabilities were rated Critical or High severity.
When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2023:
It’s interesting to see deserialization bugs crack the top 10. It’s also interesting to see stack-based buffer overflows rank above OOB Write bugs.
Looking Ahead
Moving into the new year, we anticipate staying just as busy – especially in the first quarter. We currently have more than 500 bugs reported to vendors awaiting disclosure. We have Pwn2Own Automotive and Pwn2Own Vancouver just on the horizon. Don’t worry if you can’t attend in person. We’ll be streaming and posting videos of the event to just about every brand of social media available.
We’re also looking to update our website and blog at some point this year. I know – I said that last year as well. When that occurs, I promise you’ll be able to choose between a light and dark theme. We’re aware our website doesn’t look the best on certain platforms. We’ll also be expanding our video offerings. I’ll continue offering the Patch Report on Patch Tuesdays and hope to tweak the format a bit in the coming year.
As always, we look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem. In other words, 2024 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter, Mastodon, LinkedIn, or Instagram for the latest updates from the ZDI.