6 August 2021 11:54
Qualys Wins Two Pwnie Awards - Best Privilege Escalation Bug and Most Under-Hyped Research
Honor highlights value the Qualys Research Team brings to the cybersecurity community at large
Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of cloud-based security and compliance solutions, today announced that its renowned research team won two Pwnie Awards at Black Hat USA 2021: Best Privilege Escalation Bug for CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit), and Most Under-Hyped Research for 21Nails. These awards honor the team for its cutting-edge research, discovery and responsible disclosure of new and critical vulnerabilities in popular software applications.
In a world where bad actors are becoming increasingly sophisticated and, almost weekly, discover and exploit vulnerabilities in widely used programs, research teams serve a vital purpose in protecting IT infrastructure and critical data. Qualys is committed to enabling its research team to conduct state-of-the-art research and identify vulnerabilities in popular applications before attackers find and maliciously exploit them.
The critical disclosures behind the award wins:
• Best Privilege Escalation Bug: Baron Samedit (CVE-2021-3156) is a heap-based buffer overflow in Sudo, a ubiquitous Unix program for running commands with elevated privileges. It is exploitable by any local user, whether or not that user is listed in the sudoers file, and without knowing any password; successful exploitation yields root. The flaw is fixed in Sudo 1.9.5p2.
• Most Under-Hyped Research: 21Nails is a set of 21 vulnerabilities discovered in the Exim mail transfer agent, some of which can be chained together to obtain unauthenticated remote code execution and gain root privileges. The flaws are fixed in Exim 4.94.2.
The discovery of these vulnerabilities results from extremely thorough source code audits of each of these applications over a period of multiple months. These vulnerabilities were exceedingly difficult to find and, in some cases, had previously been deemed unexploitable. The Qualys Research Team was nonetheless able to prove that they were indeed exploitable and to work with the maintainers on patches. Qualys was also able to show that some of these vulnerabilities had been lurking in the code base for years, adding to the significance of the disclosures.
“Day in and day out, cybercriminals launch sophisticated attacks to discover assets connecting to your environment and exploit your ever-increasing attack surface. Defending against such attacks is what drives the Qualys Research Team,” said Mehul Revankar, vice president of Product Management & Engineering, VMDR at Qualys. “As part of our research process, we routinely investigate weaknesses in software packages that could lead to a compromise and responsibly disclose them to vendors to quickly resolve them; all to allow customers and any affected organization to mitigate threats and prioritize and facilitate an effective response.”
“Security research is in our DNA. Qualys recognizes the criticality of this program and prioritizes conducting research to find vulnerabilities before attackers do,” said Sumedh Thakar, president and CEO of Qualys. “We are honored to have received five Pwnie award nominations this year and thrilled to win in the Best Privilege Escalation and Most Under-Hyped Research categories.”
About the Pwnie Awards 2021
The Pwnie Awards are an annual recognition celebrating the achievements of security researchers and the security community. Nominations are taken from the security community at large, and a panel of respected security researchers reviews the nominations and announces the winners in each category; the 2021 winners were announced at Black Hat USA 2021.
The Qualys Research Team
The Qualys Research Team engages in innovative vulnerability research that helps customers discover and remediate critical vulnerabilities across their digital infrastructure. Qualys has multiple open positions within its research team. If you are a security researcher looking for new opportunities, we invite you to apply to open research and engineering positions worldwide.
• To learn more about the Qualys Research Team’s work, visit qualys.com/research/security-advisories
• Read the Qualys blog post on the 2021 Pwnie Award wins
• Follow Qualys on LinkedIn and Twitter
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions with over 19,000 active customers in more than 130 countries, including a majority of each of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings.
The Qualys Cloud Platform and its integrated Cloud Apps deliver businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance, and protection for IT systems and web applications across on premises, endpoints, cloud, containers, and mobile environments. Founded in 1999 as one of the first SaaS security companies, Qualys has established strategic partnerships with leading cloud providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform, and managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, HCL Technologies, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance. For more information, please visit www.qualys.com.
Qualys and the Qualys logo are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.