We’ve successfully orbited our star once more and are full throttle into the new year. We’ve just completed our largest Pwn2Own ever in Toronto and are only six weeks away from Pwn2Own Miami, but before we go too far into 2023, now is a good time to look at some of the numbers and highlights of the past year.
These are a Few of My Favorite Bugs
It’s always great to see the huge number of amazing bugs submitted by independent researchers around the globe, but some really stood out. We’re super thankful for our global community of independent researchers, and we congratulate the 23 researchers who achieved reward levels in 2022. We had five people reach Platinum status, five reach Gold, seven Silver, and six Bronze. The work and submissions from our community of independent researchers are key to our success, and we thank all of them for their continued trust in our program. Of course, there are some particular bugs I wanted to specifically call out. These are not necessarily the best bugs of 2022 – I’m not sure how you could really judge that – but these are some that stand out to me. In no particular order, here are a few of my favorite bugs from last year:
ZDI-22-1655: Microsoft Teams
ZDI-22-1406/ZDI-22-1407: Tesla Model 3
Speaking of Pwn2Own Vancouver, these two bugs were used by the Synacktiv team to compromise the Model 3’s infotainment system. This allowed them to flash the headlights, open the “frunk”, and turn on the wiper blades. And they did it without touching the vehicle. Here’s the video of these bugs in action:
ZDI-22-1690: Linux Kernel
This bug is the lone CVSS 10 advisory we published last year, and the advisory was published towards the end of December. However, the bug was actually patched in August. One of the difficulties in what we do at the ZDI revolves around getting vendors (or open-source maintainers) to let us know when bugs are fixed. This bug is a use-after-free that could result in code execution in the context of the kernel – provided the target is using ksmbd. How many people are running ksmbd? We don’t know either, but probably not millions. For those who are, though, this is a serious bug – and since the patch was released in August, most kernels should have been updated anyway by the time we published our advisory. And for the record, we agree that putting an SMB server in a Linux kernel module is…problematic.
ZDI-22-856: OPC UA .NET Standard
Here’s another bug demonstrated at Pwn2Own. In this case, it was from the Miami edition, which focuses on industrial control systems (ICS) and SCADA. The team of Daan Keuper & Thijs Alkemade from Computest was able to bypass the trusted application check due to a mismatch between the .NET certificate chain validation API and a custom implementation of certificate chain building. This allows an attacker to forge new certificates accepted by the application, with full control over the contents of these certificates. Not only was it one of the most impressive bugs demonstrated at that contest, but it’s also some of the best research ever displayed at any Pwn2Own.
ZDI-22-1624: Microsoft Exchange Server
There are actually 31 advisories with this CVE (CVE-2022-41082), but this was the initial report. There’s already been a mountain of information about these Exchange bugs (including some from our team), so I won’t re-hash the technical details here. What’s really wild to me is that there are still nearly 70,000 unpatched, internet-facing Exchange servers out there. If you’re still running Exchange on-prem, why aren’t you patching it??!? That’s probably something we should investigate in 2023.
Again – these are just a few of my favorites. There are plenty of others I could talk about, including beeping printers to the tune of Mario, multiple Samsung Galaxy hacks, multiple SOHO smash-up winners, a gazillion PDF-related bugs, and so much more.
By the Numbers
In 2022, the ZDI published 1,706 advisories – the most ever in the history of the program. This is the third year in a row that has eclipsed our previous all-time record. While it’s unlikely we’ll keep up a record-breaking pace for a fourth year in a row, it does speak to the overall health of the program. Of course, I said that last year as well. While we do work with people from around the world, our own researchers had their busiest year ever, too. Just over 44% of all published advisories were reported by ZDI vulnerability analysts. Here’s how the numbers of advisories stack up year-over-year.
Figure 1 – Published ZDI Advisories Year-Over-Year
Coordinated disclosure of vulnerabilities continues to be a priority for our program, and it continues to be a success as well. While 2020 saw our largest percentage of 0-day disclosures, the number declined in 2021, and further declined last year to just 6% of our overall disclosures – down from the 18.6% high of 2020. This is a positive trend, and we hope it continues moving forward.
Figure 2 – 0-day Disclosures Since 2005
Here’s a breakdown of advisories by vendor. The top vendors should not surprise many, but it is interesting to see Adobe that far ahead of everyone else. Our program is responsible for over 70% of Adobe bugs fixed last year. Not too shabby. Siemens was in the #2 slot last year but fell to #7 in 2023. Bugs in SAP software more than doubled year-over-year to land them in the #5 position on our list. Many enterprises rely on SAP, so finding (and fixing) vulnerabilities in these products is a priority. We purchase quite a few ICS-related bugs throughout the year, and this list reflects that volume. Of course, Microsoft remains a popular target for our researchers as well. Around 15% of the bugs patched by the Redmond giant came through the ZDI.
Figure 3 – Published advisories per vendor for 2022
We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2022, we did just that. A total of 76% of these vulnerabilities were rated Critical or High severity.
Figure 4 – CVSS 3.0 Scores for Published Advisories in 2022
When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2022:
Figure 5 – Top 10 CWEs from 2022 Published Advisories
I’d say we had heaps of bugs last year, but that pun may be too bad even for me. Four out of the top five CWEs involve heap manipulation in one form or another. It’s also interesting to see the resurgence of SQL and OS command injection bugs. At least pointer dereferences decreased significantly as compared to 2021, so we got that going for us, which is nice.
Moving into the new year, we anticipate staying just as busy – especially in the first quarter. We currently have more than 750(!) bugs reported to vendors awaiting disclosure. We have Pwn2Own Miami and Pwn2Own Vancouver just on the horizon, plus a significant announcement later this month (no spoilers). Don’t worry if you can’t attend in person. We’ll be streaming and posting videos of the event to just about every brand of social media available.
We’re also looking to update our website and blog at some point this year. When that occurs, I promise you’ll be able to choose between a light and dark theme. I know – it doesn’t look the best on certain platforms. We’ll be expanding our video offerings, too. I started the Patch Report in September and will continue it through 2023 at least. In the coming year, we’re also looking to expand our program by acquiring bugs with an even bigger impact on our customers and the global community.
We look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem. In other words, the coming year is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter, Mastodon, LinkedIn, or Instagram for the latest updates from the ZDI.