$3.2M Awarded for 11 Zero-Day Cloud Vulnerabilities

Summary
– The Zeroday Cloud competition awarded $320,000 to researchers who demonstrated critical remote code execution vulnerabilities in cloud infrastructure components.
– The event, hosted by Wiz Research with major cloud providers, saw an 85% success rate across 13 hacking sessions, revealing 11 zero-day vulnerabilities.
– A key vulnerability was a Linux kernel container escape flaw that compromised the isolation between cloud tenants, a core security guarantee.
– Team Xint Code won the event and $90,000 for successfully exploiting Redis, MariaDB, and PostgreSQL, while AI model hacking attempts failed.
– The awarded bounties were only a small portion of the available $4.5 million prize pool, with many eligible product categories seeing no exploits.
A recent cybersecurity competition dedicated to cloud infrastructure has distributed over three hundred thousand dollars in rewards to researchers who successfully uncovered critical security flaws. The inaugural Zeroday Cloud event, organized by Wiz Research with support from major cloud providers Amazon Web Services, Microsoft, and Google Cloud, saw participants demonstrate eleven previously unknown zero-day vulnerabilities. The high success rate of these hacking attempts underscores the persistent and evolving challenges in securing complex cloud environments.
Held in London, the event featured thirteen distinct hacking sessions where researchers achieved an 85% success rate in their attempts. On the first day alone, bounties totaling $200,000 were awarded for successful exploits targeting widely used components like Redis, PostgreSQL, Grafana, and the Linux kernel. The second day added another $120,000 in awards, with further demonstrations against Redis, PostgreSQL, and MariaDB. These database systems are fundamental to cloud operations, often housing sensitive data including user credentials and proprietary secrets.
One of the most significant findings involved a container escape vulnerability within the Linux kernel. This type of flaw is particularly dangerous in cloud contexts, as it can allow an attacker to break the isolation between different tenants, directly challenging a foundational principle of cloud security. Cybersecurity firms Zellic and DEVCORE were recognized for this discovery, receiving a combined award of $40,000.
While the event focused on traditional cloud infrastructure, it also explored emerging frontiers. Participants made attempts to compromise AI inference servers, specifically targeting the vLLM and Ollama platforms. A successful attack here could have led to the exposure of private AI models, training datasets, and sensitive prompts. However, these particular attempts were ultimately unsuccessful, as they were not completed within the time allotted by the competition.
The overall champion of the event was Team Xint Code, which secured the title by demonstrating exploits against Redis, MariaDB, and PostgreSQL. Their three successful hacks earned them a substantial $90,000 prize, the highest single bounty awarded during the competition. Despite these significant payouts, the total amount distributed represents only a small portion of the available incentive pool. The event offered a staggering $4.5 million in potential prizes for a broader range of targets.
This gap highlights areas where security research may need further focus. Several important product categories saw no successful exploits during the event. The untouched list includes AI and machine learning tools like the Nvidia Container Toolkit, orchestration platforms such as Kubernetes and Docker, popular web servers including nginx and Apache Tomcat, and critical development and operations software like Jenkins and GitLab CE. The absence of demonstrated vulnerabilities in these systems does not imply they are secure, but rather points to potential complexities that may require more dedicated research effort in the future.
(Source: Bleeping Computer)