ZeroDay Cloud Competition Demonstrated 11 Successful Attacks On Redis, PostgreSQL, MariaDB And Linux Kernel

The results of the ZeroDay Cloud competition, held at the Black Hat Europe conference and aimed at finding vulnerabilities in open source software used in cloud environments, have been announced. During the event, 11 previously unknown vulnerabilities in Redis, PostgreSQL, MariaDB, the Linux kernel and Grafana were demonstrated. The rewards paid out totalled $320 thousand, out of a declared prize fund of $4.5 million.

According to the competition rules, participants had to demonstrate working exploits based on previously unknown (0-day) vulnerabilities. In the “virtualization” category, an exploit had to escape an isolated container or virtual machine; in the other categories it had to achieve remote code execution. The configurations of the targeted applications were published on GitHub.

Attacks demonstrated:

  • Five attacks on the Redis DBMS that led to remote code execution with authenticated access (five awards of $30,000).
  • Three attacks on the PostgreSQL DBMS that led to remote code execution with authenticated access (three awards of $30,000).
  • An attack on the MariaDB DBMS that led to remote code execution with authenticated access ($30,000).
  • Remote code execution in the Grafana data visualization platform with authenticated access to the interface ($10,000).
  • An attack on the Linux kernel that made it possible to escape from an isolated container on Ubuntu ($40,000).
  • Two attempted attacks on vLLM and Ollama were unsuccessful, as the participants could not complete them within the allotted time.

Team Xint Code, which carried out successful attacks on Redis, PostgreSQL and MariaDB, was declared the winner and earned 90 thousand dollars. Notably, the vulnerabilities demonstrated by Team Xint Code were identified using the Xint Code AI analyzer.

The largest prize, $300 thousand for hacking nginx, went unclaimed, as did the $100 thousand prize offered for hacking Apache Tomcat, Redis, PostgreSQL and MariaDB with unauthenticated access.
No entries were submitted for hacking Docker, Containerd, Envoy, Caddy, NVIDIA Container Toolkit, Kubernetes API Server, Kubelet Server, Prometheus, Fluent Bit, Apache Airflow, Jenkins or GitLab CE.

Details about the nature of the vulnerabilities have not yet been disclosed. Under the competition terms, full information on all demonstrated vulnerabilities has been passed to the developers of the affected projects and will be published after the vendors release updates that fix them.
