Pwn2Own Hack Challenge Uncovers Critical Flaws in VMware and Microsoft
By Netvora Tech News
During the second day of the Pwn2Own hack challenge in Berlin, researchers demonstrated previously unknown vulnerabilities that allowed them to compromise VMware ESXi and Microsoft SharePoint. The vulnerabilities have yet to be patched. The researchers were rewarded with $150,000 and $100,000 respectively for demonstrating the security flaws.

Pwn2Own is an annual event where researchers are incentivized to demonstrate unknown vulnerabilities in widely used products and services. The event features different categories, including browsers, containers, virtualization software, business applications, server software, operating systems, and even a Tesla Model 3/Y.

The published competition schedule shows that the biggest targets chosen by researchers were VMware ESXi and Microsoft SharePoint. A researcher from security firm STARLabs SG demonstrated an integer overflow attack to compromise ESXi. ESXi, part of VMware's vSphere, is a "bare metal hypervisor" for virtualizing operating systems. The virtualization software is installed directly on a server and can then load the virtualized operating system. According to security firm Zero Day Initiative, which organizes the event, it is the first time an exploit of this kind has been demonstrated during Pwn2Own.

Two other researchers, including one from Viettel Cyber Security, combined two vulnerabilities to compromise a Microsoft SharePoint server. Details are now being shared with VMware and Microsoft so that updates can be developed.

Tomorrow is the final day of Pwn2Own Berlin, where researchers will demonstrate vulnerabilities against Mozilla Firefox, Oracle VirtualBox, VMware Workstation, and once again against VMware ESXi.