VirusTotal Breached Shockingly Easily

Researchers discovered a vulnerability in the VirusTotal platform that might have allowed attackers to use it to get remote code execution (RCE) on unpatched third-party sandboxing computers with antivirus engines.

VirusTotal flawed

According to Cysource researchers, the flaw made it possible to execute commands remotely within the VirusTotal platform and gain access to its numerous scanning capabilities.

VirusTotal, a malware-scanning service run by Google’s Chronicle security unit, analyses suspicious files and URLs and tests for viruses using more than 70 third-party antivirus engines.

How access was acquired

The attack method involved uploading a DjVu file through the platform’s web user interface. When the file was passed to multiple third-party malware scanning engines, it could trigger an exploit for a high-severity remote code execution flaw in ExifTool, an open-source utility for reading and editing EXIF metadata in image and PDF files.

The high-severity vulnerability in question is CVE-2021-22204 (CVSS score: 7.8), and it is a case of arbitrary code execution caused by ExifTool’s mishandling of DjVu files. The problem was fixed in a security update provided on April 13, 2021 by the project’s maintainers.
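As an added defensive illustration (not code from the original article, nor from Cysource or VirusTotal), the following Python script identifies DjVu content by its container header, independent of the file extension, and holds such samples back from an ExifTool whose reported version predates the fix. The fixed version number 12.24 is an assumption not stated in the article, as are the function names.

```python
import re
import struct
import subprocess
from typing import Optional

# DjVu containers start with the IFF-style chunk "AT&TFORM", a 4-byte
# big-endian length, then a form type such as DJVU (single page) or DJVM
# (multi-page). The check is content-based, so a renamed file still matches.
DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"BM44", b"PM44"}

# Assumption (not stated in the article): the first ExifTool release carrying
# the April 13, 2021 DjVu fix is 12.24. Adjust to your vendor advisory.
FIXED_EXIFTOOL_VERSION = (12, 24)


def is_djvu(data: bytes) -> bool:
    """Return True when the bytes carry a DjVu container header."""
    if len(data) < 16 or not data.startswith(DJVU_MAGIC):
        return False
    return data[12:16] in DJVU_FORM_TYPES


def parse_version(text: str) -> Optional[tuple]:
    """Turn an 'exiftool -ver' line such as '12.23' into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def exiftool_is_patched(version_text: str) -> bool:
    v = parse_version(version_text)
    return v is not None and v >= FIXED_EXIFTOOL_VERSION


def installed_exiftool_version() -> Optional[str]:
    """Ask the local exiftool for its version; None if it is not installed."""
    try:
        return subprocess.run(["exiftool", "-ver"], capture_output=True,
                              text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None


def should_quarantine(sample: bytes, version_text: Optional[str]) -> bool:
    """Hold DjVu samples back from an unpatched (or unknown-version) ExifTool."""
    if not is_djvu(sample):
        return False
    return version_text is None or not exiftool_is_patched(version_text)


if __name__ == "__main__":
    # Constructed sample: a minimal DjVu header; a .jpg name would not change it.
    sample = DJVU_MAGIC + struct.pack(">I", 4) + b"DJVU"
    print("quarantine:", should_quarantine(sample, installed_exiftool_version()))
```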

According to the researchers, such exploitation yielded a reverse shell on affected machines linked to antivirus engines that had not yet been patched against the remote code execution vulnerability.

The vulnerability does not affect VirusTotal itself; its founder, Bernardo Quintero, confirmed in a published statement that this is the intended behaviour. The code execution does not occur in the platform itself, but in the third-party scanning systems that analyse and execute the samples. The company also stated that it is utilising an ExifTool version that is not affected by the issue.

This isn’t the first time the ExifTool vulnerability has been used to gain remote code execution access. Last year, GitLab patched a severe bug (CVE-2021-22205, CVSS score: 10.0) that allowed arbitrary code execution due to poor validation of user-provided pictures.


Arjun Gopireddy
Arjun is an Information Security Specialist, and his main role is to support our clients by identifying and advising on mitigating information security risks. Holding a Master’s degree in Cyber Security (UK) and Engineering Management (USA) his knowledge and skills are shared with our clients. Outside of work Arjun likes watching movies, travelling, playing cricket, football and doing adventurous things such as sky diving. He is the biggest fan of Yuvraj Singh – a former Indian international cricketer.