VirusTotal Breached Shockingly Easily

Researchers discovered a vulnerability in the VirusTotal platform that might have allowed attackers to use it to get remote code execution (RCE) on unpatched third-party sandboxing computers with antivirus engines.

VirusTotal flawed

According to Cysource researchers, the flaw allowed it possible to perform instructions remotely within VirusTotal platform and obtain access to its numerous scans capabilities.

VirusTotal, a malware-scanning service run by Google’s Chronicle security industry, analyses suspicious files and URLs and tests for viruses using more than 70 third-party antivirus software.

How access was acquired

The attack method involved uploading a DjVu file through the platform’s web user interface. When passed to multiple third-party malware scanning engines, could trigger an exploit for a high-severity remote code execution flaw in ExifTool. This is an open-source utility for reading and editing EXIF metadata information in image and PDF files.

The high-severity vulnerability in question is CVE-2021-22204 (CVSS score: 7.8), and it is a case of arbitrary code execution caused by ExifTool’s mishandling of DjVu files. The problem was fixed in a security update provided on April 13, 2021 by the project’s maintainers.

According to the researchers, a reverse shell was granted to impacted PCs linked to some antivirus engines that had not yet been patched for the remote code execution vulnerability as a result of such an exploitation.

The vulnerability does not affect VirusTotal, its founder Bernardo Quintero, verified that this is the intended behavior in a statement published. The code executions are not in the platform itself, but in the third-party scanning systems that analyse and execute the samples. The company also stated that it is utilising an ExifTool version that is not affected by the issue.

This isn’t the first time the ExifTool vulnerability has been used to gain remote code execution access. Last year, GitLab patched a severe bug (CVE-2021-22205, CVSS score: 10.0) that allowed arbitrary code execution due to poor validation of user-provided pictures.

Want to read more? Another article is available here!.

Share This Post:

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on pinterest
Pinterest
Share on email
Email
Share on whatsapp
WhatsApp
Arjun Gopireddy
Arjun Gopireddy
Arjun is an Information Security Specialist, and his main role is to support our clients by identifying and advising on mitigating information security risks. Holding a Master’s degree in Cyber Security (UK) and Engineering Management (USA) his knowledge and skills are shared with our clients. Outside of work Arjun likes watching movies, travelling, playing cricket, football and doing adventurous things such as sky diving. He is the biggest fan of Yuvraj Singh – a former Indian international cricketer.
What our clients say:
Subscribe to our newsletter

Sign up to receive updates, promotions, and sneak peaks of upcoming products. Plus 20% off your next order.

Promotion nulla vitae elit libero a pharetra augue
Subscribe to our newsletter

Sign up to receive updates, promotions, and sneak peaks of upcoming products. Plus 20% off your next order.

Promotion nulla vitae elit libero a pharetra augue