Researchers claim to have found a serious security vulnerability affecting Google’s VirusTotal platform that could allow remote code execution. They also shared the timeline of events, explaining how the vulnerability received a fix following the bug report. However, VirusTotal denies such claims, stating that the bug never affected VT machines.
RCE Vulnerability Found In VirusTotal Platform
According to a recent post from CySource, their research team caught a remote code execution vulnerability affecting VirusTotal.
VirusTotal is a Google Chronicle-owned platform for virus scanning. The platform aggregates virus detection reports from various third-party anti-malware products and scan engines, facilitating the cybersecurity community in prompt malware detection.
As elaborated, the vulnerability didn’t specifically exist in the VirusTotal platform. Instead, it resided in how the ExifTool processed the submitted image files.
The CySource team noticed that they could execute a malicious payload on the platform by uploading a maliciously crafted DjVu file. That’s because the platform would send the payload to the host scanners without detecting it.
The first step was uploading a djvu file to the page https://www.virustotal.com/gui/ with the payload…
Virustotal.com analyzed my file and none of the antiviruses detected the payload added to the file’s metadata…
The application sent our file with the payload to several hosts to perform the scan…
On virustotal hosts, at the time that exiftool is executed, … instead of exiftool detecting the metadata of the file it executes our payload. Handing us a reverse shell on our machine.
As a result, the researchers could gain access to the internal scanners and the subsequent sensitive data with high privileges.
This vulnerability has received the identification number CVE-2021-22204 and a high-severity rating with a base score of 7.8. The vulnerability description reads,
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.
Following the bug discovery, the researchers reported the matter to Google via its Vulnerability Research Program (VRP) in April 2021. Consequently, the patch addressing the bug arrived in January 2022.
VirusTotal Refutes Any Bug Affecting Its Machines
Following the public disclosure of the report, Bernardo Quintero, founder of VirusTotal, debunked the news that the vulnerability affected VirusTotal machines.
In a series of tweets, Quintero explained that the bug possibly affected some third-party machines and never the VT machines. He also said that the “researchers knew it.”
CONFIRMED: none reported machine was from VT and the "researchers" knew It 🙁
— Bernardo Quintero (@bquintero) April 26, 2022
He even shared a copy of the Google VRP response to the researchers, which mentioned that the RCE bugs didn’t affect the VirusTotal platform.
Moreover, the response also mentioned that the platform didn’t use the vulnerable ExifTool versions. So, it seems that the bug possibly had no direct effect on the platform, even in the case of third-party exploit. Yet, this needs further elaboration from both parties.
Let us know your thoughts in the comments.