Researchers Report Critical RCE Vulnerability in Google’s VirusTotal Platform
Security researchers have disclosed a vulnerability in the VirusTotal platform that could have been weaponized to achieve Remote Code Execution (RCE).
The flaw, now patched, allowed “remote command execution within the VirusTotal platform and access to its various scanning capabilities,” said Cysource researchers Shai Alfasi and Marlon Fabiano da Silva in a report exclusively shared with The Hacker News.
VirusTotal, part of Google’s Chronicle security subsidiary, is a malware scanning service that analyzes suspicious files and URLs using more than 70 third-party antivirus products.
The attack method involved uploading a DjVu file through the platform’s web UI, using it to trigger an exploit for a high-severity remote code execution flaw in ExifTool, an open source utility used to read and modify EXIF metadata information in image and PDF files.
Tracked as CVE-2021-22204 (CVSS score: 7.8), the high-severity vulnerability in question is a case of arbitrary code execution resulting from ExifTool’s mishandling of DjVu files. The issue was fixed by its maintainers in a security update released on April 13, 2021.
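Since the trigger was a DjVu file handed to a metadata extractor, one defensive control an upload pipeline can apply is to identify DjVu containers by their header rather than by file extension and hold them back from ExifTool until the extractor is confirmed patched. The following Python snippet is an added illustration of that check, not code from the article or from Cysource; the routing policy, function names and sample inputs are assumptions.

```python
import struct
from typing import Optional

# DjVu is an IFF-style container: "AT&T" magic, then "FORM", a 4-byte big-endian
# chunk length, then the form type that identifies the kind of DjVu document.
DJVU_MAGIC = b"AT&T"
IFF_FORM = b"FORM"
# Form types defined by the DjVu spec: single page, bundled multi-page,
# IW44 colour/bilevel image and thumbnail files.
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"PM44", b"BM44", b"THUM"}


def sniff_djvu(data: bytes) -> Optional[str]:
    """Return the DjVu form type if `data` starts with a DjVu header, else None.

    The check ignores the file name entirely, so a DjVu payload uploaded under
    an image extension is still recognised."""
    if len(data) < 16:
        return None
    if data[0:4] != DJVU_MAGIC or data[4:8] != IFF_FORM:
        return None
    form_type = data[12:16]
    if form_type not in DJVU_FORM_TYPES:
        return None
    return form_type.decode("ascii")


def route_upload(name: str, data: bytes) -> str:
    """Hypothetical routing policy applied before any metadata extraction:
    DjVu containers are quarantined for manual review, everything else is scanned."""
    if sniff_djvu(data) is not None:
        return "quarantine"
    return "scan"


# Constructed sample inputs (not real uploads): a minimal single-page DjVu
# header and the first bytes of a JPEG/JFIF file, padded to 16 bytes.
SAMPLE_DJVU = DJVU_MAGIC + IFF_FORM + struct.pack(">I", 4) + b"DJVU"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12

if __name__ == "__main__":
    # A DjVu body uploaded as "photo.jpg" is still caught by the header check.
    print(route_upload("photo.jpg", SAMPLE_DJVU))  # quarantine
    print(route_upload("photo.jpg", SAMPLE_JPEG))  # scan
```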
One consequence of such an exploit, the researchers noted, was that it granted access not only to a Google-controlled environment, but also to more than 50 internal hosts with high-level privileges.
“The interesting part is that every time we upload a file with a new hash containing a new payload, VirusTotal forwards the payload to other hosts,” the researchers said. “So not only did we have an RCE, but it was also transmitted by Google’s servers to Google’s internal network, customers, and partners.”
Cysource said it responsibly reported the bug via Google’s Vulnerability Reward Program (VRP) on April 30, 2021, after which the security flaw was immediately patched.
This is not the first time that the ExifTool flaw has appeared as a conduit to achieve remote code execution. Last year, GitLab fixed a critical flaw (CVE-2021-22205, CVSS score: 10.0) related to poor validation of user-supplied images, leading to the execution of arbitrary code.