Thursday, June 30, 2022

Researchers Report Critical RCE Vulnerability in Google’s VirusTotal Platform


Security researchers have disclosed a security vulnerability in the VirusTotal platform that could have potentially been weaponized to achieve remote code execution (RCE).

The flaw, now patched, made it possible to “execute instructions remotely inside VirusTotal platform and achieve entry to its numerous scans capabilities,” Cysource researchers Shai Alfasi and Marlon Fabiano da Silva said in a report exclusively shared with The Hacker News.

VirusTotal, a part of Google’s Chronicle security subsidiary, is a malware-scanning service that analyzes suspicious files and URLs and checks for viruses using more than 70 third-party antivirus products.


The attack method involved the upload of a DjVu file via the platform’s web user interface, using it to trigger an exploit for a high-severity remote code execution flaw in ExifTool, an open-source utility used to read and edit EXIF metadata information in image and PDF files.

RCE Vulnerability in VirusTotal

Tracked as CVE-2021-22204 (CVSS score: 7.8), the high-severity vulnerability in question is a case of arbitrary code execution that arises from ExifTool’s mishandling of DjVu files. The issue was patched by its maintainers in a security update released on April 13, 2021.

A consequence of such an exploitation, the researchers noted, was that it granted access to not only a Google-controlled environment, but also to more than 50 internal hosts with high-level privileges.


“The attention-grabbing half is each time we uploaded a file with a brand new hash containing a brand new payload, VirusTotal forwarded the payload to different hosts,” the researchers said. “So, not simply we had an RCE, but additionally it was forwarded by Google’s servers to Google’s inside community, its clients, and companions.”


Cysource said it responsibly reported the bug through Google Vulnerability Reward Programs (VRP) on April 30, 2021, following which the security weakness was immediately rectified.

This is not the first time the ExifTool flaw has emerged as a conduit to achieve remote code execution. Last year, GitLab fixed a critical flaw (CVE-2021-22205, CVSS score: 10.0) related to an improper validation of user-provided images, leading to arbitrary code execution.
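Both incidents above involve an upload path handing untrusted files to a metadata parser. As an added example (not code from the article, Cysource, VirusTotal or GitLab), the sketch below shows a pre-parse gate that recognises DjVu content by its container signature rather than by file name, so such files can be rejected or sent to an isolated, patched parser. The function names and routing labels are hypothetical, and the sample bytes are constructed.

```python
import struct
from typing import List, Optional, Tuple

# DjVu files start with "AT&T" followed by an IFF "FORM" container header.
DJVU_MAGIC = b"AT&TFORM"
DJVU_FORMS = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}

def sniff_djvu(data: bytes) -> Optional[str]:
    """Return the form type if the bytes look like DjVu, else None.

    Fails closed: a matching magic with a truncated or unknown form
    type is still reported (as "UNKNOWN") so it is not parsed blindly.
    """
    if not data.startswith(DJVU_MAGIC):
        return None
    form = data[12:16]
    return form.decode("ascii") if form in DJVU_FORMS else "UNKNOWN"

def list_chunks(data: bytes) -> List[Tuple[str, int]]:
    """List top-level chunk IDs and sizes for logging; stops on truncation."""
    chunks, pos = [], 16
    while pos + 8 <= len(data):
        cid, size = struct.unpack(">4sI", data[pos:pos + 8])
        chunks.append((cid.decode("latin-1"), size))
        pos += 8 + size + (size & 1)  # IFF chunks are padded to even length
    return chunks

def route_upload(filename: str, data: bytes) -> str:
    """Hypothetical routing policy applied before any metadata extraction."""
    if sniff_djvu(data) is None:
        return "extract-metadata"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("djvu", "djv"):
        return "reject"   # DjVu content behind another extension
    return "sandbox"      # declared DjVu: parse only in an isolated worker

# Constructed sample: a minimal DjVu-shaped container with one INFO chunk.
_body = b"DJVU" + b"INFO" + struct.pack(">I", 10) + bytes(10)
SAMPLE = b"AT&TFORM" + struct.pack(">I", len(_body)) + _body

if __name__ == "__main__":
    for name in ("scan.djvu", "photo.jpg"):
        print(name, route_upload(name, SAMPLE), list_chunks(SAMPLE))
```

A gate like this complements, and does not replace, updating ExifTool to a release that includes the April 13, 2021 fix.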


Sasith Mawan

