Protection scientists have actually divulged a protection susceptability in the VirusTotal system that might have been possibly weaponized to accomplish remote code implementation (RCE).
The defect, currently covered, made it feasible to “implement commands from another location within VirusTotal system and also access to its different scans abilities,” Cysource scientists Shai Alfasi and also Marlon Fabiano da Silva stated in a report specifically shown to The Cyberpunk Information.
VirusTotal, component of Google’s Chronicle safety and security subsidiary, is a malware-scanning solution that assesses questionable data and also Links and also look for infections utilizing greater than 70 third-party anti-virus items.
The strike approach included the upload of a DjVu data with the system’s web user interface, utilizing it to activate a manipulate for a high-severity remote code implementation defect in ExifTool, an open-source energy made use of to check out and also modify EXIF metadata info in picture and also PDF data.
Tracked as CVE-2021-22204 (CVSS rating: 7.8), the high-severity vulnerability concerned is a situation of approximate code implementation that develops from ExifTool’s messing up of DjVu data. The concern was covered by its maintainers in a security update launched on April 13, 2021.
An effect of such an exploitation, the scientists kept in mind, was that it provided accessibility to not just a Google-controlled setting, however likewise to greater than 50 interior hosts with top-level benefits.
” The intriguing component is each time we published a data with a brand-new hash including a brand-new haul, VirusTotal sent the haul to various other hosts,” the scientists stated. “So, not simply we had an RCE, however likewise it was sent by Google’s web servers to Google’s interior network, its clients, and also companions.”
Cysource stated it sensibly reported the insect with Google Susceptability Compensate Programs (VRP) on April 30, 2021, adhering to which the safety and security weak point was quickly remedied.
This is not the very first time the ExifTool defect became a channel to accomplish remote code implementation. In 2014, GitLab dealt with a vital defect (CVE-2021-22205, CVSS rating: 10.0) pertaining to an inappropriate recognition of user-provided photos, resulting in approximate code implementation.