Doubts have arisen about the veracity of research that purportedly demonstrates a serious vulnerability involving VirusTotal, a Google-owned antivirus comparison and threat intel service.
VirusTotal (VT) offers a service that allows security researchers, sysadmins, and the like to analyze suspicious files, domains, IPs, and URLs through an aggregated service that bundles close to 70 antivirus products and scan engines.
Samples submitted through the service are automatically shared amongst the security community including, but not limited to, the vendors who maintain scanning engines used by VT.
In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claims researchers were able to “execute commands remotely within [the] VirusTotal platform and gain access to its various scans capabilities”.
The attack relies on a doctored DJVU file with a malicious payload added to the file’s metadata. This payload relies on the CVE-2021-22204 vulnerability in a metadata analysis tool, Exiftool, to then achieve remote code execution (RCE) and a remote shell.
Cysource researchers’ findings were submitted via Google’s VRP in April 2021 and resolved a month later.
But rather than demonstrating a way to weaponize VirusTotal, as they suggest, all Cysource has shown is a means to hack an unpatched, third-party antivirus toolbox, according to VirusTotal.
Debunked
In a rebuttal of the research posted as a thread on Twitter, Bernardo Quintero, VirusTotal’s founder, said that the code executions are happening on third-party scanning systems that take and analyze samples obtained from VT rather than VirusTotal itself.
VirusTotal makes no use of the vulnerable version of the Exiftool and, furthermore, none of the affected machines were maintained by VT, according to Quintero.
Quintero said that he informed the researchers of this in response to their initial disclosure last May. He criticised their decision to publish what he argues are misleading findings regardless as “fake news”.
“None [of the] reported machine was from VT and the ‘researchers’ knew it,” according to Quintero.
The Daily Swig has contacted Cysource for a response to this criticism and will update this story as and when more information comes to hand.
