There have been questions raised regarding the credibility of research that claims to reveal a severe vulnerability in VirusTotal, a Google-owned antivirus comparison and threat intel service.
VirusTotal (VT) is a service that enables security researchers, system administrators, and others to evaluate suspicious files, domains, IP addresses, and URLs using an aggregated service that includes close to 70 antivirus vendors and scan engines.
The security community, including, but not limited to, the vendors who maintain the scanning engines used by VT, receives samples provided through the service automatically.
In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claims researchers were able to “execute commands remotely within [the] VirusTotal platform and gain access to its various scans capabilities”.
A doctored DJVU file with a malicious payload added to the file's metadata is used in the attack. To accomplish remote code execution (RCE) and a remote shell, this payload exploits the CVE-2021-22204 vulnerability in Exiftool, a metadata analysis tool.
In April 2021, Cysource researchers presented their findings to Google's VRP, which were addressed a month later.
VirusTotal claims that instead of providing a way to weaponize VirusTotal, Cysource has only demonstrated a way to exploit an unpatched third-party antivirus toolset.
Bernardo Quintero, VirusTotal's founder, stated the code executions are occurring on third-party scanning systems that take and analyse samples obtained from VT, rather than VirusTotal itself, in a response to the findings released as a thread on Twitter.
“None [of the] reported machine was from VT and the ‘researchers’ knew it,” Quintero added.
