The CVE-2021-22204 Vulnerability
Security researchers recently reported a vulnerability affecting the VirusTotal anti-malware platform that could be exploited for remote code execution against antivirus engines within the platform that have not been patched.
The vulnerability in question (tracked as CVE-2021-22204) is no longer present in VirusTotal, as it has been patched. According to Marlon Fabiano da Silva and Shai Alfasi, researchers at Cysource, while the flaw was unpatched, attackers could potentially use it to gain access to the platform's various scan capabilities and remotely execute arbitrary code.
The VirusTotal platform is an anti-malware service that uses over 70 antivirus engines to scan questionable files for malware content and warn the user about any potential rogue code that may get found in the analyzed files.
The potential attack method involving CVE-2021-22204 consists of uploading a DjVu file to the platform through its web user interface; when the file is scanned, it triggers a flaw in ExifTool, the open-source utility that VirusTotal uses to read and edit EXIF metadata in PDF and image files, and thereby achieves remote arbitrary code execution.
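A defender-side illustration of the point above, added here and not part of the original article or of VirusTotal's or ExifTool's code: because ExifTool recognises formats by their content rather than by file extension, a pipeline that feeds uploads to ExifTool should gate them by magic bytes. The DjVu container header (`AT&T` + `FORM` + length + secondary ID), the allowed-format list and the sample inputs are the example's own assumptions and constructed values.

```python
"""Content-based gate for an upload pipeline that hands files to ExifTool.

Added example, not VirusTotal's or ExifTool's code. It assumes the pipeline
only needs JPEG, PNG and PDF metadata and so refuses anything whose content
is a DjVu container, whatever extension the filename carries.
"""
import struct

# DjVu container layout: "AT&T", "FORM", 4-byte big-endian length, secondary ID.
DJVU_SECONDARY_IDS = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}

# Magic bytes of the formats this pipeline actually intends to process.
ALLOWED_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def is_djvu(data: bytes) -> bool:
    """True if the bytes start with a DjVu container header."""
    return (len(data) >= 16 and data[0:4] == b"AT&T"
            and data[4:8] == b"FORM" and data[12:16] in DJVU_SECONDARY_IDS)


def classify(data: bytes) -> str:
    """Identify the file type from its leading bytes, never from its name."""
    if is_djvu(data):
        return "djvu"
    for name, magic in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def gate(filename: str, data: bytes) -> str:
    """Decide whether a file may be passed to ExifTool; returns a verdict string."""
    kind = classify(data)
    if kind == "djvu":
        return "quarantine:djvu"   # CVE-2021-22204 surface, do not parse with ExifTool
    if kind == "unknown":
        return "reject:unknown"    # unrecognised content is not parsed at all
    return f"allow:{kind}"


# Constructed sample uploads (not real files); the second is DjVu content under a .jpg name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 12,
    "scan.jpg": b"AT&TFORM" + struct.pack(">I", 64) + b"DJVU" + b"\x00" * 8,
    "doc.pdf": b"%PDF-1.7\n" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", gate(name, blob))
```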
The vulnerability has a CVSS severity score of 7.8 and is caused by ExifTool's mishandling of DjVu files. The flaw was first spotted last year and has since been patched; the fix was released on the 13th of April 2021.
According to the researchers who disclosed the flaw, exploiting it could provide a reverse shell on any affected antivirus engine that has not yet received the patch.
VirusTotal recently stated that the CVE-2021-22204 flaw is not in the platform itself but in the individual antivirus engines it incorporates, and that its own ExifTool version is not susceptible to the flaw.
The vulnerability was first reported by Cysource via Google’s Vulnerability Reward Programs on the 30th of April 2021. Shortly after the report, the security vulnerability was fixed.
This is not the first ExifTool-related flaw that could be exploited for remote code execution. In 2021, another flaw, tracked as CVE-2021-22205 and rated CVSS 10.0, was discovered, related to improper validation of user-supplied images.