[MART] - Daily Diary #496 - RCE Found On VirusTotal Environment

CTAS-MAT ctas-mat at appgate.com
Mon Apr 25 23:23:58 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

04/25/2022 - Diary entry #496:

VirusTotal is a free service that uses more than 50 antivirus engines to analyze suspicious artifacts and to provide real-time detection of files, URLs, domains, and more. When an artifact is submitted for analysis, VirusTotal's environment runs several tools to support the process, such as extracting a file's strings, capabilities, and metadata, or capturing screenshots of URLs.

In April last year, researchers found a Remote Code Execution vulnerability by submitting weaponized samples to VirusTotal. By exploiting the vulnerability, their malicious payload was executed as soon as the ExifTool utility was run by the antivirus scanners/engines. ExifTool is a platform-independent Perl library plus a command-line application for reading, writing, and editing meta information in a wide variety of files.

Tracked as CVE-2021-22204, the vulnerability is described by MITRE as "improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image". As soon as it was reported to VirusTotal it was fixed, and today it was publicly disclosed.

Since security companies rely on tools such as ExifTool to extract useful information during sandboxed analysis, keeping every tool in the pipeline updated is a must to defend against this vulnerability. Beyond that, it is important to isolate all analysis environments and monitor them, so that future vulnerabilities in any one tool stay contained.
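A pre-flight gate of the kind that paragraph implies, as an added example (not code from the diary or from VirusTotal): it checks the installed ExifTool version against the release that carries the fix for CVE-2021-22204, and, while the installed copy is still below that floor, identifies DjVu containers by signature so they are quarantined instead of being handed to the vulnerable parser. The fixed release number is not stated in the entry and is passed in as the `minimum` parameter; the sample bytes are constructed.

```python
"""Gate ExifTool invocations in a sandboxed analysis pipeline (added example)."""
import re
import subprocess
from typing import Tuple

# DjVu is an IFF-style container: "AT&TFORM", a 4-byte big-endian length, then a
# form type starting with "DJV" (DJVU single page, DJVM multi-page, DJVI shared).
DJVU_MAGIC = b"AT&TFORM"

# Constructed samples: a minimal DjVu header and a JPEG SOI/APP0 prefix.
SAMPLE_DJVU = DJVU_MAGIC + (4).to_bytes(4, "big") + b"DJVU"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn `exiftool -ver` output (e.g. '12.40') into a comparable tuple.
    ExifTool's minor numbers are always two digits, so tuple order matches
    the project's own numeric ordering."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed: str, minimum: str) -> bool:
    """True when the installed ExifTool is at or above the fixed release."""
    return parse_version(installed) >= parse_version(minimum)


def looks_like_djvu(data: bytes) -> bool:
    """Detect DjVu by container signature, not by file extension."""
    return len(data) >= 16 and data[:8] == DJVU_MAGIC and data[12:15] == b"DJV"


def should_run_exiftool(sample: bytes, installed: str, minimum: str) -> Tuple[bool, str]:
    """Decide whether the pipeline may hand this sample to ExifTool."""
    if is_patched(installed, minimum):
        return True, "exiftool at or above fixed release; proceed"
    if looks_like_djvu(sample):
        return False, "unpatched exiftool and DjVu container; quarantine and alert"
    return True, "unpatched exiftool but not DjVu; proceed and schedule upgrade"


def installed_exiftool_version() -> str:
    """Query the sandbox's ExifTool; `-ver` is the tool's real version flag."""
    return subprocess.run(["exiftool", "-ver"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    # "<FIXED_RELEASE>" is a placeholder: substitute the vendor's patched version.
    print(should_run_exiftool(SAMPLE_DJVU, installed_exiftool_version(), "<FIXED_RELEASE>"))
```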

Kind Regards,

