VMware patches serious vulnerabilities in ESXi hypervisor, SD-WAN Orchestrator

VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes.


Vulnerabilities in ESXi hypervisor exploited during a hacking competition

During the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month, Xiao Wei and Tianwen Tang, two researchers from the Qihoo 360 Vulcan Team, exploited two previously unknown vulnerabilities to thoroughly compromise VMware’s ESXi hypervisor:

  • CVE-2020-4004, deemed “critical”, is a use-after-free vulnerability in the XHCI USB controller that can be used by attackers with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host
  • CVE-2020-4005, deemed “important”, is a VMX elevation-of-privilege vulnerability that can be used by attackers with privileges within the VMX process to escalate their privileges on the affected system

CVE-2020-4004 affects various versions of ESXi, but also VMware Fusion (Mac virtualization solution), VMware Workstation Player (desktop hypervisor application) and VMware Cloud Foundation (ESXi). CVE-2020-4005 affects ESXi and VMware Cloud Foundation. Most patches are already available, but those for Cloud Foundation are still pending.

Users are advised to peruse this advisory and see whether they should update their installations.

VMware SD-WAN Orchestrator vulnerabilities

VMware has also released security updates for both supported branches (3.x and 4.x) of SD-WAN Orchestrator, its enterprise solution for provisioning virtual services in the branch, the cloud, or the enterprise data center.

They fix six vulnerabilities, including SQL injection vulnerabilities, a directory traversal file execution flaw, and default passwords for predefined accounts which may lead to a Pass-the-Hash attack. In that last instance, the update does nothing – it’s on administrators to change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.

The vulnerabilities are not deemed to be critical, as attackers need to be authenticated in order to exploit them.

Nevertheless, admins have been advised to upgrade their SD-WAN Orchestrator installations to version 4.0.1, 3.4.4, or 3.3.2 P3.

Half of the vulnerabilities have been discovered and reported by Ariel Tempelhof of Realmode Labs, the other half by Christopher Schneider, Cory Billington and Nicholas Spagnola, penetration test analysts at State Farm.

There are currently no reports of these vulnerabilities being exploited in the wild.

Operator‑billed 5G connections revenue to reach $357 billion by 2025

Operator‑billed revenue from 5G connections will reach $357 billion by 2025, rising from $5 billion in 2020, its first full year of commercial service, according to Juniper Research.


By 2025, 5G revenue is anticipated to represent 44% of global operator‑billed revenue owing to rapid migration of 4G mobile subscribers to 5G networks and new business use cases enabled by 5G technology.

However, the study identified 5G network roll-outs as highly resilient to the COVID-19 pandemic. It found that supply chain disruptions caused by the initial pandemic period have been mitigated through modified physical roll-out procedures, in order to maintain the momentum of hardware deployments.

5G connections to generate 250% more revenue than average cellular connection

The study found that 5G uptake had surpassed initial expectations, predicting total 5G connections will surpass 1.5 billion by 2025. It also forecast that the average 5G connection will generate 250% more revenue than an average cellular connection by 2025.

To secure a return on investment into new services, such as uRLLC (Ultra-Reliable Low-Latency Communication) and network slicing, enabled by 5G, operators will apply this premium pricing for 5G connections.

However, these services alongside the high-bandwidth capabilities of 5G will create data-intensive use cases that lead to a 270% growth in data traffic generated by all cellular connections over the next five years.

Networks must increase virtualisation to handle 5G data traffic

Operators must use future launches of standalone 5G networks as an opportunity to further increase virtualisation in core networks. Failure to develop 5G network architectures that handle increasing traffic will lead to reduced network functionality, inevitably leading to a diminished value proposition of an operator’s 5G network amongst end users.

Research author Sam Barker remarked: “Operators will compete on 5G capabilities, in terms of bandwidth and latency. A lesser 5G offering will lead to user churn to competing networks and missed opportunities in operators’ fastest-growing revenue stream.”

Cyber teams are getting more involved in M&A

Despite ongoing economic uncertainty amidst a global pandemic, many dealmakers remain optimistic about the outlook for the year ahead as they increasingly pursue alternative merger and acquisition (M&A) methods to navigate the crisis and pursue new disruptive business growth strategies.


According to a Deloitte survey of 1,000 U.S. corporate M&A executives and private equity firm professionals, 61% of survey respondents expect U.S. M&A activity to return to pre-COVID-19 levels within the next 12 months.

Soon after the WHO declared COVID-19 a pandemic on March 11, deal activity in the U.S. plunged — most notably during April and May.

Responding M&A executives say they tentatively paused (92%) or abandoned (78%) at least one transaction as a result of the pandemic outbreak. However, since March 2020, possibly aiming to take advantage of pandemic-driven business disruptions, 60% say their organizations have been more focused on pursuing new deals.

“M&A executives have moved quickly to adapt and uncover value in new and innovative ways as systemic change driven by the pandemic has resulted in alternative approaches to transactions,” said Russell Thomson, partner, Deloitte & Touche LLP, and Deloitte’s U.S. merger and acquisition services practice leader.

“We expect both traditional and alternative M&A to be an important lever for dealmakers as businesses recover and thrive in a post-COVID economy.”

Alternative dealmaking on the rise

For many, alternative deals are quickly outpacing traditional M&A activity as the search for value intensifies in a low-growth environment.

When asked which type of deals their organizations are most interested in pursuing, responding corporate M&A executives’ top choice was alternatives to traditional M&A, including alliances, joint ventures, and Special Purpose Acquisition Companies (45%) — ranking higher than acquisitions (35%).

Private equity investors plan to remain more focused on traditional acquisitions (53%), while simultaneously pushing pursuit of M&A alternatives — including private investment in public equity deals, minority stakes, club deals and alliances (32%).

“As businesses prepare for a post-COVID world, including fundamentally reshaped economies and societies, the dealmaking environment will also materially change,” said Mark Purowitz, principal, Deloitte Consulting LLP, with Deloitte’s mergers and acquisitions consulting practice, and leader of the firm’s Future of M&A initiative.

“Companies were starting to expand their definition of M&A to include partnerships, alliances, joint ventures and other alternative investments that create intrinsic and long-lasting value, but COVID-19 has accelerated dealmakers’ needs to create more optionality for their organizations’ internal and external ecosystems.”

Virtual dealmaking to continue playing large role post-pandemic

87% of M&A professionals surveyed report that their organizations were able to effectively manage a deal in a purely virtual environment, so much so that 55% anticipate that virtual dealmaking will be the preferred platform even after the pandemic is over.

However, virtual dealmaking does not remain without its own challenges. Fifty-one percent noted that cybersecurity threats are their organizations’ biggest concern around executing deals virtually.

“When it comes to cyber in an M&A world — it’s important to develop cyber threat profiles of prospective targets and portfolio companies to determine the risks each present,” said Deborah Golden, Deloitte Risk & Financial Advisory, cyber and strategic risk leader, Deloitte & Touche LLP.

“CISOs understand how a data breach can negatively impact the valuation and the underlying deal structure itself. Leaving cyber out of that risk picture may lead to not only brand and reputational risk, but also significant and unaccounted remediation costs.”

Other virtual dealmaking concerns included the ability to forge relationships with management teams (40%) and extended regulatory approvals (39%). When it comes to effectively managing the integration phase in a virtual environment, technology integration (16%) and legal entity alignment or simplification (16%) are surveyed M&A executives’ largest and most prevalent hurdles.

“It may be too early to assess the long-term implications of virtual dealmaking as many of the deals currently in progress now are resulting from management relationships that were formed pre-COVID. We also expect integration in a virtual setting will become much more complex a few months from now,” said Thomson.


“Culture and compatibility issues should be given greater attention on the diligence side, as they pose major downstream integration implications.”

International dealmaking declines, focus on domestic-only deals

Interest in foreign M&A targets declined in 2020 as corporate executives reported a significant shift in their approach to international dealmaking, with 17% reporting no plans to execute cross-border deals in the current economic environment, an 8 percentage point increase from 2019.

In addition, 57% of M&A executives say less than half of their current transactions involve acquiring targets operating primarily in foreign markets.

Notably, the number of survey respondents interested in pursuing deals with U.K. targets dropped by 8 percentage points, while Chinese targets declined by 7 percentage points. Interest in Canadian (32%) and Central American (19%) targets remained highest.

Using virtualization to isolate risky applications and other endpoint threats

More and more security professionals are realizing that it’s impossible to fully secure a Windows machine – with all its legacy components and millions of potentially vulnerable lines of code – from within the OS. With attacks becoming more sophisticated than ever, hypervisor-based security, from below the OS, becomes a necessity.

Unlike modern OS kernels, hypervisors are designed for a very specific task. Their code base is usually small, well-reviewed and well-tested, which makes them very hard to exploit. That is why the world trusts modern hypervisors to run servers, containers, and other workloads in the cloud, where such workloads sometimes run side-by-side on the same physical server with complete separation and isolation. For the same reason, companies are now leveraging this trusted technology to bring hardware-enforced isolation to the endpoint.

Microsoft Defender Application Guard

Microsoft Defender Application Guard (previously known as Windows Defender Application Guard, or just WDAG), brings hypervisor-based isolation to Microsoft Edge and Microsoft Office applications.

It allows administrators to apply policies that force untrusted web sites and documents to be opened in isolated Hyper-V containers, completely separating potential malware from the host OS. Malware running in such containers won’t be able to access and exfiltrate sensitive files such as corporate documents or the users’ corporate credentials, cookies, or tokens.

With Application Guard for Edge, when a user opens a web site that was not added to the allow-list, he is automatically redirected to a new isolated instance of Edge, continuing the session there. This isolated instance of Edge provides another, much stronger, sandboxing layer to cope with web threats. If allowed by the administrator, files downloaded during that session can be accessed later from the host OS.


With Application Guard for Office, when a user opens an unknown document, maybe downloaded from the internet or opened as an email attachment, the document is automatically opened in an isolated instance of Office.

Until now, such documents would be opened in “protected view”, a special mode that eliminates the threat from scripts and macros by disabling embedded code execution. Unfortunately, this mode sometimes breaks legit files, such as spreadsheets that contain harmless macros. It also prevents users from editing documents.

Many users blindly disable the “protected view” mode to enable editing, thereby allowing malware to execute on the device. With Application Guard for Office, users don’t compromise security (the malware is trapped inside the isolated container) nor productivity (the document is fully functional and editable inside the container).

In both cases, the container is spawned instantly, with minimal CPU, memory, and disk footprints. Unlike traditional virtual machines, IT administrators don’t need to manage the underlying OS inside the container. Instead, it’s built out of existing Windows system binaries that remain patched as long as the host OS is up to date. Microsoft has also introduced new virtual GPU capabilities, allowing software running inside the container to be hardware-GPU accelerated. With all these optimizations, Edge and Office running inside the container feel fast and responsive, almost as if they were running without an additional virtualization layer.

The missing compatibility

While Application Guard works well with Edge and Office, it doesn’t support other applications. Edge will always be the browser running inside the container. That means, for example, no Google accounts synchronization, something that many users probably want.

What about downloaded applications? Applications are not allowed to run inside the container. (The container hardening contains some WDAC policies that allow only specific apps to execute.) That means that users can execute those potentially malicious applications on the host OS only.

Administrators who don’t allow unknown apps on the host OS might reduce users’ productivity and increase frustration. This is probably more prominent today, with so many people working from home and using a new wave of modern collaboration tools and video conferencing applications.

Users who are invited to external meetings sometimes need to download and run a client that may be blocked by the organization on the host OS. Unfortunately, it’s not possible to run the client inside the container either, and the users need to look for other solutions.

And what about non-Office documents? Though Office documents are protected, non-Office documents aren’t. Users sometimes use various other applications to create and edit documents, such as Adobe Acrobat and Photoshop, Autodesk AutoCAD, and many others. Application Guard won’t help to protect the host OS from such documents that are received over email or downloaded from the internet.

Even with Office alone, there might be problems. Many organizations use Office add-ons to customize and streamline the end-user experience. These add-ons may integrate with other local or online applications to provide additional functionality. As Application Guard runs a vanilla Office without any customizations, these add-ons won’t be able to run inside the container.

The missing manageability

Configuring Application Guard is not easy. First, while Application Guard for Edge technically works on both Windows Pro and Windows Enterprise, only on Windows Enterprise is it possible to configure it to kick in automatically for untrusted websites. For non-technical users, that makes Application Guard almost useless in the eyes of their IT administrators, as those users have to launch it manually every time they consider a website to be untrusted. That’s a lot of room for human error. Even if all the devices are running Windows Enterprise, it’s not a walk in the park for administrators.

For the networking isolation configuration, administrators have to provide a manual list of comma-separated IPs and domain names. It’s not possible to integrate with your already fully configured web-proxy. It’s also not possible to integrate with category-based filtering systems that you might also have. Aside from the additional system to manage, there is no convenient UI or advanced capabilities (such as automatic filtering based on categories) to use. To make it work with Chrome or Firefox, administrators also need to perform additional configurations, such as delivering browser extensions.
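One way to keep an eye on the manual allow-list described above is to audit it from the host. The following PowerShell is an added example written for this article, not code from the article’s author or from Microsoft. It reads the Application Guard feature state and the network-isolation policy values and flags an empty or malformed trusted-site list. The registry paths and value names (the AppHVSI and NetworkIsolation policy keys, AllowAppHVSI_ProviderSet, EnterpriseCloudResources, EnterpriseNetworkDomainNames, EnterpriseIPRange, DomainSubnets, NeutralResources) are assumptions recalled from the Windows policy documentation and should be confirmed against it before the script is relied on; the optional feature name Windows-Defender-ApplicationGuard is the one used with Enable-WindowsOptionalFeature.

```powershell
# Added example (not from the article or Microsoft): audit the Application Guard
# feature state and the network-isolation allow-list that decides which sites
# open on the host and which are redirected to the container.
# Registry paths and value names below are assumptions; verify them against the
# NetworkIsolation and Application Guard policy documentation.

function Get-AppGuardAudit {
    $result = [ordered]@{}

    # Optional feature name used when installing Application Guard.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $result.FeatureState = if ($feature) { [string]$feature.State } else { 'Unknown' }

    # Application Guard policy key (assumed). AllowAppHVSI_ProviderSet is assumed to
    # turn Application Guard on for Edge, Office or both; absent means not configured.
    $hvsi = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -ErrorAction SilentlyContinue
    $result.ProviderSet = if ($hvsi -and $hvsi.PSObject.Properties['AllowAppHVSI_ProviderSet']) {
        $hvsi.AllowAppHVSI_ProviderSet
    } else { 'NotConfigured' }

    # Network isolation policy key (assumed): the comma-separated lists of IPs and
    # domain names that administrators must maintain by hand.
    $ni = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation' -ErrorAction SilentlyContinue
    foreach ($name in 'EnterpriseCloudResources', 'EnterpriseNetworkDomainNames', 'EnterpriseIPRange', 'DomainSubnets', 'NeutralResources') {
        $raw = if ($ni -and $ni.PSObject.Properties[$name]) { [string]$ni.$name } else { '' }
        # Split on commas, trim, and drop empties so a stray trailing comma is not counted.
        $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $result[$name] = $entries
    }

    # Findings a defender cares about.
    $findings = @()
    if ($result.FeatureState -ne 'Enabled') {
        $findings += 'Application Guard feature is not enabled.'
    }
    if ($result.ProviderSet -eq 'NotConfigured') {
        $findings += 'No Application Guard provider policy set; users must start isolated sessions manually.'
    }
    if ($result.EnterpriseCloudResources.Count -eq 0 -and $result.EnterpriseNetworkDomainNames.Count -eq 0) {
        $findings += 'No trusted domains defined; either every site is treated as untrusted or no redirection is happening.'
    }
    # EnterpriseIPRange entries are expected as start-end ranges (CIDR tolerated here).
    foreach ($entry in $result.EnterpriseIPRange) {
        if ($entry -notmatch '^[0-9a-fA-F.:]+-[0-9a-fA-F.:]+$' -and $entry -notmatch '^[0-9a-fA-F.:]+/\d+$') {
            $findings += "EnterpriseIPRange entry does not look like an address range: $entry"
        }
    }
    $result.Findings = $findings
    [pscustomobject]$result
}

# Run from an elevated prompt; policy keys are machine-wide.
Get-AppGuardAudit | Format-List
```

Run it as part of a scheduled compliance check and compare the emitted lists against the allow-list your web proxy already enforces; a drift between the two is exactly the “additional system to manage” problem the article describes.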

This is not a turnkey solution for administrators and it requires messing with multiple configurations and GPOs until it works.

In addition, other management capabilities are very limited. For example, while admins can define whether clipboard operations (copy+paste) are allowed between the host and the container, it’s not possible to allow these operations only one way and not the other. It’s also not possible to allow certain content types such as text and images, while blocking others, such as binary files.

OS customizations and additional software bundlings such as Edge extensions and Office add-ins are not available either.

While Office files are opened automatically in Application Guard, other file types aren’t. Administrators that would like to use Edge as a secure and isolated PDF viewer, for example, can’t configure that.

The missing security

As stated before, Application Guard doesn’t protect against malicious files that were mistakenly categorized to be safe by the user. The user might securely download a malicious file on his isolated Edge but then choose to execute it on the host OS. He might also mistakenly categorize an untrusted document as a corporate one, to have it opened on the host OS. Malware could easily infect the host due to user errors.

Another potential threat comes from the networking side. While malware getting into the container is isolated in some aspects such as memory (it can’t inject itself into processes running on the host) and filesystem (it can’t replace files on the host with infected copies), it’s not fully isolated on the networking side.

Application Guard containers leverage the Windows Internet Connection Sharing (ICS) feature, to fully share networking with the host. That means that malware running inside the container might be able to attack some sensitive corporate resources that are accessible by the host (e.g., databases and data centers) by exploiting network vulnerabilities.

While Application Guard tries to isolate web and document threats, it doesn’t provide isolation in other areas. As mentioned before, Application Guard can’t isolate non-Microsoft applications that the organization chooses to use but not trust. Video conferencing applications, for example, have been exploited in the past and usually don’t require access to corporate data – it’s much safer to execute these in an isolated container.

External device handling is another risky area. Think of CVE-2016-0133, which allowed attackers to execute malicious code in the Windows kernel simply by plugging a USB thumb drive into the victim’s laptop. Isolating unknown USB devices can stop such attacks.

The missing holistic solution

Wouldn’t it be great if users could easily open any risky document in an isolated environment, e.g., through a context menu? Or if administrators could configure any risky website, document, or application to be automatically transferred and opened in an isolated environment? And maybe also to have corporate websites to be automatically opened back on the host OS, to avoid mixing sensitive information and corporate credentials with non-corporate work?

How about automatically attaching risky USB devices to the container, e.g., personal thumb drives, to reduce chances of infecting the host OS? And what if all that could be easy for administrators to deploy and manage, as a turn-key solution in the cloud?

Is remote work here to stay?

There’s no doubt COVID-19 set the remote work revolution on a fast track. And on that fast track, VPN usage soared to new heights with no signs of it slowing down. Companies had no choice but to close up shop and send their workers home, and just as quickly had to figure out how to secure that workforce.


But just how big is the spike? In a study conducted by OpenVPN, 30% of employees polled say their company recently implemented remote work capabilities for the first time. 61% already had remote work rules in place.

The accelerated need for virtualization also meant a massive uptick in VPN usage — but not just any VPNs. Business VPNs are booming, according to the study.

“VPNs are critical to our remote mindset and provide us with flexibility of being remote.” – a survey participant.

68% of employees say their company expanded VPN usage as a direct result of COVID-19, and 29% say their organization started using a VPN for the first time.

But remote work is not completely new — in fact, it’s been on the rise for some time. Consider these stats:

From 2005 – 2017 there was a 159% jump in remote work. In 2015: 3.9 million U.S. workers were already remote. Today? Over 5 million. And there’s no sign of the surge slowing down now, or ever — especially in the current climate.

The study surveyed workers from 300 different companies across sectors such as technology, energy, education, healthcare, engineering, and construction, and explored how companies are handling the new remote era during the pandemic.

The study explored how organizations are handling the new COVID-19 remote era — and how they are securing their teams. The study seeks to answer the question: “Is remote work really the future?” If the numbers are any indication, the answer is a resounding YES.

Business VPNs are essential

Businesses are recognizing a layered approach is always the best approach for combating cyberattacks — and a necessary component of this approach is to invest in a reputable business VPN.

Even if every cell phone and laptop comes equipped with a personal VPN in the future, businesses will still need a secure way for workers to access a private network, and they will need an enterprise VPN to do so.

A personal VPN provides you with secure, private access to the internet, which is valuable in its own right — but a business VPN gives you the ability to remotely access private network resources, often essential for completing work, and to securely connect your company’s branches and locations worldwide.

Nearly 70% of employees polled say their companies expanded business VPN usage, and 29% say their organization started using it for the first time. That’s a big boom, mostly due to COVID-19… but is it here to stay?

Surprisingly, not all companies are on board.

Of the 21% of polled employees whose companies have never used a VPN, 71% went on to say their companies are still neglecting to utilize this essential security tool, despite switching to remote work. This suggests many companies still do not have a network security plan in place for remote work, despite the current crisis.

The good news is the companies that have started with secure remote access are almost unanimously in favor of maintaining that protocol: 99% of surveyed employees whose companies use a VPN believe those companies will continue usage after the emergency phase of COVID-19 is over. This encouraging percentage suggests that business VPNs will continue to be an essential part of secure remote access for years to come.

“We have always used VPN for remote work, with 2FA. It would be absolute lunacy to not do so, and there is not a chance on earth that we would discontinue use of our VPN.” – a survey participant.

Is the pandemic pushing organizations to finally go remote?

Employers that have the ability, but have still chosen not to offer their employees remote work capabilities during this time, are falling behind. Those polled describe their employers as uncaring and reckless — willing to risk their health and safety rather than make necessary adjustments.

“My company informed us remote work would be implemented soon. But that doesn’t make up for the fact that so many were furloughed due to lack of preparedness.” – a survey participant.

This illustrates an important point: companies must be prepared, or people will suffer.

Organizations that take the time to establish a secure remote strategy will be far ahead of competitors who choose not to. Offering flexibility can have an enormous impact on companies and the future of their business.

Remote employee: “I have worked from home for five years. Working remotely has given my company and me an edge over other companies that had to suddenly pivot and learn to work remotely. While they still struggle to learn, we have become the leaders and teachers for those who have never done this.”

Office-bound employee: “I think when the economy stabilizes a bit, I may consider finding a different job with a company that provides a safer work environment.”


People have mixed feelings about remote work during this stressful era

According to the study, only 5% of employees claim their company willfully chooses to prevent remote work, despite having the capability to provide it. Of that 5% still working at the office, 53% were worried about increased exposure, 29% claimed more stress and anxiety, and 18% had difficulty procuring childcare, suggesting that working in the office during a pandemic can have immediate and serious consequences for employees’ well-being.

Increased stress and anxiety have been found to have a direct effect on performance at work, which means those few employees still forced to go into the office are likely unable to perform at the level their employers would hope for.

In contrast, 30% of employees report that their company recently implemented remote work capabilities for the first time, while 61% already had remote work capabilities in place.

Of those 91% currently working from home, many report positive impacts on their work: 65% enjoy the flexibility, 40% claim fewer distractions, 36% say working from home lowers their stress and anxiety, and 33% have noticed an increase in their productivity.

Companies that have made this change have happier, less stressed employees — and, of course, the ability to continue operating during these unprecedented times.

Remote work should include secure access

“VPNs/remote access is key to allowing people to work when they can. This is the cornerstone of our business continuity plan.” – a survey participant.

Remote work and business VPNs go hand-in-hand; for your team to have secure access to the resources they need, a business VPN is critical to creating an infrastructure safe from breaches.

Will remote work become the norm? Only time will tell — but COVID-19 has certainly revealed that remote work capabilities often make or break a company’s success. Those without the ability to pivot often fall behind — and quickly.

VMware plugs critical flaw in vCenter Server, patch ASAP!

VMware has fixed a critical vulnerability (CVE-2020-3952) affecting vCenter Server, which can be exploited to extract highly sensitive information that could be used to compromise vCenter Server or other services which depend on the VMware Directory Service (vmdir) for authentication.


About CVE-2020-3952

VMware vSphere is VMware’s cloud computing virtualization platform. vCenter Server is server management software for controlling VMware vSphere environments.

“Under certain conditions vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0,” the company noted in an advisory published last week.

The vulnerability exists in vCenter Server 6.7, running on Windows or a virtual appliance, only if the installations were upgraded from a previous release line such as 6.0 or 6.5. It can be exploited by a malicious actor with network access to an affected vmdir deployment.

“Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected. vCenter Server versions 6.5 and 7.0 are unaffected,” the company pointed out.

How to fix the problem?

Administrators are advised to check whether their deployments are affected (here is how) and, if they are, update them to version 6.7u3f or 7.0.

There are no effective workarounds for this problem, though there are compensating controls admins can implement to minimize/mitigate the risk associated with it.

Bob Plankers, who works in the Cloud Platforms group at VMware, provided additional insight on those controls, on why it’s better to patch, and answered a number of questions admins may have regarding this flaw and the implementation of the fix.

CVE-2020-3952 was privately reported to VMware and there are currently no public PoC exploits for it. The company did not mention whether the flaw is being exploited in the wild, so it’s likely that it isn’t (yet).

Most enterprises choose multi-cloud strategies, 55% plan to invest in data virtualization

79% of enterprises want better integrated security and governance for their data in the cloud, a survey from AtScale reveals.


“As more enterprises embrace cloud transformation, IT and data teams face increased pressure to harness the power of data and analytics for business intelligence,” said Christopher Lynch, executive chairman and CEO at AtScale.

“Hybrid cloud and multi-cloud strategies are key to big data analytics. New data regulations and cybersecurity vulnerabilities are creating roadblocks for IT teams looking to use data for business intelligence, which is why data virtualization and data governance are top priorities in 2020.”

The survey polled more than 150 data and analytics leaders, IT/business intelligence practitioners, and business professionals from multiple industries around the globe on their enterprise cloud strategy, and their data and analytics priorities and challenges.

Data governance continues to be a top priority

The survey results reveal the majority of enterprises are choosing a multi-cloud or hybrid cloud strategy, and that data virtualization and data governance are top priorities for big data and analytics leaders. Key findings from the survey include:

  • 79% of enterprises use multi-cloud or hybrid cloud strategies – only 24% of those surveyed said they are all in with a single cloud vendor.
  • Companies are implementing data virtualization – 55% of respondents plan to invest in data virtualization in the near future if they are not already.
  • Data governance is a top challenge across the board – 80% of respondents said that data governance is very important to them.


“With the amount of data sharing happening across platforms and systems, data governance continues to be a top priority across the board with 80% of respondents stating that data governance is very important to them,” said John Mertic, director at ODPi.

“We see open source technologies as pathways towards unifying metadata silos and enabling compliance policies.”