Major gaps in virtual appliance security plague organizations
As evolution to the cloud is accelerated by digital transformation across industries, virtual appliance security has fallen behind, Orca Security reveals.
Virtual appliance security
The report illuminated major gaps in virtual appliance security, finding many are being distributed with known, exploitable and fixable vulnerabilities and on outdated or unsupported operating systems.
To help move the cloud security industry towards a safer future and reduce risks for customers, 2,218 virtual appliance images from 540 software vendors were analyzed for known vulnerabilities and other risks to provide an objective assessment score and ranking.
Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments.
“Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, CEO, Orca Security.
“The Orca Security 2020 State of Virtual Appliance Security Report shows how organizations must be vigilant to test and close any vulnerability gaps, and that the software industry still has a long way to go in protecting its customers.”
Known vulnerabilities run rampant
Most software vendors are distributing virtual appliances with known vulnerabilities and exploitable and fixable security flaws.
- The research found that less than 8 percent of virtual appliances (177) were free of known vulnerabilities. In total, 401,571 vulnerabilities were discovered across the 2,218 virtual appliances from 540 software vendors.
- For this research, 17 critical vulnerabilities were identified, deemed to have serious implications if found unaddressed in a virtual appliance. Some of these well-known and
easily exploitable vulnerabilities included: EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed.
- Meanwhile, 15 percent of virtual appliances received an F rating, deemed to have failed the research test.
- More than half of tested virtual appliances were below an average grade, with 56 percent obtaining a C rating or below (15.1 percent F; 16.1 percent D; 25 percent C).
- However, due to a retesting of the 287 updates made by software vendors after receiving findings, the average grade of these rescanned virtual appliances has increased from a B to an A.
Outdated appliances increase risk
Multiple virtual appliances were at security risk from age and lack of updates. The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.
- The research found that only 14 percent (312) of the virtual appliance images had been updated within the last three months.
- Meanwhile, 47 percent (1,049) had not been updated within the last year; 5 percent (110) had been neglected for at least three years, and 11 percent (243) were running on out of date or EOL operating systems.
- Although, some outdated virtual appliances have been updated after initial testing. For example, Redis Labs had a product that scored an F due to an out-of-date operating system and many vulnerabilities, but now scored an A+ after updates.
The silver lining
Under the principle of Coordinated Vulnerability Disclosure, researchers emailed each vendor directly, giving them the opportunity to fix their security issues. Fortunately, the tests have started to move the cloud security industry forward.
As a direct result of this research, vendors reported that 36,259 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution. Some of these key corrections or updates included:
- Dell EMC issued a critical security advisory for its CloudBoost Virtual Edition
- Cisco published fixes to 15 security issues found in the one of its virtual appliances scanned in the research
- IBM updated or removed three of its virtual appliances within a week
- Symantec removed three poorly scoring products
- Splunk, Oracle, IBM, Kaspersky Labs and Cloudflare also removed products
- Zoho updated half of its most vulnerable products
- Qualys updated a 26-month-old virtual appliance that included a user enumeration vulnerability that Qualys itself had discovered and reported in 2018
Maintaining virtual appliances
For customers and software vendors concerned about the issues illuminated in the report, there are corrective and preventive actions that can be taken. Software suppliers should ensure their virtual appliances are well maintained and that new patches are provided as vulnerabilities are identified.
When vulnerabilities are discovered, the product should be patched or discontinued for use. Meanwhile, vulnerability management tools can also discover virtual appliances and scan them for known issues. Finally, companies should also use these tools to scan all virtual appliances for vulnerabilities before use as supplied by any software vendor.