Organisations of all shapes and sizes are being left at risk of compromise by supplier failings around virtual appliance vulnerabilities, according to new research by Orca Security, which revealed major gaps in virtual appliance security.
In the research, conducted in April and May 2020, Orca Security probed 2,218 virtual appliance images from 540 software suppliers and uncovered a total of 401,751 vulnerabilities. Less than 8% of the virtual appliances were free of known vulnerabilities, and less than 5% were both free of known vulnerabilities and running on a supported, up-to-date operating system (OS).
A total of 17 of the vulnerabilities it found were critical and could have had serious implications if an attacker had found and exploited them. Many of the vulnerabilities found are well known and easily exploitable, including EternalBlue (SMBv1, CVE-2017-0144), DejaBlue (RDP, CVE-2019-1181 and CVE-2019-1182), BlueKeep (RDP, CVE-2019-0708), DirtyCOW (Linux kernel, CVE-2016-5195) and Heartbleed (OpenSSL, CVE-2014-0160).
“Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, CEO and co-founder of Orca Security.
“The Orca Security 2020 State of Virtual Appliance Security report shows how organisations must be vigilant to test and close any vulnerability gaps, and that the software industry still has a long way to go in protecting its customers.”
Orca’s researchers said that, as well as being riddled with vulnerabilities, many virtual appliances were at risk simply through age and lack of updates, with many suppliers failing either to update or to discontinue virtual appliances once they reached end of life.
It said only 14% of the scanned virtual appliance images had been updated in the previous three months, 47% had not been updated in the past year, 5% were neglected for at least three years, and 11% were running OSs that had reached end of life.
The most security-conscious software suppliers, which achieved “exemplary” scores on Orca’s matrix, were VMware, Nvidia, HashiCorp, BeyondTrust, Pulse Secure, Trend Micro, Barracuda Networks and Versasec. Some of the highest-profile failures included products from CA Technologies, FireMon, A10 Networks, Cloudflare, Micro Focus and Software AG.
Orca said that since alerting suppliers of the risks, a total of 287 products have been updated and 53 removed from circulation altogether, which has addressed just under 37,000 of the reported vulnerabilities.
As a result of disclosures made by Orca during its research, Dell EMC issued a critical security advisory for CloudBoost Virtual Edition, Cisco pushed fixes to 15 issues, IBM updated or removed three virtual appliances inside a week, Zoho updated nearly half of its products, and Qualys finally updated a product that contained a vulnerability it had found itself in 2018.
Also, Cloudflare, IBM, Kaspersky Labs, Oracle, Splunk and Symantec all removed a number of vulnerable products, and one supplier, HailBytes, took the time to record a personalised thank-you video after being contacted.
However, Orca also revealed that in 32 cases the suppliers said it was up to customers to patch virtual appliances, and in 24 cases suppliers claimed their virtual appliance vulnerabilities were not exploitable and that no action was needed. A few suppliers, which Orca did not name, even threatened legal action. As a result, a considerable number of products remain vulnerable.
Orca said that for enterprise security teams concerned by the report’s findings, there were steps they could take even where a supplier is not supporting virtual appliance security appropriately.
Firstly, it said, appropriate asset management can give security teams an understanding of the virtual appliances deployed across their estate. By appropriate, it means the inventory must cover both on-premises assets and those running in public cloud instances. It is also important not to overlook shadow IT deployments, particularly during the pandemic, because it is easy for a tech-savvy end user to obtain and deploy a virtual appliance on their own.
Secondly, vulnerability management tools should be used to discover virtual appliances and scan them for known vulnerabilities. Orca said it was important that these tools scanned every appliance, because an appliance cannot be assumed safe to use out of the box.
Thirdly, the vulnerability management process needs to be adapted to prioritise the most severe vulnerabilities, either by fixing them or, where necessary, by discontinuing use of the product.
Finally, Orca recommends that users keep lines of communication with their supplier partners open, approach them to understand their support processes and how they fix vulnerabilities that are disclosed, and do not hesitate to seek an alternative if the supplier does not measure up.
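As an added illustration of the four steps above, and not code from Orca or from the report, the following Python script applies the report’s own yardsticks (time since last update, whether the OS is past end of life, and the most severe known CVE) to an appliance inventory and ranks each image for patching, replacement or discontinuation. The inventory, the end-of-life table and the CVSS scores are entered here for illustration only; the CVE identifiers are the ones named in the article, but the dates and scores should be confirmed against the vendor lifecycle pages and NVD before the script is used on a real estate.

```python
"""Triage a virtual-appliance inventory using the report's measures.

Added example, not Orca's tooling. Inventory, OS end-of-life dates and
CVSS scores are constructed for illustration and must be verified.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Appliance:
    name: str
    vendor: str
    location: str            # "on-prem" or "cloud": inventory must cover both
    os: str
    last_updated: date       # date the vendor last published the image
    cves: dict = field(default_factory=dict)  # CVE id -> CVSS v3 base score


# Constructed end-of-life table; check vendor lifecycle pages before relying on it.
OS_EOL = {
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Ubuntu 14.04": date(2019, 4, 30),
    "CentOS 6": date(2020, 11, 30),
    "Ubuntu 18.04": date(2023, 5, 31),
}


def staleness_bucket(app, today):
    """Bucket an image by age of its last update, as the report does."""
    age_days = (today - app.last_updated).days
    if age_days <= 90:
        return "updated in last 3 months"
    if age_days <= 365:
        return "3-12 months"
    if age_days <= 3 * 365:
        return "1-3 years"
    return "3+ years"


def os_is_eol(app, today):
    eol = OS_EOL.get(app.os)
    return eol is not None and eol < today


def max_cvss(app):
    return max(app.cves.values(), default=0.0)


def recommended_action(app, today):
    """Return (priority, action); priority 0 is the most urgent."""
    eol = os_is_eol(app, today)
    score = max_cvss(app)
    bucket = staleness_bucket(app, today)
    if eol and score >= 9.0:
        return 0, "discontinue or isolate: critical CVE on an unsupported OS"
    if score >= 9.0:
        return 1, "patch now or demand a vendor fix"
    if eol:
        return 2, "plan replacement: OS past end of life"
    if score >= 7.0 or bucket in ("1-3 years", "3+ years"):
        return 3, "schedule update; ask vendor about its support process"
    return 4, "monitor"


def triage(inventory, today):
    """Rank the estate: by priority, then by highest CVSS score."""
    rows = []
    for app in inventory:
        prio, action = recommended_action(app, today)
        rows.append((prio, -max_cvss(app), app.name, action))
    rows.sort()
    return [(name, prio, action) for prio, _, name, action in rows]


def summarize(inventory, today):
    """Report-style percentages for the estate."""
    n = len(inventory)
    clean = sum(1 for a in inventory if not a.cves)
    eol = sum(1 for a in inventory if os_is_eol(a, today))
    stale = sum(1 for a in inventory if (today - a.last_updated).days > 365)
    return {"clean_pct": round(100 * clean / n),
            "eol_pct": round(100 * eol / n),
            "stale_year_pct": round(100 * stale / n)}


# Constructed inventory (hypothetical names and vendors).
TODAY = date(2020, 6, 1)
INVENTORY = [
    Appliance("win-rdp-jump-box", "VendorA", "on-prem", "Windows Server 2008 R2",
              date(2017, 6, 1), {"CVE-2019-0708": 9.8, "CVE-2017-0144": 8.1}),
    Appliance("vpn-concentrator", "VendorB", "cloud", "CentOS 6",
              date(2019, 12, 1), {"CVE-2016-5195": 7.8}),
    Appliance("log-collector", "VendorC", "cloud", "Ubuntu 18.04",
              date(2020, 4, 15), {}),
    Appliance("siem-forwarder", "VendorD", "on-prem", "Ubuntu 14.04",
              date(2018, 2, 1), {"CVE-2014-0160": 7.5}),
]

if __name__ == "__main__":
    for name, prio, action in triage(INVENTORY, TODAY):
        print(f"P{prio} {name}: {action}")
    print(summarize(INVENTORY, TODAY))
```

Running it lists the Windows 2008 R2 jump box first (critical CVE on an end-of-life OS, so patching is not an option and the image should be isolated or retired), then the end-of-life Ubuntu 14.04 forwarder for replacement, then the stale CentOS 6 VPN image for a scheduled update. The thresholds mirror the report’s buckets; a real deployment would feed the inventory from the cloud provider’s image listings and the hypervisor’s VM catalogue rather than a hard-coded list.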