Server racks in data center showing vulnerabilities in virtual appliances

Orca Security Research: Top Virtual Appliance Vendors Neglect the Security of their Products

Even though 2020 started with accelerated cloud computing adoption, Covid-19 kicked that into hyperdrive as remote working became the norm. Cybersecurity concerns surrounding a near 100 percent remote workforce also accelerated to ensure both users and cloud computing infrastructure remained safe. Orca Security underscored ever-present dangers in public cloud environments associated with neglected workloads, authentication issues, and lateral movement risk in the Orca Security 2020 State of Public Cloud Security Report.

In our second major research report of 2020, we focused on the role that virtual appliances play in keeping cloud computing secure. There are thousands of virtual appliances available from dozens of vendors. Amid this cloud computing growth, the Orca Security research team decided to investigate just how effective and efficient these products are in keeping us all safe.

The 2020 state of virtual appliance security: caveat emptor

Orca began a wide-reaching research and testing project to benchmark and evaluate the current state of virtual appliance security. In the test, each virtual appliance was numerically assessed and scored, resulting in a letter grade of A+ to F. As expected, these appliances ran the gamut. Many appliances were safe, effective, and fully updated. Others had known and fixable security flaws.

The result of this investigation is the Orca Security 2020 State of Virtual Appliance Security report. The report highlights significant gaps in virtual appliance security, finding many products are being distributed with known, exploitable, and fixable vulnerabilities and on outdated or unsupported operating systems. Orca Security scanned 2,218 virtual appliance images from 540 vendors for known vulnerabilities. In all, we found a total of 401,571 vulnerabilities.

From a cybersecurity and infosec best practices perspective, the report exposes areas of concern and caution, including:

  • Only 8 percent of virtual appliances were free of known vulnerabilities
  • More than half of tested virtual appliances were below an average grade; 56 percent received a failed (F), poor (D) or mediocre (C) rating
  • The research identified appliances with 17 critical vulnerabilities, including well-known and easily exploitable threats such as EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed.
  • Multiple virtual appliances were a security risk from neglect, age and lack of updates. 47 percent had not been updated within the last year; 16 percent hadn’t been updated for at least three years or were running on out of date operating systems

Moving the cloud security industry to a safer future

Under the principle of Coordinated Vulnerability Disclosure, Orca Security researchers emailed each software vendor, giving them the opportunity to fix their issues. The responses were generally forward-thinking: most vendors stepped-up to address their appliance deficiencies uncovered by the research. But some did not.

Vendors removed 36,938 vulnerabilities by patching or discontinuing their virtual appliances from distribution. In all, 287 software products have been updated, while 53 have been removed from distribution. Some of these critical corrections or updates included:

  • Dell EMC issued a critical security advisory for its CloudBoost Virtual Edition
  • Cisco published 15 security fixes found in one of its virtual appliances
  • IBM updated or removed 3 of its virtual appliances within one week
  • Symantec removed three poorly scoring products
  • Splunk, Oracle, IBM, Kaspersky Labs, and Cloudflare also removed products
  • Zoho updated half of its most vulnerable products
  • Qualys updated a 26-month-old virtual appliance that included a user enumeration vulnerability that Qualys itself had discovered and reported in 2018

Ensuring a more secure, safer cloud future

This research, and other investigations like it, will hopefully keep vendors diligent and transparent regarding maintaining their appliances. However, here are four steps your organization can take to reduce future risk from virtual appliances:

  1. Asset management can provide you with an understanding of the virtual appliances deployed across your organization. This must include both internal platforms and the public cloud. Don’t overlook informal deployments (shadow IT) and transient test environments.
  2. Vulnerability management tools can discover virtual appliances and scan for known vulnerabilities and other security issues. Ensure the vulnerability management process in your organization scans all virtual appliances; you cannot assume they’re safe to use as supplied by vendors.
  3. The vulnerability management process should prioritize actions to be taken by identifying the most severe vulnerabilities. In the short-term, there are two choices: fix a product or immediately stop using it.
  4. In the longer-term for running appliances, understand the support and patching practices of incumbent vendors. Get a clear statement on how they intend to fix vulnerabilities, if at all. Seek an alternative if a given vendor’s support processes are not satisfactory.
Only 8% of virtual appliances were free of known vulnerabilities based on scan of more than 2,000 images from 540 vendors. #cybersecurity #respectdataClick to Tweet