Orca Security disclosed that it has found 401,571 vulnerabilities on 2,218 virtual appliance images from 540 software vendors.
CEO of Orca Security Avi Shua said virtual appliances are essentially black boxes that IT organizations assume are being patched regularly by the IT vendors that created them. As it turns out, however, less than 8% of the of the virtual appliances scanned by Orca Security were free of known vulnerabilities. Less than 5% of those appliances were both free of vulnerabilities and running on an operating system that is still being maintained, the report finds.
Since alerting vendors of these risks, 287 products have been updated with another 53 removed from distribution. For example, Dell EMC issued a critical security advisory; Cisco Systems published fixes to 15 found security risks; and IBM, Symantec, Kaspersky Labs, Oracle, Splunk, ZOHO and Cloudflare all removed outdated or vulnerable virtual appliances.
Ironically, Qualys updated a 26-month-old virtual appliance that included a user enumeration vulnerability that it itself had discovered and reported in 2018.
Orca Security reported 36,938 of the discovered vulnerabilities were being addressed. That leaves more than 300,000 vulnerabilities for internal cybersecurity teams to address, of which 17 have been deemed critical in that they involve well-known exploits such as EternalBlue, DejaBlue, BlueKeep, DirtyCOW and Heartbleed.
Shua said this issue with virtual machines is only coming to light now because Orca Security developed “side-scanning” technology that examines block storage out of band via a software-as-a-service (SaaS) platform to surface security issues involving vulnerabilities, malware, misconfigurations, leaked and weak passwords, lateral movement risks and high-risk data. That approach eliminates the need to deploy agent software and network scanners. In the case of virtual appliances, it’s not even possible to employ those technologies because the platform is controlled by the IT vendor, he said.
As part of its research, Orca Security made certain it only scanned the latest available version of a virtual appliance, Shua said. Older versions of an appliance that might contain more vulnerabilities were not included on the assumption that many of those vulnerabilities already had been addressed.
Overall, 15% of the virtual appliances received an F rating, while 56% obtained a C rating or below. The research found that only 312 of the virtual appliance images had been updated within the last three months, while 1,049 had not been updated within the last year. Only 110 had been neglected for at least three years, but 243 were running on out-of-date or end-of-life (EOL) operating systems. There is also no correlation between the size of the vendor that provided the virtual appliance and its relative security, Shua said.
Each IT organization will need to determine to what degree it should replace or update virtual machines on its network that, compared to the rest of their IT environment, are not as secure. Most organizations should assume that at the very least cybercriminals working on behalf of nation-states have already discovered many of these vulnerabilities. Starting today, of course, many others know as well.