Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

10/13/2020
05:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Orca Security Research Reveals How Software Industry Unwittingly Distributes Virtual Appliances with Known Vulnerabilities

NEWS HIGHLIGHTS

Software vendors are often distributing their wares on virtual appliances with exploitable and fixable vulnerabilities, and running on outdated or unsupported operating systems:

  • The Orca Security research study found 401,571 total vulnerabilities in scanning 2,218 virtual appliance images from 540 software vendors.
  • Less than 8 percent of virtual appliances were free of known vulnerabilities. Meanwhile, less than 5 percent were both free of vulnerabilities and running on a maintained operating system.
  • The research has started to move the cloud security industry to a safer future. Since alerting vendors of these risks, 287 products have been updated and 53 removed from distribution, leading to 36,938 discovered vulnerabilities being addressed.
  • For example, Dell EMC issued a critical security advisory; Cisco published fixes to 15 found security risks; and IBM, Symantec, Kaspersky Labs, Oracle, Splunk, ZOHO and Cloudflare all removed outdated or vulnerable virtual appliances.

LOS ANGELES – October 13, 2020 – The “Orca Security 2020 State of Virtual Appliance Security” report found that as evolution to the cloud is accelerated by digital transformation across industries, keeping virtual appliances patched and secured has fallen behind. The report illuminated major gaps in virtual appliance security, finding many are being distributed with known, exploitable and fixable vulnerabilities and on outdated or unsupported operating systems.

To help move the cloud security industry towards a safer future and reduce risks for customers, Orca Security analyzed 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking.

Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments.

“Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, Orca Security CEO and co-founder. “The Orca Security 2020 State of Virtual Appliance Security Report shows how organizations must be vigilant to test and close any vulnerability gaps, and that the software industry still has a long way to go in protecting its customers.”

Top report findings include:

Known Vulnerabilities Run Rampant

Most software vendors are distributing virtual appliances with known vulnerabilities and exploitable and fixable security flaws.

  • The research found that less than 8 percent of virtual appliances (177) were free of known vulnerabilities. In total, 401,571 vulnerabilities were discovered across the 2,218 virtual appliances from 540 software vendors.
  • For this research, Orca Security identified 17 critical vulnerabilities deemed to have serious implications if found unaddressed in a virtual appliance. Some of these well-known and easily exploitable vulnerabilities included: EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed.
  • Meanwhile, 15 percent of virtual appliances received an F rating, deemed to have failed the research test.
  • More than half of tested virtual appliances were below an average grade, with 56 percent obtaining a C rating or below (15.1 percent F; 16.1 percent D; 25 percent C).
  • However, due to Orca Security’s retesting of the 287 updates made by software vendors after receiving findings, the average grade of these rescanned virtual appliances has increased from a B to an A.

Outdated Appliances Increase Risk

Multiple virtual appliances were at security risk from age and lack of updates. The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.

  • The research found that only 14 percent (312) of the virtual appliance images had been updated within the last three months.
  • Meanwhile, 47 percent (1,049) had not been updated within the last year; 5 percent (110) had been neglected for at least three years, and 11 percent (243) were running on out of date or EOL operating systems.
  • Although, some outdated virtual appliances have been updated after initial testing. For example, Redis Labs had a product that scored an F due to an out-of-date operating system and many vulnerabilities, but now scored an A+ after updates.

The Silver Lining

Under the principle of Coordinated Vulnerability Disclosure, Orca Security researchers emailed each vendor directly, giving them the opportunity to fix their security issues.

Fortunately, the tests have started to move the cloud security industry forward. As a direct result of this research, vendors reported to Orca Security that 36,938 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution. Some of these key corrections or updates included:

  • Dell EMC issued a critical security advisory for its CloudBoost Virtual Edition
  • Cisco published fixes to 15 security issues found in one of its virtual appliances scanned in the research
  • IBM updated or removed three of its virtual appliances within a week
  • Symantec removed three poorly scoring products
  • Splunk, Oracle, IBM, Kaspersky Labs and Cloudflare also removed products
  • Zoho updated half of its most vulnerable products
  • Qualys updated a 26-month-old virtual appliance that included a user enumeration vulnerability that Qualys itself had discovered and reported in 2018

Maintaining Virtual Appliances

For customers and software vendors concerned about the issues illuminated in the report, there are corrective and preventive actions that can be taken.

Software suppliers should ensure their virtual appliances are well maintained and that new patches are provided as vulnerabilities are identified. When vulnerabilities are discovered, the product should be patched or discontinued for use. Meanwhile, vulnerability management tools can also discover virtual appliances and scan them for known issues. Finally, companies should also use these tools to scan all virtual appliances for vulnerabilities before use as supplied by any software vendor.

Report Resources Now Available:

About Orca Security

Orca Security is the cloud security innovation leader, providing instant-on, workload-level security and visibility for AWS, Azure, and GCP without the gaps in coverage and operational costs of agents.

Delivered as SaaS, Orca Security’s patent-pending SideScanning™ technology reads your cloud configuration and workloads’ runtime block storage out-of-band, detecting vulnerabilities, malware, misconfigurations, lateral movement risk, weak and leaked passwords, and unsecured PII.

Orca Security deploys in minutes – not months – because no opcode runs within your cloud environment. With Orca, there are no overlooked assets, no DevOps headaches, and no performance hits on live environments.

And unlike legacy tools that operate in silos, Orca treats your cloud as an interconnected web of assets, prioritizing risk based on environmental context. This does away with thousands of meaningless security alerts to provide just the critical few that matter, along with their precise path to remediation.

Connect your first cloud account in minutes and see for yourself. Visit orca.security.

About the Orca Security 2020 State of Virtual Appliance Security Report

The Orca Security 2020 State of Virtual Appliance Security Report was a wide-reaching research and testing project to benchmark the current state of virtual appliance security. Between April 20 and May 20, 2020, Orca Security scanned 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
CVE-2021-32553
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.
CVE-2021-32554
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg package apport hooks, it could expose private data to other local users.