400,000 Vulnerabilities and Counting

Study Finds 2,200 Virtual Appliances with 400,000 Vulnerabilities and Outdated Software

Virtual appliances have been eliminating the need for dedicated hardware across all services. They are often less expensive and just as easy to deploy as-is on cloud platforms. However these types of appliances can also pose a risk to organizations across all critical infrastructure sectors, even if provided by major vendors.

400,000 Vulnerabilities and Outdated Software

Orca Security, a provider of security scanning tools, disclosed that it had found 401,571 vulnerabilities on 2,218 virtual appliance images from 540 vendors. Virtual appliances are essentially black boxes that IT organizations assume are being patched regularly by the IT vendors that created them.  Many virtual appliances that were being distributed through the public marketplaces of common cloud platforms, such as AWS, Azure, VMware, and Google Cloud Platform. Orca stated that in many cases, that these virtual appliances are often the same as provided directly by major vendors.

Before making their findings public, Orca contacted each of the impacted vendors. Orca claimed that the affected vendors addressed around 36,000 of the 400,000 identified vulnerabilities. 287 products were patched while 53 of the virtual appliances were removed altogether. That leaves more than 300,000 vulnerabilities for internal cybersecurity teams to address, of which 17 have been deemed critical, as they included well-known exploits such as EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed. Reluctant vendors said it was up to customers to ensure that their virtual appliances were patched, while others refused to take any action, arguing that the identified vulnerabilities were not exploitable.

As part of its research, Orca Security made certain in only scanned the latest available version of a virtual appliance. Overall, 15% of the appliances received an F rating, while 56% obtained a C rating or below. Orca noted that more expensive products did not necessarily result in better security compared to less expensive or free appliances. In many cases, vendors had top marks, but fell short in security measures. The data presented serves only as a guide, providing an idea as to how vendors approach the support and maintenance of their virtual appliances.

Recommendations for organizations to reduce the risk posed by the use of virtual appliances include:

  • Asset management for keeping track of virtual appliances
  • Include all virtual appliances in regular network/vulnerability scans; do not assume they are safe
  • A focused vulnerability management process that prioritizes the most serious issues; integrating threat intelligence into your vuln management and CI/DC pipeline via CYR3CON’s PR1ORITY, AI-driven predictive threat platform
  • Contact respective vendors to understand their support process and how arising vulnerabilities are addressed; seek an alternative if a given vendor’s support processes are not satisfactory

CYR3CON offers a Predictive Threat Assessment to GRF customers. Take advantage of the offer and receive a list of targeted vulnerabilities and have access to PR1ORITY reporting for 7 days.