Only eight percent of virtual appliances are free of vulnerabilities
Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments, but new research shows appliances often have exploitable and fixable vulnerabilities, or are running on outdated or unsupported operating systems.
The Orca Security research study found 401,571 total vulnerabilities when scanning 2,218 virtual appliance images from 540 software vendors. Fewer than eight percent of the virtual appliances were free of known vulnerabilities.
"Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems," says Avi Shua, Orca Security's CEO and co-founder. "The Orca Security 2020 State of Virtual Appliance Security Report shows how organizations must be vigilant to test and close any vulnerability gaps, and that the software industry still has a long way to go in protecting its customers."
The research identified 17 critical vulnerabilities deemed to have serious implications if left unaddressed in a virtual appliance. Some of these well-known and easily exploitable vulnerabilities include EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed.
Of the appliances examined, 15 percent received an F rating, meaning they failed the research test, while 56 percent obtained a C rating or below. However, retesting of 287 updates made by software vendors after receiving the findings revealed that the average grade of these re-scanned virtual appliances increased from a B to an A.
Age and update frequency are an issue too. The research found that only 14 percent (312) of the virtual appliance images had been updated within the last three months. 47 percent (1,049) had not been updated within the last year, five percent (110) had been neglected for at least three years, and 11 percent (243) were running on out-of-date or end-of-life operating systems.
Orca suggests that vendors should ensure their virtual appliances are well maintained and that new patches are provided as vulnerabilities are identified. When vulnerabilities are discovered, the product should be patched or withdrawn from use. It also suggests using vulnerability management tools to scan all virtual appliances for vulnerabilities before deploying them.
You can read more and get the full report on the Orca blog.