Half of all virtual appliances have outdated software and serious vulnerabilities

Virtual appliances are a popular way for software vendors to distribute their products to enterprise customers: they contain the complete, pre-configured software stack an application needs to function and can be deployed in public clouds or private data centers with ease. Unfortunately, according to a new study, enterprises are at risk of deploying images that are vulnerable out of the box. The study found that many vendors, including well-established ones, do a poor job of patching flaws and updating the software components in their virtual appliances.

Few virtual appliances get good security grades

Orca Security, a cloud security company, scanned more than 2,200 virtual appliance images from 540 vendors that were being distributed through the public marketplaces of common cloud platforms including VMware, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform. The appliances were both commercial and free-to-use, contained both proprietary software and open-source, and were supplied by both security and non-security vendors.

The company created a scoring system from 0 to 100 that took into account whether the appliances were running supported or no longer supported operating system versions, contained one or more of 17 high-profile and high-risk vulnerabilities such as Heartbleed, EternalBlue and DirtyCOW, contained one or more other vulnerabilities rated above CVSS 9 (critical), or had one or more vulnerabilities rated between CVSS 7 and 9.

A grading system from A+ (exemplary) to F (failed) was also used. A virtual appliance would automatically fail the test if it had an unsupported operating system, contained four of the 16 high-profile vulnerabilities, had 20 or more flaws with CVSS 9 and higher, had 100 or more flaws with CVSS 7 to 9, or had more than 400 unique vulnerabilities. Fifteen percent of the tested appliances received an F and the lowest recorded score was 6 out of 100. Another 16% received a D rating (poor), 25% received a C (mediocre) and 12% a B (above average). Only 8% received an A+ and 24% an A.
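The automatic-fail criteria above are concrete enough to check against a scanner's output for one's own image. The following is an added example, not Orca's scoring code: it applies those five thresholds to a constructed list of findings. The high-profile set holds only the three names the article mentions, the identifiers are labelled placeholders rather than real CVE numbers, and treating a CVSS of exactly 9.0 as "9 and higher" rather than "7 to 9" is an assumption.

```python
from dataclasses import dataclass

# High-profile vulnerabilities named in the article; the study's full list is not
# reproduced on the page, so only these three names are used here.
HIGH_PROFILE = {"Heartbleed", "EternalBlue", "DirtyCOW"}


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # constructed placeholder identifier, not a real CVE number
    cvss: float         # CVSS base score as reported by the image scanner
    name: str = ""      # well-known name, if the flaw has one


def fail_reasons(findings, os_supported):
    """Return the automatic-fail criteria an image trips (empty list = no auto-fail).

    Thresholds follow the article: unsupported OS, four or more high-profile flaws,
    20+ flaws at CVSS 9 or higher, 100+ flaws at CVSS 7 to 9, or more than 400
    unique vulnerabilities. Counting CVSS 9.0 in the upper band is an assumption.
    """
    unique = list({f.vuln_id: f for f in findings}.values())  # count each flaw once
    reasons = []
    if not os_supported:
        reasons.append("unsupported operating system")
    high_profile = sum(f.name in HIGH_PROFILE for f in unique)
    if high_profile >= 4:
        reasons.append(f"{high_profile} high-profile vulnerabilities (limit 4)")
    critical = sum(f.cvss >= 9.0 for f in unique)
    if critical >= 20:
        reasons.append(f"{critical} flaws at CVSS >= 9 (limit 20)")
    high = sum(7.0 <= f.cvss < 9.0 for f in unique)
    if high >= 100:
        reasons.append(f"{high} flaws at CVSS 7-9 (limit 100)")
    if len(unique) > 400:
        reasons.append(f"{len(unique)} unique vulnerabilities (limit 400)")
    return reasons


def constructed_image():
    """Constructed scanner output for one image: 3 named flaws plus 25 critical ones."""
    named = [Finding("PLACEHOLDER-0001", 7.5, "Heartbleed"),
             Finding("PLACEHOLDER-0002", 8.1, "EternalBlue"),
             Finding("PLACEHOLDER-0003", 7.8, "DirtyCOW")]
    critical = [Finding(f"PLACEHOLDER-{n:04d}", 9.8) for n in range(100, 125)]
    # A duplicate report of the same flaw must not inflate any of the counts.
    return named + critical + [critical[0]]


if __name__ == "__main__":
    for reason in fail_reasons(constructed_image(), os_supported=True):
        print("FAIL:", reason)
```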

In total, Orca’s scanning identified 401,571 vulnerabilities across 2,218 appliances. The subsequent notification of affected vendors resulted in 287 products being updated and 53 being removed from distribution. Some vendors had products at both ends of the spectrum. Some vendors were responsive, but others argued it was customers’ responsibility to update the appliance’s software and patch any existing flaws after deployment.

Infrequent virtual appliance updates

As expected, the number of vulnerabilities discovered per appliance was directly tied to how frequently the appliance was being updated by its publisher. Almost half hadn’t been updated by vendors over the past year and only 2.8% (64) had been updated within the month before Orca’s scans. Another 14% (312) had been updated within the previous three months.

Copyright © 2020 IDG Communications, Inc.