Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances

Virtual appliances, even if they are provided by major software or cybersecurity vendors, can pose a serious risk to organizations, according to a report published on Tuesday by cloud visibility firm Orca Security.

Virtual appliances can be highly useful to organizations as they eliminate the need for dedicated hardware, they are often inexpensive or free, they are easy to configure and maintain, and they can be easily deployed on cloud platforms. Many virtual appliances can be used as provided.

Orca Security used its SideScanning technology to check virtual appliances for vulnerabilities and outdated operating systems. The company scanned a total of more than 2,200 virtual appliances from 540 vendors in April and May, and identified over 400,000 vulnerabilities.

The virtual appliances were obtained from marketplaces associated with cloud platforms such as AWS, VMware, Google Cloud Platform, and Microsoft Azure, but Orca says these virtual appliances are in many cases the same as the ones provided directly by vendors.

Orca’s analysis, which involved giving each appliance a security risk score ranging between 0 and 100, found that appliances from 8% of vendors had no issues. These vendors, which got an A+ grade, include Trend Micro, Pulse Secure, BeyondTrust and Versasec.

Nearly a quarter of the tested vendors had virtual appliances that got an A grade and 12% got a B. However, 15% of the tested appliances got an F, including ones from CA Technologies, Software AG, Intel, Zoho, Symantec, A10 Networks, Cloudflare and Micro Focus.

However, Orca noted that some vendors had some of their appliances graded A or A+ and other appliances graded F. This includes Intel, Symantec, Zoho, Cognosys and Tibco.

Vulnerabilities in virtual appliances

Orca contacted each of the impacted vendors before making its findings public. The company says vendors have addressed roughly 36,000 of the 400,000 identified vulnerabilities, either by deploying patches or by removing the virtual appliance altogether. Specifically, 287 products have been updated and 53 have been removed.

The list of companies that have taken action includes Dell EMC, Cisco, IBM, Symantec, Splunk, Oracle, Kaspersky, Cloudflare, Zoho, and Qualys.

On the other hand, some vendors said it was up to customers to ensure that their virtual appliances are patched, while others refused to take any action, arguing that the identified vulnerabilities were not exploitable. Unsurprisingly, some vendors threatened to take legal action against Orca.

One interesting observation made by the cybersecurity firm is that more expensive products did not obtain a higher score compared to less expensive and even free products.

“Simply because a vendor scores top marks doesn’t mean all its virtual appliances are guaranteed to be risk-free. The data presented serves only as a guide, providing an idea as to how vendors approach the support and maintenance of their virtual appliances. Some scored well and deserve a measure of trust. Others have done badly, and their products should be approached with caution,” Orca said in its report.

The company has also shared some recommendations for organizations to reduce the risk posed by the use of virtual appliances. This includes asset management for keeping track of virtual appliances, vulnerability management tools that can discover weaknesses, and a vulnerability management process that prioritizes the most serious issues.

Orca’s State of Virtual Appliance Security 2020 Report is available on the company’s website.

Related: Virtualized Cloud Visibility Firm Orca Security Raises $20.5 Million

Related: Over 22,000 Vulnerabilities Disclosed in 2019: Report

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
