When deploying new software for your enterprise, there are a number of things to consider: cost, hardware, and what value it provides. One area of consideration that is often lacking is how to ensure the software stays up to date and doesn’t become a security liability. Containerized applications usually excel in this area because they can be deployed and upgraded with ease. In many cases you just restart the application and it’s automatically updated to the latest version. Virtual appliances follow a similar idea, keeping the application isolated in its own virtual environment so that it can be managed with ease. Containers and virtual appliances aren’t magic, though: they require long-term management from whoever publishes them to stay secure. What happens when vendors forget about their own virtual appliances? Orca Security, a security company focusing on cloud applications, recently set out to answer this question.
In a quest to quantify the state of virtual appliance security, Orca recently scanned over 2200 virtual appliances from 540 vendors. Before actually running the scans, they devised a scoring system ranging from 0-100 that takes into account factors such as operating system version and application version. They also looked for known vulnerabilities such as HeartBleed, DirtyCOW, and many high-CVSS-scoring vulnerabilities, both in the system as a whole and in the specific applications running on the appliance. This system was used to grade appliances from A+ to F based on the numerical score.
The results of their scans were concerning. Only 8% of the appliances scanned received an A+ rating. 12% received a B rating, 25% received a C rating, 16% received a D rating, and the remaining 15% of the appliances received an F rating. Over 400,000 vulnerabilities were found across all the scanned appliances once everything was complete. Unsurprisingly, appliances that received more frequent updates fared better in the vulnerability scans. Almost half of the appliances had received no updates in the year before the scans started, and only 16.8% of them had been updated in the 3 months leading up to the scanning.
Orca believes that poor internal security processes are responsible for the majority of the vulnerable appliances. When appliances or software reach end of life, they often remain available for download for an unknown amount of time, and people keep deploying them. In some cases, the publisher may not even be aware that they’re still offering severely outdated software for download. It is important to verify that your infrastructure remains patched and up to date, virtual or not.