The findings illuminated how thousands of cloud software solutions are being distributed by major companies like IBM, Dell, Oracle, Cisco, and Symantec with known, exploitable, and fixable security flaws.
Virtual appliances are a highly effective medium for technology companies to distribute their software. However, like any other piece of technology, they too can be vulnerable.
A recent report by Orca Security demonstrates this by scanning 2,218 virtual appliance images belonging to 540 different software vendors, the majority of them (69.3%) located in North America. The results were alarming: 401,571 vulnerabilities were found in total.
These vulnerabilities were traced to 497 of the vendors, with the remaining 43 found to be completely free of vulnerabilities. Examples of the latter include Trend Micro, BeyondTrust, Pulse Secure, and Versasec.
To get a more comprehensive picture, the researchers also divided the software vendors into categories based on their security strength, as shown in the figure below:
Explaining the criteria used to assign an A grade, Orca states in its report that,
If a virtual appliance had no fixable vulnerabilities, and its operating system was currently maintained and supported, it would achieve a maximum score of 100. Of the 2,218 virtual appliances tested, only 4.6% (103) received this score.
What is disappointing is that the 15% that failed includes renowned companies such as Intel, Cloudflare, and Symantec. This raises serious questions about their credibility, since with vulnerabilities of this severity a compromise of their virtual appliances was all but inevitable.
Orca Security informed all the affected companies of its findings so that the problems could be fixed. However, only 80 of them replied, and 24 of those deemed the vulnerabilities “non-exploitable” and therefore refused to take any action.
This could seriously haunt these companies in the future, as it is only a matter of time before attackers find a way to make such a vulnerability “exploitable”.
The vendors that did respond positively include tech notables such as Cisco, IBM, Symantec, and Dell, which took different actions depending on the specific virtual appliance: updating it, issuing patches, or withdrawing the product entirely.
For example, Symantec had 4 appliances, of which only 1 received an A grade, 1 a D, and 2 an F. In response, it has ended distribution of all but the A-grade appliance.
To conclude, research reports of this type are very helpful to companies on the cybersecurity front: they reveal flaws that the companies' own security teams have left undetected, so a second pair of eyes is always beneficial.
A remaining concern is the vendors who either did not reply or declined to issue any patch, which would no doubt place a great number of customers at risk. With this in mind, we would recommend that enterprise and home users alike stick with reputable vendors who actually take action when faced with such reports.