Cybersecurity: How safe are your virtual appliances?

This article first appeared in The Edge Malaysia Weekly, on November 2, 2020 - November 08, 2020.

Just as robbers can break into your house to steal your physical appliances, hackers can do the same with your virtual appliances that use cloud services.

In fact, virtual appliances may be more vulnerable. After conducting a test on over 2,000 virtual appliances from 540 vendors this year, Orca Security found that only 8% were free of known vulnerabilities. Even products by some established brands were found to be riddled with them. These results are published in The Orca Security 2020 State of Virtual Appliance Security report.

A virtual appliance refers to a software application that resides and operates in a preconfigured virtual environment or platform, according to Techopedia (see box story).

“The barrier to entry for selling a physical appliance [for business purposes] is higher. But the barrier to entry for selling a virtual appliance is low because it’s a software. That’s why there are many vendors offering it these days. But it seems like a lot of them do not ensure that it’s updated and maintained properly,” says Avi Shua, CEO and co-founder of Orca Security.

The company used its patent-pending SideScanning technology and found that 15% of software vendors failed its test, while less than 10% had no known vulnerabilities. Some well-known vendors such as Intel and Symantec had products at both ends of the spectrum.

In addition, only 14% of the tested virtual appliance images have been updated within the last three months, while 47% have not been updated in the past year. The pricier virtual appliances do not necessarily achieve higher scores either.

The SideScanning technology targets 16 vulnerabilities in virtual appliances that could present risks. In the worst-case scenario, exploit codes may target the known vulnerabilities and enable attacks. SideScanning also uncovers misconfigurations, weak authentication and insecure data, among other problems.

Fortunately, some vendors have taken action after receiving Orca Security’s report. Overall, 534 products named have been updated and 39 removed from distribution. Among the companies that took the results seriously were Cisco, Intel, Dell, IBM, TrendMicro and Qualys.

Shua advises businesses to work with reputable vendors when selecting virtual appliances going forward. Users should demand regular software updates and patches for any known vulnerabilities, he adds.

“Also, make sure that you use something that is the main product of the company. Otherwise, you might be stuck with something that is not maintained well.”

The vendors with higher scores in the report were more likely to respond to Orca Security’s emails, Shua observes. This shows that these companies probably have dedicated security teams to handle any problem.

“I’m a big believer of basic cybersecurity. People like to talk about complex solutions but they should make sure that their basics are handled well. If vendors are still shipping solutions with thousands of known vulnerabilities, then there is no need to talk about advanced cybersecurity. On the flip side, we’ve seen vendors that have processes that continuously maintain and update their appliances,” says Shua.

Scores: Examples of virtual appliances tested

Exemplary: BeyondInsight by BeyondTrust, version 3.2 UVM 3.2.0 BI 6.9.0
Exemplary: TensorFlow from NVIDIA AMI, version 20.03.1, running on Ubuntu 18.04
Well maintained: HashiCorp Vault OSS, version vault-1.3.2-20200129.01 (Fixed version issued after notification)
Above average: OpenVPN Access Server (500 connected devices) version 2.7.5 (Updated version issued after notification)
Mediocre: Qualys Virtual Firewall Appliance HVM version Qualys-WAF-AWS-1.4.0 running Centos 6.9 (Updated version issued after notification)
Mediocre: Dell EMC CloudBoost Virtual Edition, version 19.2 (Critical security advisory issued after report)
Poor: Symantec Protection Engine for Cloud Services on Linux (BYOL), version 8.0.0 (Product removed after notification)
Failed: Redis Enterprise Software (RS) versions 5.4.6-18 (Product updated after notification)
Failed: Symantec Control Compliance Suite – BYOL 11.1 (Product removed after notification)

What is a virtual appliance?

According to Orca Security, IT systems have always depended on appliances to perform specific functions, such as network routing and security screening.

In the past, these appliances came in hardware form and were installed in data centre racks next to servers. The appliances were costly, so businesses only purchased a limited number of them.

Nowadays, the appliances are virtual, much like software, and cost way less than hardware. This has resulted in a proliferation of affordable virtual appliances that can be easily deployed within private or public cloud platforms.

Meanwhile, customers just use the images provided by the appliance via a user interface. Many of these appliances are free to use and many are available via marketplaces associated with major cloud platforms, including Amazon Web Services and Microsoft Azure.