Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances

Virtual appliances, even if they are provided by major software or cybersecurity vendors, can pose a serious risk to organizations, according to a report published on Tuesday by cloud visibility firm Orca Security.

Virtual appliances can be highly useful to organizations as they eliminate the need for dedicated hardware, they are often inexpensive or free, they are easy to configure and maintain, and they can be easily deployed on cloud platforms. Many virtual appliances can be used as provided.

Orca Security used its SideScanning technology to check virtual appliances for vulnerabilities and outdated operating systems. The company scanned a total of more than 2,200 virtual appliances from 540 vendors in April and May, and identified over 400,000 vulnerabilities.

The virtual appliances were obtained from marketplaces associated with cloud platforms such as AWS, VMware, Google Cloud Platform, and Microsoft Azure, but Orca says these virtual appliances are in many cases the same as the ones provided directly by vendors.

Orca’s analysis, which involved giving each appliance a security risk score ranging between 0 and 100, found that appliances from 8% of vendors had no issues. These vendors, which got an A+ grade, include Trend Micro, Pulse Secure, BeyondTrust and Versasec.

Nearly a quarter of the tested vendors had virtual appliances that got an A grade and 12% got a B. However, 15% of the tested appliances got an F, including ones from CA Technologies, Software AG, Intel, Zoho, Symantec, A10 Networks, Cloudflare and Micro Focus.

However, Orca noted that some vendors had some of their appliances graded A or A+ and other appliances graded F. This includes Intel, Symantec, Soho, Cognosys and Tibco.

Orca contacted each of the impacted vendors before making its findings public. The company says vendors have addressed roughly 36,000 of the 400,000 identified vulnerabilities, either by deploying patches or by removing the virtual appliance altogether. Specifically, 287 products have been updated and 53 have been removed.

The list of companies that have taken action includes Dell EMC, Cisco, IBM, Symantec, Splunk, Oracle, Kaspersky, Cloudflare, Zoho, and Qualys.

On the other hand, some vendors said it was up to customers to ensure that their virtual appliances are patched, while others refused to take any action, arguing that the identified vulnerabilities were not exploitable. Unsurprisingly, some vendors threatened to take legal action against Orca.

One interesting observation made by the cybersecurity firm is that more expensive products did not obtain a higher score compared to less expensive and even free products.

“Simply because a vendor scores top marks doesn’t mean all its virtual appliances are guaranteed to be risk-free. The data presented serves only as a guide, providing an idea as to how vendors approach the support and maintenance of their virtual appliances. Some scored well and deserve a measure of trust. Others have done badly, and their products should be approached with caution,” Orca said in its report.

The company has also shared some recommendations for organizations to reduce the risk posed by the use of virtual appliances. This includes asset management for keeping track of virtual appliances, vulnerability management tools that can discover weaknesses, and a vulnerability management process that prioritizes the most serious issues.

Orca’s State of Virtual Appliance Security 2020 Report is available on the company’s website.

Related: Virtualized Cloud Visibility Firm Orca Security Raises $20.5 Million

Related: Over 22,000 Vulnerabilities Disclosed in 2019: Report