Many organizations take advantage of hardware virtualization, and VMware is a market leader in the virtual infrastructure space with its ESXi, vCenter and other offerings. Like Microsoft, VMware is security conscious and routinely provides updates and patches to address known vulnerabilities.
Yet time and again, our internal scans of client environments show that companies ironically fail to patch their virtual infrastructure, even though in many cases they’re faithfully patching the Microsoft virtual servers that depend on it.
Why You Need to Install VMware Patches Regularly
If you have virtual hardware and/or virtual operating system environments in place, you need to plan for and patch those environments on a routine basis just as you do Microsoft environments.
Just like with Microsoft products, vulnerabilities in virtual machine products run the gamut for DDoS to remote code execution to man-in-the-middle flaws. Many of these are critical vulnerabilities that could give attackers privileged access to data and services.
For example, in December 2016, new VMware patches were meant to remediate critical vulnerabilities in its ESXi and vSphere Data Protection (VDP) products. VMware stated that VDP includes a private SSH key with a known password that permits key-based authentication. A hacker with access to the network could exploit this flaw to log into the compromised appliance with root privileges.
Similarly, in November 2016, VMware quickly turned around a patch for a critical code execution flaw that could have allowed an attacker to access a virtual instance and run code on the host system. Fortunately, it appears that researchers (who won a $150,000 reward) found this vulnerability before the hackers did.
Overall, there were 24 VMware security vulnerabilities issued in 2016, as security experts and hackathon competitors directed increasing effort towards VMware products.
As the above notes illustrate, it is equally important to patch VMware systems as it is to patch Microsoft systems. Regular patching not only helps close security loopholes, but also helps eliminate bugs, reduce downtime and avoid unexpected problems in your IT environment.
I’m not sure why VMware patching seems comparatively “patchy” (pardon my pun). Perhaps admins consider Microsoft server patches, application patches, desktop patches, etc. to all be higher priority. Perhaps VMware doesn’t do quite as good a job as Microsoft in organizing and disseminating its patches. Maybe maintaining virtual systems isn’t seen as critical in relation to operating systems and applications.
But from a security perspective, virtual infrastructure is just as important as any other component of the IT environment and offers just as many opportunities for hackers to compromise your systems and data.
To talk over how a hands-on vulnerability assessment and/or an expert assessment of your VMware patch management program can help your company’s information security posture, contact Pivot Point Security.
More Information About Cyber Security for Virtual Environments
- VMware’s security advisories page—as you’ll see if you browse these, there are a wide range of vulnerabilities from SSH key-based authentication issues to cross-site scripting to local privilege escalation and so on.
- VMware’s security hardening guides
- A presentation on virtualization security best practices
- The “top 11” virtualization risks