Companies are working with petabytes of data every day. This data is collected across thousands of inputs, from questionnaires to cookies, and then processed to provide key indicators for products and services. This workload requires a lot of processing power, storage, organization, and so on, which means a lot of servers are needed to handle all of the internal and external operations. Purchasing hardware for each task would be incredibly expensive, so companies lean heavily on virtual machines (VMs) to have the machines they need with far less hardware.
A virtual machine is essentially a computer within a computer. With the proper hardware, a server can run multiple virtual machines, so you can run 10 servers while only purchasing one physical server. Having all of this at your fingertips makes management much easier, but it requires proper training for deployment. Virtual machines regularly run the same operating system as the physical server, or host machine, that they run on. This brings all of the benefits of that operating system, but also its downfalls. It is important to understand that network vulnerabilities still exist on virtual machines, especially if they have network shares mapped and full Internet connectivity.
With these points understood, there are other potential vulnerabilities that can be introduced when deploying virtual machines. These are usually brought onto the physical server by the virtual machine management solution. These management solutions include VMware vCenter/vSphere, Hyper-V, Veeam ONE, etc. Vulnerabilities in software are common, and this software is no different. Staying up to date on releases and news from your management solution's vendor is imperative to stay ahead of any recently found vulnerabilities.
Recent vulnerabilities affecting virtual machines
In 2020, VMware had to send out an emergency patch to fix a critical vulnerability. This vulnerability had the potential to provide access to vCenter Server and other services that relied on the Directory Service for authentication. The vulnerability existed in the HTTPS plugin of the vCenter dashboard. An attacker would be able to inject and run code remotely with escalated privileges on the device, without having to authenticate at all.
Again in 2021, VMware issued an emergency patch in February after a proof of concept (PoC) was released for another critical vulnerability. When the vulnerability was addressed, around 6700 vCenter servers were noted to be vulnerable and accessible over the internet. The PoC was released before VMware was aware of the vulnerability, which means quite a few scans were launched against vCenter servers. A considerable number of those scans were launched by the Chinese researcher who released the PoC, in order to track it.
This was another attack targeting HTTPS to gain access to vCenter, which could lead to access to the entire network. Mass scanning was launched to find this vulnerability before the PoC was released and before VMware was able to respond. A vulnerability that attackers know about before the vendor does is known as a zero-day vulnerability. The attack was a simple string sent using the command line tool curl to exploit the HTTPS vulnerability.
Lessons Learned
With all of this in mind, it is important to look not just at the benefits but also at the potential downfalls of virtual machines. They bring a huge ease of management, with all of the machines being in one place; no physical hardware failures on any of the machines except for the host; reduced physical space, along with less need to purchase multiple physical servers; and many other cost-saving benefits. However, as we have seen, there are downsides to virtual machines. The software that is required to manage these virtual machines can become a target for adversaries. If you have only one host machine running all of your critical components, it becomes a single point of failure for both operations and security.
When weighing whether to go with a virtual infrastructure, ensure you are assessing the risks to your critical infrastructure. Once the infrastructure is in place, it still requires maintenance, monitoring, and periodic testing for vulnerabilities, just as physical servers do. A thorough vulnerability assessment should be performed periodically in order to be proactive. Your security posture can benefit greatly from recurring vulnerability assessments, as they will look at patch management as well as known vulnerabilities in the wild that may affect your network. Further, to curb the threat of non-catalogued threats and zero-days, a thorough accounting of your risk posture and monitoring for anomalous behavior should also be taken into account. Shadowscape offers thorough vulnerability assessments and even more comprehensive Threat Preparation Assessments that marry risk to vulnerabilities and threats, designed to mature your security posture toward proactivity.