Recurring critical vulnerabilities for VMware products this year indicate a worrying trend for customers that suggests the virtualization leader is taking a more reactive approach to security.
The company's VMware Horizon product got hit hard by the Log4j vulnerability, and earlier this month VMware found itself entangled in an emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) that impacts up to 10 VMware products.
It was the 10th emergency directive issued by CISA since the agency was founded in late 2018.
Virtualization software is ubiquitous and managing the technology is further complicated by its many parts, ExtraHop CISO Jeff Costlow wrote in an email. Threat actors target vulnerabilities across these disaggregated systems before patches are released or deployed by impacted organizations.
VMware’s reputation in this regard has also taken a hit.
“Sometimes past performance is an indicator of future performance. In other words, when there are bugs or vulnerabilities in software, there are often more bugs,” Costlow wrote.
Threat actors search for vulnerabilities in commonly used software, he said. ExtraHop estimates roughly 8% of enterprise environments are potentially at risk from VMware’s latest vulnerability disclosure.
VMware’s omnipresence in enterprise and government infrastructure makes it a particularly attractive target for opportunistic threat actors, with the potential for widespread ramifications. VMware Horizon is a widely used virtual desktop application that allows workers to operate remotely.
The same exposure is a frequent problem for many popular vendors, creating a tension in the security market more broadly.
But VMware is far from the worst offender with security vulnerabilities. Five of the 10 CISA emergency directives issued to date involved Microsoft products with similarly critical concerns.
The Log4j vulnerability earned emergency directive status from CISA too.
Urgent or not, vulnerabilities are common and are being discovered more frequently across the industry, likely in response to the recent increase in major disruptions such as Log4j, said Allie Mellen, an analyst at Forrester.
“As we speed up the delivery of certain types of software, especially in the cloud, these patches are going to be more and more frequent,” Mellen said. “It's just inevitable that we're going to see more frequent development cycles, and therefore more frequent patching and updates to protect systems.”
VMware has fallen into a common pattern of late with vulnerability disclosures leading to security updates followed soon after by more exploits. Threat actors have quickly targeted unpatched VMware systems after vulnerabilities are disclosed, and more recently threat actors reverse engineered a VMware update to exploit unpatched systems within 48 hours.
Enterprises and government agencies are exposed to these threats in part because of how pervasive VMware products are in their underlying technology and infrastructure. Its foundational technology allows enterprises to run multiple applications and workloads as virtual machines in an abstraction layer on on-premises or cloud-provider hardware.
Alongside vulnerabilities and their far-reaching impact on customers, VMware has to worry about new corporate owners. Broadcom on Thursday announced its plan to acquire VMware for $61 billion, effectively making VMware’s security risk Broadcom's problem if the deal closes.
VMware acknowledged product risks, including the Log4j vulnerability and heightened permissions required by its products, in its latest 10-K filing with the U.S. Securities and Exchange Commission.
“We may not be able to anticipate the techniques used in such attacks, as they change frequently and may not be recognized until launched or at all,” VMware wrote in the filing. “Our products and services are highly technical and complex and, when deployed, contain errors, defects or security vulnerabilities, some of which may not be discovered before or after a product or service has been released, installed and used.”
VMware did not respond to questions for this article.
The nature of the vulnerabilities, as described by CISA’s emergency directive, is highly concerning because attackers can run malicious code from a remote location and bypass typical controls such as authentication or access permissions, said Dale Gardner, a senior director analyst at Gartner.