Continued weaknesses place VMware under pressure for security improvement
In the realm of cybersecurity, software giants like VMware are under increasing scrutiny. Threat actors have recently been found actively hunting for exploitable vulnerabilities in VMware's software, a concerning development that has damaged the company's reputation.
These vulnerabilities often lie in disaggregated systems, which makes them particularly dangerous: attackers can target them before patches are released, or before customers have deployed them. ExtraHop recently estimated that roughly 8% of enterprise environments could be at risk from VMware's latest vulnerability disclosure.
One such vulnerability was Log4j (Log4Shell), which affected VMware's Horizon product. The pace of such vulnerability discoveries appears to be accelerating in the wake of major disruptions like Log4j.
VMware's ubiquitous virtualization software, used extensively across enterprise and government infrastructure, allows multiple applications and workloads to run as virtual machines on shared hardware. That omnipresence makes it an attractive target for threat actors.
Threat actors have been quick to exploit unpatched VMware systems once vulnerabilities are disclosed. In some cases they have reverse-engineered VMware's updates and exploited unpatched systems within 48 hours of a patch being released.
The nature of these vulnerabilities, as described in CISA's emergency directive, is highly concerning: attackers can execute malicious code remotely and bypass standard controls such as authentication and access permissions.
This is not the first time VMware has found itself named in a CISA emergency directive. For comparison, five of the ten such directives issued to date involved Microsoft products with similarly critical concerns.
The latest CISA emergency directive covers up to 10 VMware products. VMware did not respond to questions for this article.
Corporate stakeholders are trying to understand the risk calculus of their technology stacks and whether they are potential targets. Dale Gardner, a senior director analyst at Gartner, said the nature of these vulnerabilities suggests more bugs are likely to follow.
Broadcom's proposed $61 billion acquisition of VMware could make VMware's security risks Broadcom's problem if the deal closes, though the cybersecurity implications of the acquisition are not yet fully understood.
This is the 10th emergency directive CISA has issued since its founding in late 2018. The Log4j vulnerability also earned emergency directive status from CISA, underscoring the severity of the issue.
In its latest 10-K filing with the U.S. Securities and Exchange Commission, VMware acknowledged product risks, including the Log4j vulnerability and the elevated privileges its products require. As the threat landscape continues to evolve, it is crucial that companies like VMware address such vulnerabilities promptly and effectively.