Escalating threats targeting the hypervisor are driving more enterprises to reconsider how they host their tier-one applications.
Australian enterprises of all types have grown accustomed to running their application estates on virtualised server infrastructure.
The trend towards server virtualisation grew out of a desire to reduce physical server sprawl, power costs and requirements for data centre space. This could be accomplished by having multiple virtual servers (virtual machines) running inside a single physical server using a hypervisor, driving up utilisation to deliver, in a Gartner analyst's words, "the most efficient compute per kilowatt".
While this produced good results for many years, for organisations that still run some or most of their application estate on virtualised on-premises server hardware, it is fast becoming a "legacy platform", due to growing security threats and technical debt against the hypervisor software that is central to its operation.
Since 2020, in the predominant (but not only) virtualisation ecosystem, VMware (purchased by Broadcom in 2023), 334 vulnerabilities have been assigned a Common Vulnerabilities and Exposures (CVE) identifier. That volume signals that the hypervisor is a product that belongs in an organisation's patch management strategy and that security professionals must prioritise its remediation.
According to CVE Details, one in five of those vulnerabilities was rated "critical"; that is, if exploited, it could lead to the affected VMware solution being compromised. And the trend is rising. The number of hypervisor vulnerabilities with CVE identifiers is increasing, and the expectation is that the number and severity of threats against hypervisors will continue to escalate.
For enterprises with large virtualised server footprints on-premises or under direct administration in their own or co-located data centre space, itโs a question of de-risking and mitigation. Delaying critical patches will only lead to unacceptable risks.
But remediation may not be simple.
The problem is most acute for tier-one applications executing as virtual machines on on-premises servers. This subset of mission-critical software suites would cripple key business functions or the ability to generate revenue if it went offline, even for a short period during a hypervisor patching cycle. It becomes impractical to take tier-one virtual machines offline periodically to patch hypervisors in response to each emerging threat. Therefore, alternative options need to be considered.
Mapping all the available mitigation options
Despite their age, two vulnerabilities – assigned CVE-2021-21974 and CVE-2020-3992 – are symptomatic of the broader threat facing heavily virtualised on-premises environments. If conditions for exploitation are met, both could lead to a full hypervisor outage including the entire application estate that relies on the hypervisor for virtualisation.
Given the threat of this occurring, the first reaction of SecOps teams is likely to be to try to patch the vulnerabilities, but this generally means taking the entire hypervisor offline and either pausing or stopping all the virtual machines it hosts. Considering the frequency and criticality of these vulnerabilities, this workflow, which intentionally takes the entire environment offline, could recur multiple times a year.
Organisations that have gone all-in on server virtualisation can have dozens to hundreds of virtual machines in operation on one hypervisor. The ability to set up an emergency patching window and take these machines down will depend on the severity of the vulnerability, and the mission-critical nature of the workloads running on these machines.
Either way, patching may require a lengthy outage window. In a 24×7 business, or one with operations in multiple geographies working to a "follow the sun" model, this is likely to be unacceptable. This is especially the case when the hypervisors housing tier-one applications are needed to keep business operations running smoothly, or when they host services such as DNS and DHCP on which remote access to the hypervisor itself depends.
Still, the threat of all tier-one applications on virtualised infrastructure being taken offline by an attack against the hypervisor is a key concern that needs to be addressed – today.
Organisations realistically have three options available to mitigate the threat, aside from just continuing as-is.
Two of these options involve drawing a line and stopping the inclusion of tier-one applications in virtual environments altogether. In one of these options, organisations can avoid hypervisor-based risks by reverting to running the application on-premises on physical hardware. While more secure, this kind of hands-on hardware approach may not even be possible for some organisations.
The other option here would be to move the virtual machines – and the tier-one applications hosted in those machines – out from dedicated on-premises infrastructure into a platform-as-a-service or similar managed environment. This has the advantage of the cloud provider maintaining and patching the infrastructure, removing that burden and providing the high availability needed for business operations.
The third option is for organisations to commit to modernisation of their application ecosystem, adopting Software-as-a-Service (SaaS) in place of on-premises versions of software. For cloud-oriented organisations, this may be a desired end state for much of the application estate anyway, and so the growing security threats against virtualised on-premises infrastructure may serve as a driver to speed up application estate modernisation efforts.
Determining which option is best will vary, depending on an enterprise's individual circumstances. If they haven't already, organisations should tier their application estate by mission criticality, so that they understand which applications are tier-one, require immediate remediation, and what the organisation depends on them for. Then, they should carefully consider whether moving the VM to the cloud, or moving to a SaaS-based solution, would better serve the needs of the business when frequent hypervisor patching is required to maintain an acceptable security posture.
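As an added illustration (not from the article or any vendor tool) of the decision logic above, this script combines hypervisor advisory severity with the criticality tier of the VMs each host carries, so the hosts whose exposure cannot wait for a scheduled window stand out. The inventory, version labels, CVSS scores and exploitation flags are constructed sample data; only the two CVE identifiers come from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    tier: int                   # 1 = tier-one (mission-critical) ... 3 = best effort

@dataclass(frozen=True)
class Host:
    name: str
    version: str                # constructed version label, not a real build number
    vms: tuple

@dataclass(frozen=True)
class Advisory:
    cve: str
    affected: frozenset         # version labels the advisory applies to
    cvss: float                 # constructed sample score, not the published one
    exploited: bool             # exploitation reported in the wild (constructed flag)

def patch_window(host: Host, advisories: list) -> tuple:
    """Return (window, applicable CVE ids) for one hypervisor host."""
    hits = [a for a in advisories if host.version in a.affected]
    if not hits:
        return "none", []
    top_tier = min(vm.tier for vm in host.vms) if host.vms else 3
    worst = max(hits, key=lambda a: (a.exploited, a.cvss))  # exploited trumps score
    critical = worst.cvss >= 9.0
    if top_tier == 1 and (worst.exploited or critical):
        window = "emergency"    # tier-one workload exposed: patch or relocate now
    elif worst.exploited or worst.cvss >= 7.0:
        window = "next_maintenance"
    else:
        window = "routine"
    return window, sorted(a.cve for a in hits)

def triage(hosts: list, advisories: list) -> dict:
    """Map every host name to its patch window and the CVEs driving it."""
    return {h.name: patch_window(h, advisories) for h in hosts}

# Constructed inventory and advisory records; the CVE ids are the two the article names.
HOSTS = [
    Host("hv-01", "v1", (VM("erp-db", 1), VM("wiki", 3))),
    Host("hv-02", "v1", (VM("test-ci", 3),)),
    Host("hv-03", "v2", (VM("billing", 1),)),
]
ADVISORIES = [
    Advisory("CVE-2021-21974", frozenset({"v1"}), 8.8, True),
    Advisory("CVE-2020-3992", frozenset({"v1", "v2"}), 7.5, False),
]
```

Running `triage(HOSTS, ADVISORIES)` separates the host carrying a tier-one VM under an exploited flaw (emergency) from hosts that can wait for the next maintenance window.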
Whatever path is decided, the payoff is in no longer having to accept the risk of having unpatched hypervisors that could be exploited by attackers, leading to extensive business downtime. Given rising threats targeting hypervisors, a new plan is a prudent business decision everyone should consider today.