An Adobe Flash Ghost May Be Haunting Your Data Center
Flash may be dead, but it lingers in more enterprise data centers than you might think, creating a massive vulnerability.
Adobe's Flash Player officially hit its end of life on January 1, 2021. It was a security risk while it was still alive. To data centers, it’s even more of a risk now that it's dead.
That’s because the technology is often embedded into other systems, some of which may be critical for data center operations.
A Troubled History
The tool, known at the time as Macromedia Flash, was first released 25 years ago to add interactive graphics to websites. In addition to making the internet more annoying, it was used for casual games like Zynga’s FarmVille (which sucked up endless work hours, destroying productivity).
The proprietary platform was often criticized for its non-standard design, problems with accessibility, its tendency to degrade performance, and its abuse by advertisers.
More critically, it was a cybersecurity nightmare. Last spring, Flash made the list of CISA's ten most exploited vulnerabilities of the previous three years. Mitre lists more than 1,000 Adobe Flash vulnerabilities.
Flash ranks 14th among all products by number of vulnerabilities – one of only two applications in the top 25 that aren’t operating systems or browsers. The other, Acrobat, is also an Adobe product.
At its worst, in 2015, four of the five most exploited zero-days were in Flash, according to Symantec.
This means that if there's an old version of Flash running somewhere in your environment, it might have more than one thousand known vulnerabilities – on top of any zero-days attackers might have up their sleeves.
Why Flash Is So Hard to Eradicate
It's a mistake to think that Flash is all about online ads and casual games, irrelevant to data center cybersecurity managers.
It's embedded deep into many critical systems.
For example, HP and VMware often used Flash to present device management information, said Ron Machol, presale account manager at data center infrastructure management company MagicFlex.
"They eventually started moving over to HTML5," he told DCK. "But plenty of data centers have old versions still that are using Flash. Many of the customers we talk to don't even realize that they have Flash."
Data center managers need to identify all the firmware and software that might be using Flash and come up with an upgrade plan. Sometimes that can be a problem because of dependencies on other systems, he said.
"And sometimes you can't upgrade because there's no newer version or it's end-of-life itself," he added.
If that happens, data centers will need to set up a security zone around the vulnerable system, he said.
"Put it in some sort of DMZ, some area that's completely separate from anywhere else," he said. "So that any security issue that's raised by Flash can't get to the rest of the data center."
In an ideal world, everyone would be running the latest version of every system, said Eytan Kaplan, head of marketing and sales at MagicFlex. "But then you go into all your data centers and in real life they're maybe not state of the art. People are using devices from three, four, five – even eight years ago."
One customer, a large Japanese tire manufacturer, uses eight-year-old networking devices, he said. And in an on-prem data center, systems are interconnected.
A virtual connection manager might be using Flash, and to move off of it, a data center might need to upgrade its blades. However, the new version might not work well with existing switches.
"Our customers are facing that all the time," Kaplan said. "It's a nightmare."
As more and more data centers shift to the cloud, this is becoming less of a problem. "But older data centers face this configuration management issue every day," he said.
Software Inventories Often Out of Date
But before a data center can even start to address its Flash problems (and other legacy software risks) it first has to find that software.
According to a survey released by Ponemon Institute and ServiceNow last summer, only 44 percent of companies said they were able to patch vulnerabilities in a timely manner. And in organizations that had a breach in the previous two years, 60 percent said a patch was available but had not been applied.
And 52 percent of respondents said they were at a disadvantage because they used manual processes.
One MagicFlex customer, a large bank, started preparing for Flash end of life last November, said the bank's director of IT infrastructure. For security reasons, he did not want to be quoted by name.
"Our data center is a complex multi-vendor infrastructure, and we had to check each vendor's devices separately," he said.
The bank thought it got them all. "We thought that we were fully prepared and covered against all threats that might be caused by the Flash security vulnerability," he said.
But after running a data center audit using MagicFlex, it discovered that two management utilities for data center devices had Flash as part of their user interfaces.
It would have been almost impossible to find this manually, he said.
"It's not something that people think they have a problem with," said Kaplan. "It's hidden. It's not on the surface. That's why it's such a perfect loophole for hackers."
Some of the common data center products that use Flash are HPE VCM version 4.8 and earlier, VMware v6.5 and earlier, some of the older versions of Hitachi Storage Navigator, EMC Unified Infrastructure Manager v4.1, Avaya Pod Orchestration Suite, NetApp OnCommand Unified Manager Core (DFM) 5.2.X, and Dell VNXe Unisphere.
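As an added illustration (not code from the article or from MagicFlex), here is a small Python inventory check that turns the product list above into version rules and also spots Flash markers in a saved copy of a management-UI page; the product-name keys, verdict labels and sample hosts are my own assumptions, and products the article lists without a version bound are flagged for manual review rather than guessed at.

```python
import re
from itertools import takewhile

# Products the article names as shipping Flash-based management UIs.
# ("le", bound): flagged at that version and earlier; ("eq", prefix): flagged
# when the version starts with that prefix; None: no bound given, review by hand.
FLASH_RULES = {
    "HPE VCM": ("le", (4, 8)), "VMware": ("le", (6, 5)),
    "EMC Unified Infrastructure Manager": ("le", (4, 1)),
    "NetApp OnCommand Unified Manager Core": ("eq", (5, 2)),
    "Hitachi Storage Navigator": None, "Avaya Pod Orchestration Suite": None,
    "Dell VNXe Unisphere": None,
}
# Markers that betray a Flash-based UI in a saved page (the CLSID is the
# Flash Player ActiveX control referenced by <object> embeds).
FLASH_MARKERS = re.compile(
    r"application/x-shockwave-flash|\.swf\b|swfobject|"
    r"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000", re.IGNORECASE)

def parse_version(text):
    """'v6.5.0' -> (6, 5, 0); stops at the first non-numeric part ('5.2.X')."""
    pieces = text.strip().lower().lstrip("v").split(".")
    return tuple(int(p) for p in takewhile(str.isdigit, pieces))

def classify(product, version):
    """Verdict for one inventory row: 'flash', 'review', 'clear' or 'unknown'."""
    if product not in FLASH_RULES:
        return "unknown"
    if FLASH_RULES[product] is None:
        return "review"
    kind, bound = FLASH_RULES[product]
    head = parse_version(version)[:len(bound)]  # compare only the bounded digits
    hit = head <= bound if kind == "le" else head == bound
    return "flash" if hit else "clear"

def audit(inventory):
    """Map host -> verdict for 'host,product,version' lines (header skipped)."""
    rows = [line.split(",") for line in inventory.strip().splitlines()[1:]]
    return {host: classify(product, version) for host, product, version in rows}

def has_flash_markers(html):
    """True when a saved management-UI page embeds Flash content."""
    return FLASH_MARKERS.search(html) is not None

# Constructed sample inventory (hosts are made up) to exercise the rules.
SAMPLE_INVENTORY = """host,product,version
vcm-01,HPE VCM,4.8
vc-01,VMware,6.7.0
dfm-01,NetApp OnCommand Unified Manager Core,5.2.1
san-01,Hitachi Storage Navigator,7.1
"""
```

The marker check is the one that catches what the bank in the story missed: a product that is not on any version list but still ships a `.swf` in its console page.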
"We estimate that about half of data centers are still exposed," said Kaplan.
Any end-of-life software poses security risks. Unless it was built in the last year or so, every data center has some end-of-life software somewhere in its infrastructure, he said.