Security issues keep cropping up: Cisco vulnerability joins Samsam, Spectre and Meltdown in new roster
Anyone thinking that the turn of a new year would inhibit the constant stream of security vulnerabilities can be forgiven such optimism. But reality set in just days after the New Year in the form of Samsam, Spectre and Meltdown, and the perhaps lesser-known new cyber flaws in products from Cisco and Smiths Medical.
Let’s start with Cisco. The networking giant warned of holes that enable perpetrators to remotely launch a denial of service attack via its Cisco Adaptive Security Appliance.
“A successful attack may allow the attacker to execute arbitrary code and obtain full control of the affected device,” according to Lee Kim, HIMSS Director of Privacy and Security, who authored the just-published January edition of the Healthcare and Cross-Sector Cybersecurity Report.
Cisco released software patches to solve the problem. Likewise Smiths Medical, which updated its firmware to fix security flaws in Medfusion 4000 devices prone to buffer overflow exploits that open the door to remote code execution or denial of service attacks.
Let’s not neglect Spectre and Meltdown — the highest-profile security problem in some time, particularly among Intel chips.
Everyone from cloud service providers to software vendors to original equipment manufacturers “should stop deployment of current versions as they may introduce higher than expected reboots and other unpredictable behavior,” Kim noted.
Intel reportedly said a fix is forthcoming. Exactly when? That is no more understood right now than the initial attack vector for Samsam. What we do know is that the variant is deployed manually and some victims, most notably perhaps EHR maker Allscripts, have had external-facing apps and servers compromised.
“Another thing to note is that the General Data Protection Regulation is coming into force on May 25, 2018,” Kim added. “So a lot of U.S. hospitals and others have concerns and questions on whether they need to comply, how to comply, etc.”
GDPR, there’s that. Infosec pros might as well get used to it and start to grasp the impact now.