CISA Issues Warning About Serious Flaws in Illumina DNA Sequencing Systems
To Mitigate Potential Security Risks, Users Are Advised to Patch.
A critical flaw affecting Illumina medical devices has been announced in an Industrial Control Systems (ICS) medical advisory issued by the United States Cybersecurity and Infrastructure Security Agency (CISA).
The flaws affect the Universal Copy Service (UCS) software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencing instruments.
CVSS Score: 10.0
The most severe flaw is CVE-2023-1968 (CVSS score: 10.0), which allows remote attackers to bind to exposed IP addresses and potentially eavesdrop on network traffic or remotely transmit arbitrary commands.
Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. (…) A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.
The Food and Drug Administration (FDA) warned that an unauthorized user could exploit the flaw to compromise “genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.”
There is no proof that these two flaws have been used in an actual attack. Users are advised to update to the version that was patched on April 5, 2023.
This Happened Before
Serious problems with Illumina’s DNA sequencing devices have been discovered before. In June 2022, the company announced several vulnerabilities with similar exploit potential, according to The Hacker News.
Almost a month after the FDA issued new guidance, medical device manufacturers have been put on notice that they must meet certain cybersecurity standards before submitting an application for a new product.
These standards include processes to ensure the security of such devices via regular and out-of-band patches, as well as a plan to monitor, identify, and address “postmarket” cybersecurity vulnerabilities and exploits within a reasonable time period.
The alert published by CISA is available here.