Contents:
A critical flaw affecting Illumina medical devices has been announced in an Industrial Control Systems (ICS) medical advisory issued by the United States Cybersecurity and Infrastructure Security Agency (CISA).
The flaws affect the Universal Copy Service (UCS) software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencing instruments.
CVSS Score: 10.0
The most severe flaw is CVE-2023-1968 (CVSS score: 10.0), which allows remote attackers to bind to exposed IP addresses and potentially eavesdrop on network traffic or remotely transmit arbitrary commands.
The second vulnerability is a privilege misconfiguration (CVE-2023-1966, CVSS score: 7.4) that allows an unauthenticated, remote attacker to upload and run code with administrative privileges.
Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. (…) A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.
The Food and Drug Administration (FDA) warned that an unauthorized user could exploit the flaw to compromise “genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.”
There is no proof that these two flaws have been used in an actual attack. It is advised that users update to the version that was patched on April 5, 2023.
This Happened Before
Serious problems with Illumina’s DNA Sequencing Devices have been discovered before. In June of 2022, the company announced several vulnerabilities with similar exploit potential, explains The Hacker News.
Almost a month after the FDA issued new guidance, medical device manufacturers have been put on notice that they must meet certain cybersecurity standards before submitting an application for a new product.
Included in this are processes to ensure the security of such devices via regular and out-of-band patches, as well as a plan to monitor, identify, and address “postmarket” cybersecurity vulnerabilities and exploits within a reasonable time period.
The alert published by CISA is available here.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
