Illumina DNA Sequencing Instruments Expose Critical Security Vulnerabilities, CISA Warns
CISA has issued a medical advisory highlighting a critical vulnerability in the Universal Copy Service (UCS) software of Illumina’s DNA sequencing instruments.
The flaw affects multiple Illumina devices, including the MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000. The vulnerability, CVE-2023-1968, has a CVSS score of 10.0 and allows remote attackers to bind to exposed IP addresses, potentially enabling them to eavesdrop on network traffic and send arbitrary commands.
The vulnerability in the Universal Copy Service (UCS) software affects various Illumina DNA sequencing instruments, including the iSeq 100, MiSeq, NextSeq 550Dx, and NovaSeq 6000. The flaw with the CVE-2023-1966 identifier and a CVSS score of 7.4 involves a privilege misconfiguration that could enable an unauthorized attacker to upload and execute code with elevated permissions remotely.
CISA says this on its website: “Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.”
FDA (Food and Drug Administration) says An unauthorized user could exploit this vulnerability to initiate malicious activities and cause significant damage: “Genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.”
In the wake of the critical flaws discovered in Illumina’s DNA Sequencing Instruments, it’s worth noting that this is not the first instance of such vulnerabilities in the devices. In June 2022, the company revealed multiple similar weaknesses that could have enabled attackers to take control of impacted systems.
This latest revelation comes at a time when the FDA has issued new guidelines requiring medical device manufacturers to adhere to a set of cybersecurity regulations when submitting an application for a new product. The regulations include monitoring, identifying, and addressing cybersecurity threats and vulnerabilities within a reasonable timeframe and establishing processes to ensure the security of these devices through regular and out-of-band patches.
ALSO READDangers of Public Salesforce Site