Endpoint/Device Security, Vulnerability Management

FDA urges patch of Illumina devices with three critical flaws ranked 10 in severity

Providers are urged to immediately patch certain Illumina devices that contain vulnerabilities, three of which are ranked as 10 in severity. Pictured: A sign for the Food And Drug Administration is seen outside of the headquarters on July 20, 2020 in White Oak, Maryland. (Photo by Sarah Silbiger/Getty Images)

Providers should “immediately download and install” a patch for certain Illumina devices, which the manufacturer issued last month. The software update fixes critical flaws in a range of devices that could put patient safety at risk, according to an FDA letter to the healthcare sector.

The Cybersecurity Infrastructure and Security Agency released an alert on June 2, detailing the vulnerabilities found in certain Illumina In Vitro Diagnostic devices and Researcher Use Only (ROU) instruments. The platforms rely on Local Run Manager (LRM) software, which contain a number of high-severity vulnerabilities.

Illumina issued the software update to its healthcare clients last month. As the healthcare sector often struggles with patch management and prioritization, the FDA and CISA warnings should move the vulnerable Illumina products to the top of the patching queue.

The LRM used in these products contain five vulnerabilities, of which, 10 are ranked critical in severity. The 10.0 base score is a rare occurrence, let alone three 10.0 scores for one element. For reference, the prolific Log4j also received a 10-ranking.

The 10.0 vulnerabilities in the LRM include ‘execution with unnecessary privileges,’ meaning the LRM uses elevated privileges. CISA warns that an unauthenticated threat actors could exploit the flaw to “upload and execute code remotely at the operating system level.”

A successful attack would enable the actor to “change settings, configurations, software, or access sensitive data on the affected product,” or “access APIs not intended for general use and interact through the network.”

One other 10.0 vulnerability is caused by an improper limitation of a pathname to a restricted directory, which would allow a hacker to upload outside of the intended directory structure. 

Further, the LRM doesn’t restrict the file types able to be uploaded to the impacted products, which means an attacker could upload any file type, “ including executable code that allows for a remote code exploit.

The FDA warned that a successful exploit of these flaws could impact “patient test results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results or incorrect results, altered results, or a potential data breach.”

The two remaining vulnerabilities, one ranked 9.1 and the other ranked 7.4 in severity, are caused by the LRM failing to use authentication or authorization by default and one LRM version failing to implement TLS encryption.

An exploit of these flaws could let an attacker inject, replay, modify, and/or intercept sensitive data, or launch a man-in-the-middle attack to access sensitive data in transit, including credentials.

“Illumina has developed a software patch to protect against the exploitation of this vulnerability and is working to provide a permanent software fix for current and future instruments,” according to the FDA. The patch should be immediately applied to impacted products, including “each stand-alone instance of the off-instrument LRM for RUO mode on the Dx instruments.” 

Healthcare providers should review the urgent safety notification or product quality notification sent by Illumina on May 3, or contact the manufacturer if they use the impacted products and did not receive notification.

CISA also recommends healthcare provider organizations take defensive action to prevent possible exploit, including minimizing network exposure for all control system devices, isolating remote devices and systems behind a firewall and separate from the business network, and employ a secure method when remote access is required.

Fortunately, Illumina and the FDA have not received any reports that indicate the vulnerability has yet been exploited in the wild. Both parties are coordinating with CISA to prevent and communicate any adverse events tied to the vulnerability. The FDA will notify providers if any new information comes to light.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.