Endpoint/Device Security, Vulnerability Management

Critical bug in genome sequencing device scores ’10’ on CVSS ratings

Digital generated image of DNA

A critical vulnerability, with the highest possible CVSS score of 10, was discovered in Illumina's genome sequencing tool that allows an adversary to remotely upload and execution code on targeted systems.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) both issued alerts urging network admin to apply available patches.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) both issued alerts urging network admin to apply available patches. The bug was found in Illumina's Universal Copy Service function. According to researchers, the bug (CVE-2023-1968) can be exploited remotely and is easy to trigger with a "low attack complexity."

The CVE carries a CVSS v3 score: 10.0 is one of two bugs found within the platform. The second bug, tracked as CVE-2023-1966, carries a CVSS v3 score of 7.4 and considered a high risk.

"Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network," according to the CISA alert.

The two bugs are a binding to an unrestricted IP address flaw and an execution with unnecessary privileges and found in versions of iScan Control Software, iSeq 100, MiniSeq, MiSeqDX, NextSeq, and NovaSeq products. These tools perform various next-gen sequencing, as well as bioinformatics.

According to the FDA, these are medical devices for either research use or clinical diagnostic use for the sequencing of individuals’ DNA for genetic conditions.

The critical flaws are tied to the universal copy service function v2.x of the platform, which copies the sequencing output files from the device’s run folder to the output folder. However, it’s bound to an unrestricted IP address, which could allow an unauthenticated attacker to use the UCS to listen on all IP addresses, including those that accept remote communications.

High severity bug

Meanwhile, the “unnecessary privileges” vulnerability ranked 7.4 in severity is found in instruments leveraging both v1.x and v2.x platforms. The flaw could enable an unauthenticated threat actor to remotely upload and execute code at the operating system level, allow them to change settings, configurations and software, or even access sensitive information.

The FDA warns an attacker would not need to gain credentials to remotely deploy malicious activities, including the possible alteration of data contained on both the instrument or customers’ networks. An exploit could also impact the result of genetic data contained on the instruments, leading “the instruments to provide no results, incorrect results, altered results, or a potential data breach.”

“At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited,” according to the alert.

Illumina reported the vulnerability to CISA and created guidance for system users based on specific configurations to mitigate the impact. The company has already developed a software patch to protect against exploit.

The FDA is urging “providers and laboratory personnel to be aware of the required actions to mitigate these cybersecurity risks.” For many of the impacted devices, configuration is recommended for the UCS account credentials, while other systems’ software will need to be updated.

Illumina also created instructional videos for clients, which is protected from external access by the use of credentials. The company directly sent notices about the vulnerabilities to users earlier this month, urging them to look out for signs of exploit on the impacted devices.

Fortunately, there have been no public exploits reported targeting these flaws. But as that can quickly change given the state of the threat landscape, CISA recommends network defenders take defensive measures to minimize the risk of exploit, including minimizing the exposure for all control systems and devices and preventing access from the internet.

Virtual Private Networks should be used when remote access is required or another secure method. But VPNs come with their own vulnerabilities, so defenders should ensure the tools are updated to the most current version to reduce possible risks.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.