The US Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control System (ICS) medical advisory alert about a critical flaw impacting Illumina medical devices.
The issue affects Universal Copy Service (UCS) software on Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencing instruments.
The most severe flaw, CVE-2023-1968 (CVSS score: 10.0), allows a remote attacker to bind to an exposed IP address, making it possible to eavesdrop on network traffic and send arbitrary commands remotely.
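A defender-side check for the exposure class described above, added here as an example and not taken from the article, CISA, or Illumina: it parses `netstat -ano`-style listener output (the sample below is constructed, and the operating system, ports and PIDs are assumptions) and reports services bound to a wildcard or non-loopback address, which is what a network-reachable bind looks like on the host.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of Windows `netstat -ano` output.
# Made-up data, not captured from any Illumina instrument.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4120
  TCP    192.168.10.5:9000      0.0.0.0:0              LISTENING       5377
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.168.10.5:49712     40.0.0.2:443           ESTABLISHED     2210
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int

# Only LISTENING rows matter; established sessions are skipped.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return one Listener per LISTENING line, with IPv6 brackets removed."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, pid = m.groups()
        listeners.append(Listener(proto, addr.strip("[]"), int(port), int(pid)))
    return listeners

def is_network_exposed(address: str) -> bool:
    """True when the bind address is reachable from other hosts: a wildcard
    (0.0.0.0 / ::) or any non-loopback interface address."""
    ip = ipaddress.ip_address(address)
    return ip.is_unspecified or not ip.is_loopback

def exposed_listeners(netstat_output: str) -> list[Listener]:
    """Listeners an operator should review and restrict (firewall or rebind
    to loopback) if the owning process should only serve the local host."""
    return [l for l in parse_listeners(netstat_output) if is_network_exposed(l.address)]
```

Run the real `netstat -ano` output through `exposed_listeners` and map the reported PIDs to process names to confirm whether a service meant to be local-only is reachable from the network.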
The second issue relates to a privilege misconfiguration case (CVE-2023-1966, CVSS score: 7.4) which could allow a remote unauthenticated malicious actor to upload and execute code with higher permissions.
“Successful exploitation of this vulnerability allows an attacker to take any action at the operating system level,” CISA said. “Threat actors may affect settings, configurations, software, or data on the affected product; threat actors may interact through the affected product via connected networks.”
The U.S. Food and Drug Administration (FDA) said unauthorized users could weaponize such flaws to influence “the results of genome data in instruments intended for clinical diagnosis, including causing the instrument to yield no results, erroneous results, altered results, or potential data breaches.”
There is no evidence that these two vulnerabilities have been exploited in the wild. Users are advised to apply the fixes released on April 5, 2023, to mitigate potential threats.
This isn’t the first time a severe flaw has been revealed in the Illumina DNA Sequencing Toolkit. In June 2022, the company disclosed several similar vulnerabilities that could be abused to take control of affected systems.
The disclosure came nearly a month after the FDA published new guidelines requiring medical device makers to comply with a series of cybersecurity requirements when submitting applications for new products.
This includes plans to monitor, identify, and address “post-market” cybersecurity vulnerabilities and exploits within a reasonable timeframe, as well as designing and maintaining processes to ensure the security of such devices through regular and out-of-band patches.