The U.S. Cybersecurity Infrastructure Security Agency (CISA) and the FDA have issued an pressing alert about two vulnerabilities that affect Illumina’s Universal Copy Service (UCS), used for DNA sequencing in medical services and labs worldwide.
“An unauthenticated malicious actor may add and execute code remotely on the working system stage, which may enable an attacker to vary settings, configurations, software program, or entry delicate knowledge on the affected product,” warns a CISA advisory launched yesterday.
Illumina is a California-based medical expertise firm that develops and manufactures superior bioanalysis and DNA sequencing machines. The firm’s gadgets are probably the most extensively used for DNA sequencing in medical settings, analysis organizations, educational establishments, biotechnology corporations, and pharmaceutical firms in 140 nations.
“On April 5, 2023, Illumina despatched notifications to affected prospects instructing them to examine their devices and medical gadgets for indicators of potential exploitation of the vulnerability,” reads an advisory by the FDA.
“Some of those devices have a twin boot mode that enables a consumer to function them in both medical diagnostic mode or RUO mode. Devices meant for RUO are sometimes in a improvement stage and should be labeled “For Research Use Only. Not for use in diagnostic procedures.” – although some laboratories could also be utilizing them with assessments for medical diagnostic use.”
The first vulnerability is tracked as CVE-2023-1968 (CVSS v3 rating: 10.0, “critical”). It permits distant attackers to bind to uncovered IP addresses, permitting an unauthenticated attacker to eavesdrop on all community site visitors to seek out additional susceptible hosts on a community.
The potential affect of this flaw contains sending instructions to the impacted software program, modifying settings, and doubtlessly accessing knowledge.
The second flaw is CVE-2023-1966 (CVSS v3 rating: 7.4, “high”), which is a safety misconfiguration permitting customers of UCS to execute instructions with elevated privileges.
The flaws affect the next Illumina merchandise:
- iScan Control Software: v4.0.0
- iScan Control Software: v4.0.5
- iSeq 100: All variations
- MiniSeq Control Software: v2.0 and newer
- MiSeq Control Software: v4.0 (RUO Mode)
- MiSeqDx Operating Software: v4.0.1 and newer
- NextSeq 500/550 Control Software: v4.0
- NextSeq 550Dx Control Software: v4.0 (RUO Mode)
- NextSeq 550Dx Operating Software: v1.0.0 to 1.3.1
- NextSeq 550Dx Operating Software: v1.3.3 and newer
- NextSeq 1000/2000 Control Software: v1.7 and prior
- NovaSeq 6000 Control Software: v1.7 and prior
- NovaSeq Control Software: v1.8
The vulnerabilities don’t affect software program variations not specified within the above checklist, and therefore no actions must be taken.
The really helpful motion depends upon the product and particular system configuration, and Illumina has printed a bulletin that advises on what steps to soak up every case.
The really helpful measure usually includes updating the system software program utilizing the product-specific installer, configuring UCS account credentials, and shutting firewall ports.
CISA additionally recommends that customers of medical gadgets decrease the publicity of management programs to the web as a lot as potential, utilizing firewalls to isolate them from the broader community and utilizing VPNs when distant entry is required.