The US Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued an urgent alert regarding two vulnerabilities in Illumina's Universal Copy Service (UCS), a software component of the company's DNA sequencing instruments, which are used in medical facilities and laboratories around the world.
“An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product,” warns a CISA advisory released yesterday.
Illumina is a California-based medical technology company that develops and manufactures bioanalytical and DNA sequencing instruments. Its devices are among the most widely used for DNA sequencing in clinical settings, research organizations, academic institutions, biotechnology companies and pharmaceutical companies in 140 countries.
“On April 5, 2023, Illumina sent notices to affected customers asking them to check their medical instruments and devices for signs of potential exploitation of the vulnerability,” reads an FDA notice.
“Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are generally in the development stage and should be labeled ‘For Research Use Only. Not for use in diagnostic procedures,’ although some laboratories may use them with tests for clinical diagnostic purposes.”
The first vulnerability is tracked as CVE-2023-1968 (CVSS v3 score: 10.0, “critical”). UCS binds to an unrestricted IP address, so the service is reachable on every network interface of the instrument rather than only locally. An unauthenticated remote attacker can use it to listen on all IP addresses, including those that accept remote communications, which exposes the service to anything that can reach the instrument over the network.
The potential impact of this flaw includes sending commands to the affected software, changing settings and configurations, and potentially accessing sensitive data.
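The bind problem behind CVE-2023-1968 is easy to miss during an instrument review because a service that answers on 127.0.0.1 and one that answers on 0.0.0.0 look identical from the instrument's own console. The following Python snippet is an example added by the editor, not code from Illumina, CISA or the FDA: it parses the TCP LISTENING rows of Windows `netstat -ano` style output (the sample below is constructed; the ports, PIDs and the second "copy service" style listener on 8100 are hypothetical, not the real UCS port, which neither advisory names here) and classifies each listener as loopback-only, wildcard (every interface) or bound to one specific interface. It also shows the hardened bind pattern: a listener helper that defaults to loopback and refuses a network-reachable bind unless the caller explicitly opts in.

```python
import socket
from dataclasses import dataclass

# Binding to one of these addresses makes a service reachable on every
# interface of the host, which is the condition CVE-2023-1968 describes.
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int


def split_host_port(local: str) -> tuple[str, int]:
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat_listening(output: str) -> list[Listener]:
    """Parse the TCP LISTENING rows of Windows 'netstat -ano' style output.

    Header lines, established connections and UDP rows (which carry no
    state column and so have only four fields) are skipped."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "LISTENING":
            continue
        host, port = split_host_port(parts[1])
        listeners.append(Listener(parts[0], host, port, int(parts[4])))
    return listeners


def exposure(address: str) -> str:
    """Classify a bound address: 'loopback' (local processes only),
    'wildcard' (every interface) or 'interface' (one specific address,
    which is still reachable from that network segment)."""
    if address.startswith("127.") or address == "::1":
        return "loopback"
    if address in WILDCARD_ADDRESSES:
        return "wildcard"
    return "interface"


def remotely_reachable(listeners: list[Listener]) -> list[Listener]:
    """Anything not bound to loopback can be reached from the network."""
    return [l for l in listeners if exposure(l.address) != "loopback"]


def open_listener(address: str, port: int = 0, allow_remote: bool = False) -> socket.socket:
    """Hardened bind: loopback by default. A wildcard or interface bind
    requires an explicit opt-in, so network exposure is a deliberate
    decision rather than the side effect of a default."""
    if exposure(address) != "loopback" and not allow_remote:
        raise ValueError(f"refusing to bind {address}: service would be reachable from the network")
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.bind((address, port))
    sock.listen(1)
    return sock


# Constructed sample of 'netstat -ano' output; ports and PIDs are hypothetical.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:5001         0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:8100           0.0.0.0:0              LISTENING       2260
  TCP    [::]:8100              [::]:0                 LISTENING       2260
  TCP    192.168.10.5:445       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5001         127.0.0.1:49712        ESTABLISHED     1412
  UDP    0.0.0.0:5353           *:*                                    3010
"""

if __name__ == "__main__":
    for l in remotely_reachable(parse_netstat_listening(SAMPLE_NETSTAT)):
        print(f"{l.proto} {l.address}:{l.port} pid={l.pid} -> {exposure(l.address)}")
    with open_listener("127.0.0.1") as s:
        print("loopback listener bound at", s.getsockname()[:2])
    try:
        open_listener("0.0.0.0")
    except ValueError as e:
        print("blocked:", e)
```

On a real instrument PC the input would be the live output of `netstat -ano`, and the PID column lets the reviewer map each wildcard listener back to a process with `tasklist`. The classification deliberately flags single-interface binds as well as wildcard ones: a service bound to the instrument's LAN address is not exposed on every interface, but it is still reachable by anything on that segment, which is exactly why CISA pairs the vendor fix with firewall isolation.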
The second flaw is CVE-2023-1966 (CVSS v3 score: 7.4, “high”), an unnecessary-privileges vulnerability: UCS runs with more privileges than its function requires, so commands executed through the service run with elevated privileges at the operating system level.
The defects affect the following Illumina products:
- iScan Control Software: v4.0.0
- iScan Control Software: v4.0.5
- iSeq 100: all versions
- MiniSeq Control Software: v2.0 and newer
- MiSeq Control Software: v4.0 (RUO mode)
- MiSeqDx Operating Software: v4.0.1 and newer
- NextSeq 500/550 Control Software: v4.0
- NextSeq 550Dx Control Software: v4.0 (RUO mode)
- NextSeq 550Dx Operating Software: v1.0.0 to 1.3.1
- NextSeq 550Dx Operating Software: v1.3.3 and newer
- NextSeq 1000/2000 Control Software: v1.7 and earlier
- NovaSeq 6000 Control Software: v1.7 and earlier
- NovaSeq Control Software: v1.8
Software versions not listed above are not affected, and no action is needed for them.
The recommended action depends on the specific product and system configuration, and Illumina has published a bulletin setting out the measures to take in each case.
In most cases the remediation involves updating the system software with the product-specific installer, configuring credentials for the UCS account, and closing the firewall ports the service does not need.
CISA also recommends that medical device operators minimize the network exposure of control systems, ensuring they are not reachable from the Internet, isolating them behind firewalls from the wider business network, and using VPNs where remote access is required.