The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) medical advisory warning of a critical flaw impacting Illumina medical devices.
The issues impact the Universal Copy Service (UCS) software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencing instruments.
The most severe of the flaws, CVE-2023-1968 (CVSS score: 10.0), permits remote attackers to bind to exposed IP addresses, thereby making it possible to eavesdrop on network traffic and remotely transmit arbitrary commands.
The second issue relates to a case of privilege misconfiguration (CVE-2023-1966, CVSS score: 7.4) that could enable a remote unauthenticated malicious actor to upload and execute code with elevated permissions.
“Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level,” CISA said. “A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.”
The Food and Drug Administration (FDA) said an unauthorized user could weaponize the shortcoming to impact “genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.”
There is no evidence that the two vulnerabilities have been exploited in the wild. Users are recommended to apply the fixes released on April 5, 2023, to mitigate potential threats.
This is not the first time severe flaws have come to light in Illumina’s DNA Sequencing Devices. In June 2022, the company disclosed multiple similar vulnerabilities that could have been abused to seize control of affected systems.
The disclosure comes almost a month after the FDA issued new guidance that will require medical device makers to adhere to a set of cybersecurity requirements when submitting an application for a new product.
This includes a plan to monitor, identify, and address “postmarket” cybersecurity vulnerabilities and exploits within a reasonable time period, and design and maintain processes to ensure the security of such devices via regular and out-of-band patches.