CISA warns of a critical flaw affecting Illumina medical devices

U.S. CISA released an Industrial Control Systems (ICS) medical advisory warning of a critical flaw affecting Illumina medical devices.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) medical advisory warning of vulnerabilities that could allow an attacker to take any action at the operating system level.

The issues impact the following products using the Illumina Universal Copy Service: 

• iScan Control Software: v4.0.0
• iScan Control Software: v4.0.5
• iSeq 100: All versions
• MiniSeq Control Software: v2.0 and newer
• MiSeq Control Software: v4.0 (RUO Mode)
• MiSeqDx Operating Software: v4.0.1 and newer
• NextSeq 500/550 Control Software: v4.0
• NextSeq 550Dx Control Software:  v4.0 (RUO Mode)
• NextSeq 550Dx Operating Software:  v1.0.0 to 1.3.1
• NextSeq 550Dx Operating Software: v1.3.3 and newer
• NextSeq 1000/2000 Control Software: v1.4.1 and prior
• NovaSeq 6000 Control Software: v1.7 and prior
• NovaSeq Control Software: v1.8

The above medical devices are used either in clinical diagnostic use in sequencing a person’s DNA for various genetic conditions or for research use only (RUO).

“Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.” reads the Industrial Control Systems Medical Advisory published by CISA.

The most severe of the vulnerabilities, tracked as CVE-2023-1968 (CVSS score: 10.0), allows an unauthenticated, remote attacker to bind to an unrestricted IP address. An attacker could use UCS to listen on all IP addresses, including those capable of accepting remote communications. 

A remote attacker can potentially eavesdrop on network traffic and inject arbitrary commands.

The second issue reported in the advisory, tracked as CVE-2023-1966 (CVSS score: 7.4), is an unnecessary privileges vulnerability.

“An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product.” continues the advisory.

The Food and Drug Administration (FDA) also published an advisory that remarks that an unauthorized attacker can exploit the first vulnerability by:

• taking control remotely;
• altering settings, configurations, software, or data on the instrument or a customer’s network; or
• impacting genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.

“At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited.” reads the alert published by FDA. “llumina developed a software patch to protect against the exploitation of this vulnerability. The FDA wants health care providers and laboratory personnel to be aware of the required actions to mitigate these cybersecurity risks.”

The good news is that there is no evidence that the two vulnerabilities have been exploited in the wild.

The company urges customers to install the security updates released on April 5, 2023.

Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)