The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illumina’s Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide.
“An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product,” warns a CISA advisory released yesterday.
Illumina is a California-based medical technology company that develops and manufactures advanced bioanalysis and DNA sequencing machines. The company’s devices are one of the most widely used for DNA sequencing in clinical settings, research organizations, academic institutions, biotechnology firms, and pharmaceutical companies in 140 countries.
“On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability,” reads an advisory by the FDA.
“Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are typically in a development stage and must be labeled ‘For Research Use Only. Not for use in diagnostic procedures.’ – though some laboratories may be using them with tests for clinical diagnostic use.”
The first vulnerability is tracked as CVE-2023-1968 (CVSS v3 score: 10.0, “critical”). It allows remote attackers to bind to exposed IP addresses, so that an unauthenticated attacker can listen in on all network traffic to find further vulnerable hosts on the network.
The potential impact of this flaw includes sending commands to the impacted software, modifying settings, and potentially accessing data.
The second flaw is CVE-2023-1966 (CVSS v3 score: 7.4, “high”), which is a security misconfiguration allowing users of UCS to execute commands with elevated privileges.
The flaws impact the following Illumina products:
- iScan Control Software: v4.0.0
- iScan Control Software: v4.0.5
- iSeq 100: All versions
- MiniSeq Control Software: v2.0 and newer
- MiSeq Control Software: v4.0 (RUO Mode)
- MiSeqDx Operating Software: v4.0.1 and newer
- NextSeq 500/550 Control Software: v4.0
- NextSeq 550Dx Control Software: v4.0 (RUO Mode)
- NextSeq 550Dx Operating Software: v1.0.0 to 1.3.1
- NextSeq 550Dx Operating Software: v1.3.3 and newer
- NextSeq 1000/2000 Control Software: v1.7 and prior
- NovaSeq 6000 Control Software: v1.7 and prior
- NovaSeq Control Software: v1.8
Software versions not listed above are not affected by the vulnerabilities, so no action is needed for them.
The recommended action depends on the product and specific system configuration, and Illumina has published a bulletin that advises on what steps to take in each case.
The recommended measure often involves updating the system software using the product-specific installer, configuring UCS account credentials, and closing firewall ports.
CISA also recommends that users of medical devices minimize the exposure of control systems to the internet as much as possible, using firewalls to isolate them from the wider network and using VPNs when remote access is needed.
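The exposure condition behind CVE-2023-1968 (a service bound to exposed IP addresses) and the firewall and network-isolation advice above both come down to one operator question: which services on an instrument's controller are listening on every interface rather than on loopback or a single management address? The script below is an added example, not code from CISA, the FDA or Illumina. It parses `netstat -ano`-style listening-socket lines (the sample lines, ports and PIDs are constructed for illustration and say nothing about what UCS actually uses) and flags any listener bound to the unspecified address (`0.0.0.0` or `::`), so an administrator can compare that list against the firewall rules and the vendor bulletin for their specific product.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the layout of `netstat -ano` output
# (proto, local address, foreign address, state, PID).
# Ports and PIDs are invented for this example, not real instrument data.
SAMPLE_NETSTAT = """\
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4120
TCP    127.0.0.1:49600        0.0.0.0:0              LISTENING       1932
TCP    192.168.10.5:3389      0.0.0.0:0              LISTENING       988
TCP    [::]:8080              [::]:0                 LISTENING       4120
TCP    [::1]:49601            [::]:0                 LISTENING       1932
UDP    0.0.0.0:5353           *:*                                    2200
"""

# UDP lines carry no state column, so the state group is optional.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_host_port(addr: str):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def classify_bind(host: str) -> str:
    """Describe how widely a bound address exposes the socket."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:          # 0.0.0.0 or :: -> reachable on every interface
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.1 or ::1 -> local processes only
        return "loopback"
    return "specific-interface"    # one configured address


def parse_listeners(text: str) -> List[Dict]:
    """Return one record per listening socket found in netstat-style text."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # TCP sockets count only when LISTENING; every UDP socket is a listener.
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue
        host, port = split_host_port(m["local"])
        listeners.append({
            "proto": m["proto"],
            "host": host,
            "port": port,
            "pid": int(m["pid"]),
            "exposure": classify_bind(host),
        })
    return listeners


def exposed_listeners(text: str) -> List[Dict]:
    """Listeners bound to the unspecified address: candidates for firewall review."""
    return [l for l in parse_listeners(text) if l["exposure"] == "all-interfaces"]


def exposed_pids(text: str) -> List[int]:
    """Distinct PIDs that own an all-interfaces listener, for mapping to processes."""
    return sorted({l["pid"] for l in exposed_listeners(text)})


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{l['proto']} {l['host']}:{l['port']} pid={l['pid']} bound on all interfaces")
    print("PIDs to map to process names:", exposed_pids(SAMPLE_NETSTAT))
```

On the sample input this reports three wildcard-bound sockets owned by two PIDs. The PIDs are the useful output: mapping each one to a process name tells the operator whether the listener is the service the bulletin covers, whether the host firewall blocks its port from the wider network, and whether it can be bound to a single management address instead.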