Critical Vulnerabilities in Illumina Devices
Share this:
A critical vulnerability was discovered in Illumina’s genome sequencing tool that allows an adversary to remotely upload and execution code on targeted systems.
The US CISA and the Food and Drug Administration (FDA) both issued alerts urging network admin to apply available patches. The bug was found in Illumina’s Universal Copy Service function. The bug tracked as CVE-2023-1968 with a CVSS v3 score of 10 can be exploited remotely and is easy to trigger with a low attack complexity.
Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.
The critical flaws are tied to the universal copy service function v2.x of the platform, which copies the sequencing output files from the device’s run folder to the output folder. This could allow an unauthenticated attacker to use the UCS to listen on all IP addresses, including those that accept remote communications.
The second vulnerability, tracked as CVE-2023-1966, carries a CVSS v3 score of 7.4, resides in instruments leveraging both v1.x and v2.x platforms. The flaw could enable an unauthenticated threat actor to remotely upload and execute code at the operating system level, allow them to change settings, configurations, and software, or even access sensitive information.
The FDA warns an attacker would not need to gain credentials to remotely deploy malicious activities, including the possible alteration of data contained on both the instrument and customers’ networks. An exploit could also impact the result of genetic data contained on the instruments, leading “the instruments to provide no results, incorrect results, altered results, or a potential data breach.”
Illumina reported the vulnerability to CISA and created guidance for system users based on specific configurations to mitigate the impact. It has developed a software patch to protect against exploit.
Illumina sent notices about the vulnerabilities to users, urging them to look out for signs of exploit on the impacted devices.
There have been no public exploits reported targeting these flaws. But given the severity of the vulnerability will be easily exploitable, CISA recommends network defenders take defensive measures to minimize the risk of exploit, including minimizing the exposure for all control systems and devices and preventing access from the internet.
