US CISA warns of critical vulnerabilities affecting the security of Illumina devices. The vulnerabilities exist in the Illumina Universal Copy Service software, allowing remote code execution attacks.
Illumina Universal Copy Service Vulnerabilities
According to a recent CISA alert, at least two vulnerabilities were discovered in Illumina DNA sequencing devices.
Illumina is a US-based biotechnology firm that develops and markets equipment for genetic analysis and related biological and medical functions. The firm develops key devices for gene sequencing, gene expression, genotyping, and proteomics. The Universal Copy Service is key software for DNA sequencing in health and research facilities.
As specified in CISA’s advisory, the first vulnerability is a critical-severity (CVSS 10.0) remote code execution flaw (CVE-2023-1968) in the Universal Copy Service v2.x. The flaw existed due to binding to an unrestricted IP address. Exploiting the flaw could allow an attacker to listen on all IP addresses.
The second issue (CVE-2023-1966) is a high-severity privilege escalation vulnerability (CVSS 7.4) in the Universal Copy Service v1.x and v2.x. Exploiting the flaw could give an unauthenticated remote attacker unnecessary privileges, allowing them to change device settings and meddle with sensitive information.
These UCS vulnerabilities affect a range of medical devices running the software. The vulnerable equipment includes:
- iScan Control Software: v4.0.0 and v4.0.5
- iSeq 100: All versions
- MiniSeq Control Software: v2.0 and newer
- MiSeqDx Operating Software: v4.0.1 and newer
- MiSeq Control Software: v4.0 (RUO Mode)
- NextSeq 500/550 Control Software: v4.0
- NextSeq 550Dx Operating Software: v1.0.0 to 1.3.1 and v1.3.3 and newer
- NextSeq 550Dx Control Software: 0 (RUO Mode)
- NextSeq 1000/2000 Control Software: v1.4.1 and prior
- NovaSeq Control Software: v1.8
- NovaSeq 6000 Control Software: v1.7 and prior
Patches Rolled Out
Illumina has shared a detailed security bulletin highlighting the flaws and the respective patches. According to the FDA, the vendor has also notified all affected customers to check and update their vulnerable systems.
CISA has also shared mitigations for the issues, which include limiting network exposure for control systems and devices, protecting such systems behind firewalls, and ensuring secure remote access via tools like VPNs.
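The first flaw stems from a service binding to an unrestricted IP address, and CISA's mitigations start with limiting network exposure. As an added example (not code from CISA or Illumina), the Python below audits a `netstat -an` style listing and flags listeners bound to the wildcard address; the sample listing, its addresses and ports, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in `netstat -an` style (Windows layout). Addresses and
# ports are made up for illustration; they are not Illumina's actual values.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    10.20.30.40:3389       0.0.0.0:0              LISTENING
  TCP    10.20.30.40:49712      10.20.30.5:445         ESTABLISHED
  TCP    [::]:8081              [::]:0                 LISTENING
  TCP    [::1]:5000             [::]:0                 LISTENING
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def classify(ip):
    """Label a bind address by how widely it exposes the listener."""
    if ip.is_unspecified:   # 0.0.0.0 or :: means every interface
        return "wildcard"
    if ip.is_loopback:      # reachable only from the host itself
        return "loopback"
    return "specific"       # one interface; still needs firewall review

def audit_listeners(netstat_text):
    """Return (address, port, kind) for every TCP socket in LISTENING state."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        try:
            ip, port = split_endpoint(fields[1])
        except ValueError:
            continue        # skip rows whose local address cannot be parsed
        findings.append((str(ip), port, classify(ip)))
    return findings

def wildcard_ports(netstat_text):
    """Ports with at least one listener bound to all interfaces."""
    return sorted({p for _, p, kind in audit_listeners(netstat_text) if kind == "wildcard"})

if __name__ == "__main__":
    for addr, port, kind in audit_listeners(SAMPLE_NETSTAT):
        print(f"{addr:>12}:{port:<6} {kind}")
    print("review wildcard binds on ports:", wildcard_ports(SAMPLE_NETSTAT))
```

Any port reported as a wildcard bind is a candidate for a firewall rule or network segmentation until the vendor patch is applied.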