CISA Warns of Critical Vulnerability in Illumina Medical Devices
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about serious vulnerabilities in Illumina medical devices that could potentially allow attackers to falsify patient diagnoses. The vulnerabilities affect the Illumina Universal Copy Service (UCS) present in DNA sequencing devices such as the Illumina MiSeqDx, NextSeq 550Dx, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000 and NovaSeq 6000.
The most concerning vulnerability, CVE-2023-1968 (CVSS: 10.0), could allow attackers to remotely listen to network traffic and transmit arbitrary commands by opening IP addresses. The second vulnerability, CVE-2023-1966 (CVSS: 7.4), stems from improperly configured privileges and could let an unauthorized user execute code with elevated privileges.
Successful exploitation of the vulnerabilities could allow an attacker to perform any actions at the operating system level, including affecting configurations, software, or data of the vulnerable product. Additionally, an attacker could interact with the vulnerable product through a connected network.
The Food and Drug Administration (FDA) has stated that unauthorized users could exploit such vulnerabilities to falsify genomic data used for clinical diagnostics, including removing, replacing, or falsifying results, and even to leak data.
There is no evidence that these vulnerabilities are being actively exploited, but users are strongly advised to apply the fixes issued on April 5, 2023, to reduce potential threats. This is not the first time that Illumina DNA sequencing devices have been found to have vulnerabilities. In June 2022, several similar vulnerabilities were discovered that could be used to gain control of vulnerable systems, replace diagnoses or manipulate patient data.