
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) Medical Advisory Alert regarding a critical flaw affecting Illumina medical devices.
This issue affects the Universal Copy Service (UCS) software on the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencers.
The most severe vulnerability, CVE-2023-1968 (CVSS score: 10.0), allows remote attackers to bind to public IP addresses, eavesdrop on network traffic, and remotely execute arbitrary commands.
The second issue is a permission misconfiguration (CVE-2023-1966, CVSS score: 7.4) that could allow an unauthenticated remote malicious actor to upload and update code with elevated privileges.
“Successfully exploiting these vulnerabilities could allow an attacker to take some action at the operating system level,” CISA said. “The threat actor may affect the settings, configuration, software, or data of the affected product. The threat actor may interact through the affected product through the connected network.”
The Food and Drug Administration (FDA) says that unauthorized users can weaponize this shortcoming and “genomic data can influence clinical diagnostic equipment.”
There is no evidence that the two vulnerabilities were actually exploited. We recommend that you apply the hotfix released on April 5, 2023 to mitigate potential threats.
This isn’t the first time that Illumina’s DNA sequencing devices have been found to have serious flaws. In June 2022, the company disclosed multiple similar vulnerabilities that may have been exploited to take control of affected systems.
The disclosure comes almost a month after the FDA issued new guidance requiring medical device manufacturers to comply with a set of cybersecurity requirements when submitting new product applications.
This includes a plan to monitor, identify and address “post-market” cybersecurity vulnerabilities and exploits within a reasonable period of time, and to design and maintain processes that ensure the security of such devices through regular and out-of-band patching.