The Food and Drug Administration (FDA) and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory concerning serious security vulnerabilities in Illumina’s next-generation sequencing (NGS) software.
The severity of three of the problems is rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS), while the severity of two others is rated 9.1 and 7.4.
According to the FDA, the problems affect software in medical devices that are used for “clinical diagnostic usage in sequencing a person’s DNA or testing for various genetic disorders, or for research use only.”
“Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to remotely take control of the compromised product and conduct any action at the operating system level,” according to CISA.
“An attacker could alter the affected product’s settings, configurations, software, or data, as well as interact with the linked network through the affected product.”
NextSeq 550Dx, MiSeq Dx, NextSeq 500, NextSeq 550, MiSeq, iSeq 100, and MiniSeq employing Local Run Manager (LRM) software versions 1.3 to 3.1 are affected devices and instruments.
The following is a list of flaws:
- CVE-2022-1517 (CVSS score: 10.0) – An operating system-level remote code execution vulnerability that could allow an attacker to tamper with settings and access sensitive data or APIs.
- CVE-2022-1518 (CVSS score: 10.0) – An attacker might use a directory traversal vulnerability to upload harmful files to any place.
- CVE-2022-1519 (CVSS score: 10.0) – An flaw with the ability to upload any file type without restriction, allowing an attacker to execute arbitrary code.
- CVE-2022-1521 (CVSS score: 9.1) – By default, LRM lacks authentication, allowing an attacker to inject, change, or access sensitive data.
- CVE-2022-1524 (CVSS score: 7.4) – For LRM versions 2.4 and lower, there is no TLS encryption, which might be exploited by an attacker to stage a man-in-the-middle (MitM) attack and gain access to credentials.
The weaknesses could be used to impair patients’ clinical tests, resulting in incorrect or altered results during diagnosis, in addition to allowing remote control of the instruments.
While there is no evidence that the issues are being exploited in the wild, customers should install the software patch published by Illumina last month to reduce the risk.
