The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) have issued an advisory about critical security vulnerabilities in Illumina's next-generation sequencing (NGS) software.
Three of the issues are rated 10 out of 10 for severity on the Common Vulnerability Scoring System (CVSS), with two others having severity ratings of 9.1 and 7.4.
The issues affect software in medical devices used for "clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions, or for research use only," according to the FDA.
"Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level," CISA said in an alert.
"An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network."
Affected devices and instruments include NextSeq 550Dx, MiSeq Dx, NextSeq 500, NextSeq 550, MiSeq, iSeq 100, and MiniSeq using Local Run Manager (LRM) software versions 1.3 to 3.1.
The list of flaws is as follows:
- CVE-2022-1517 (CVSS score: 10.0) - A remote code execution vulnerability at the operating system level that could allow an attacker to tamper with settings and access sensitive data or APIs.
- CVE-2022-1518 (CVSS score: 10.0) - A directory traversal vulnerability that could allow an attacker to upload malicious files to arbitrary locations.
- CVE-2022-1519 (CVSS score: 10.0) - An issue with the unrestricted upload of any file type, allowing an attacker to achieve arbitrary code execution.
- CVE-2022-1521 (CVSS score: 9.1) - A lack of authentication in LRM by default, enabling an attacker to inject, modify, or access sensitive data.
- CVE-2022-1524 (CVSS score: 7.4) - A lack of TLS encryption for LRM versions 2.4 and lower that could be abused by an attacker to stage a man-in-the-middle (MitM) attack and access credentials.
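Two of the entries above, directory traversal on upload (CVE-2022-1518) and unrestricted file type (CVE-2022-1519), are generic web-application weakness classes rather than anything specific to sequencing instruments. The following is an added example written for this article, not code from Illumina or from Local Run Manager, and it makes no claim about how LRM is implemented: a hypothetical upload "save" step written first the weak way (client-chosen path, any file type) and then the hardened way (leaf name only, suffix allowlist, confinement check). The extension allowlist and the sample file names are assumptions constructed for the demonstration.

```python
"""Added illustration for this article: a minimal upload "save" step written two
ways. The vulnerable version shows the two weakness classes named in the list
(directory traversal via the client-supplied name, and unrestricted file type);
the hardened version neutralises both. This is generic example code, not
Illumina Local Run Manager code, and it says nothing about how LRM is built.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical allowlist of file types such an endpoint would accept (an
# assumption made for the example, not taken from any product).
ALLOWED_SUFFIXES = {".csv", ".txt", ".json"}


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def save_upload_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """Weak handler: trusts the client-supplied name and accepts any file type.

    "../escaped.csv" walks out of upload_dir (directory traversal, CWE-22) and
    "payload.csv.exe" is written as-is (unrestricted upload, CWE-434).
    """
    dest = os.path.join(upload_dir, filename)          # no normalisation at all
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def save_upload_hardened(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened handler: keep only the leaf name, allowlist the type, confine the write.

    The client never gets to pick a directory: both separator styles are
    stripped and only the final component survives, so "../x.csv" lands in
    upload_dir as "x.csv". Only the last suffix counts, so "payload.csv.exe"
    is treated as an .exe and refused.
    """
    base = Path(upload_dir).resolve()
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise UploadRejected(f"invalid filename: {filename!r}")
    if Path(leaf).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UploadRejected(f"file type not allowed: {leaf!r}")
    target = base / leaf
    if target.is_symlink() or target.resolve().parent != base:
        # A pre-planted symlink, or anything else resolving outside base, is refused.
        raise UploadRejected(f"destination escapes upload dir: {target}")
    with open(target, "xb") as fh:                     # "x": never clobber an existing file
        fh.write(data)
    return str(target)


def run_demo() -> dict:
    """Exercise both handlers on constructed uploads in a throwaway directory and
    return plain values describing where each file ended up."""
    root = Path(tempfile.mkdtemp(prefix="upload_demo_")).resolve()
    weak_dir, safe_dir = root / "uploads_weak", root / "uploads_safe"
    weak_dir.mkdir()
    safe_dir.mkdir()
    # Constructed sample uploads: one benign, one traversal, one wrong type.
    attempts = [
        ("sample_sheet.csv", b"Sample_ID,Sample_Name\nS1,control\n"),
        ("../escaped.csv", b"Sample_ID\nS2\n"),
        ("payload.csv.exe", b"MZ\x90\x00"),
    ]
    report = {"vulnerable": {}, "hardened": {}}
    for name, data in attempts:
        written = Path(save_upload_vulnerable(str(weak_dir), name, data)).resolve()
        report["vulnerable"][name] = "inside" if written.parent == weak_dir else "outside"
    for name, data in attempts:
        try:
            written = Path(save_upload_hardened(str(safe_dir), name, data))
            report["hardened"][name] = written.relative_to(root).as_posix()
        except UploadRejected:
            report["hardened"][name] = "rejected"
    # Did the weak handler actually drop a file one level above its upload dir?
    report["escaped_file_written"] = (root / "escaped.csv").exists()
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the containment check is that it is evaluated on the resolved path, after the allowlist, rather than by searching the string for `..`: a filename that only looks harmless (a Windows-style `..\`, an absolute path, or a symlink already sitting in the upload directory) is still caught, and the "x" open mode means a second upload of the same name fails loudly instead of silently replacing whatever is there.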
In addition to permitting remote control over the instruments, the flaws could be weaponized to compromise patients' clinical tests, resulting in incorrect or altered results during diagnosis.
While there is no evidence that the flaws are being exploited in the wild, it is recommended that customers apply the software patch released by Illumina last month to mitigate any potential risk.