The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) Medical Advisory Alert regarding a critical flaw affecting Illumina medical devices.
This issue affects the Universal Copy Service (UCS) software on the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencers.
The most severe vulnerability, CVE-2023-1968 (CVSS score: 10.0), allows remote attackers to bind to public IP addresses, eavesdrop on network traffic, and remotely execute arbitrary commands. Allows you to send with
The second issue is related to a case of permission misconfiguration (CVE-2023-1966, CVSS score: 7.4), where an unauthenticated remote malicious actor could upload and update code with elevated privileges. It might work.
“Successfully exploiting these vulnerabilities could allow an attacker to take actions at the operating system level.” CISA Said“The threat actor may affect the settings, configuration, software, or data of the affected product. The threat actor may interact through the affected product through a connected network.” there is.”
Food and Drug Administration (FDA) Said Unauthorized users are prohibited from using โgenomic data to affect equipment intended for clinical diagnostic purposes, including the inability of the equipment to provide results, inaccurate results, altered results, or potential data Including causing infringement.”
There is no evidence that the two vulnerabilities were actually exploited.the user is apply the fix Released April 5, 2023 to mitigate potential threats.
Learn how to stop ransomware with real-time protection
Join our webinar to learn how real-time MFA and service account protection can stop ransomware attacks.
This isn’t the first time that Illumina’s DNA sequencing devices have been found to have serious flaws. In June 2022, the company disclosed multiple similar vulnerabilities that may have been exploited to take control of affected systems.
This disclosure comes almost a month after the FDA. issued New guidance requiring medical device manufacturers to adhere to a set of cybersecurity requirements when submitting new product applications.
This includes a plan to monitor, identify and address โpost-marketโ cybersecurity vulnerabilities and exploits within a reasonable period of time, and to ensure the security of such devices through regular and out-of-band patching. includes a plan to design and maintain the process of
