The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) have issued an advisory about critical security vulnerabilities in Illumina's next-generation sequencing (NGS) software.
Three of the flaws are rated 10 out of 10 for severity on the Common Vulnerability Scoring System (CVSS), with two others having severity ratings of 9.1 and 7.4.
The issues impact software in medical devices used for "clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions, or for research use only," according to the FDA.
"Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level," CISA said in an alert.
"An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network."
Affected devices and instruments include NextSeq 550Dx, MiSeq Dx, NextSeq 500, NextSeq 550, MiSeq, iSeq 100, and MiniSeq using Local Run Manager (LRM) software versions 1.3 to 3.1.
The list of flaws is as follows -
- CVE-2022-1517 (CVSS score: 10.0) - A remote code execution vulnerability at the operating system level that could allow an attacker to tamper with settings and access sensitive data or APIs.
- CVE-2022-1518 (CVSS score: 10.0) - A directory traversal vulnerability that could allow an attacker to upload malicious files to arbitrary locations.
- CVE-2022-1519 (CVSS score: 10.0) - An issue with the unrestricted upload of any file type, allowing an attacker to achieve arbitrary code execution.
- CVE-2022-1521 (CVSS score: 9.1) - A lack of authentication in LRM by default, enabling an attacker to inject, modify, or access sensitive data.
- CVE-2022-1524 (CVSS score: 7.4) - A lack of TLS encryption for LRM versions 2.4 and lower that could be abused by an attacker to stage a man-in-the-middle (MitM) attack and access credentials.
In addition to permitting remote control over the instruments, the flaws could be weaponized to compromise patients' clinical tests, resulting in incorrect or altered results during diagnosis.
While there is no evidence that the flaws are being exploited in the wild, it's recommended that customers apply the software patch released by Illumina last month to mitigate any potential risk.