Healthcare providers and laboratory personnel have been put on alert after two separate cybersecurity vulnerabilities were discovered in medical devices commonly used in clinical diagnostics and research.
On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory regarding two vulnerabilities in the Universal Copy Service (UCS) software used by Illumina, a leading genomics company based in the United States. The UCS software is used in several Illumina products, including iSeq, MiniSeq, MiSeq, NextSeq, and NovaSeq systems.
The first vulnerability (CVE-2023-1968) allows an attacker to bind to an unrestricted IP address, potentially enabling them to listen on all IP addresses that can accept remote communications. This vulnerability affects instruments with UCS v2.x and has a CVSS v3 base score of 10.0, indicating a critical vulnerability.
The second vulnerability (CVE-2023-1966) allows an attacker to execute code remotely at the operating system level, potentially enabling them to change settings, configurations, or software, or to access sensitive data on the affected product. This vulnerability affects instruments with UCS v1.x and v2.x and has a CVSS v3 base score of 7.4, indicating a high-severity vulnerability.
According to the CISA advisory, there are no known public exploits that specifically target these vulnerabilities. However, CISA says:
"Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network."
Illumina has reportedly provided CISA with information about these vulnerabilities and recommends users of affected products follow the UCS Vulnerability Instructions Guide based on their specific system configuration to mitigate the vulnerabilities.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, including minimizing network exposure for all control system devices and systems, locating control system networks and remote devices behind firewalls and isolating them from business networks, and using secure methods for remote access, such as Virtual Private Networks (VPNs).
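As an added illustration of the "binding to an unrestricted IP address" weakness and of the advice to minimize network exposure (this is not code from CISA, Illumina or the original article), the following Python script sorts a host's listening TCP sockets into wildcard, loopback and specific-address binds. The sample `netstat -an` output, including its addresses and ports, is constructed, and the Windows-style column layout is an assumption.

```python
import ipaddress

# Constructed sample in Windows-style `netstat -an` layout; all values are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    10.20.30.40:3389       0.0.0.0:0              LISTENING
  TCP    [::]:8081              [::]:0                 LISTENING
  TCP    [::1]:5001             [::]:0                 LISTENING
  TCP    10.20.30.40:49712      10.20.30.5:445         ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address object, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def classify_listeners(netstat_text):
    """Group listening TCP sockets by how widely their bind address is reachable."""
    result = {"wildcard": [], "loopback": [], "specific": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, non-TCP rows and anything that is not a listener.
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        ip, port = split_endpoint(fields[1])
        if ip.is_unspecified:      # 0.0.0.0 or :: -> accepts on every interface
            kind = "wildcard"
        elif ip.is_loopback:       # 127.0.0.0/8 or ::1 -> local processes only
            kind = "loopback"
        else:                      # bound to one named interface address
            kind = "specific"
        result[kind].append((str(ip), port))
    return result


if __name__ == "__main__":
    listeners = classify_listeners(SAMPLE_NETSTAT)
    for ip, port in listeners["wildcard"]:
        print(f"review: port {port} is bound to {ip} (all interfaces)")
```

Wildcard listeners are the ones to compare against firewall rules and network segmentation, since they accept connections on every interface the host has.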
In addition to the CISA advisory, the U.S. Food and Drug Administration (FDA) issued a letter to healthcare providers and clinical laboratory staff regarding these vulnerabilities. The FDA is urging users of Illumina's affected products to apply the recommended mitigations and to consider using an alternate system if necessary.
It is important for users of Illumina's affected products to take these vulnerabilities seriously and to follow the recommended mitigations to reduce the risk of exploitation.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.