CISA warned of critical vulnerabilities in Illumina’s DNA sequencing devices

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued an advisory on critical security vulnerabilities in Illumina’s next-generation sequencing (NGS) software.

Three of the flaws carry the maximum Common Vulnerability Scoring System (CVSS) score of 10.0; the other two are rated 9.1 and 7.4.

The issues affect software in medical devices used for “clinical diagnostic use in sequencing a person’s DNA or testing for various genetic disorders, or for research purposes only,” according to the FDA.

“Successful exploitation of these vulnerabilities could allow an unauthenticated malicious actor to remotely take control of the affected product and take action at the operating system level,” CISA said in its advisory.

“An attacker could affect settings, configurations, software or data on the affected product and communicate with the connected network through the affected product.”

Affected devices and instruments are NextSeq 550Dx, MiSeq Dx, NextSeq 500, NextSeq 550, MiSeq, iSeq 100 and MiniSeq using Local Run Manager (LRM) software versions 1.3 to 3.1.

The list of flaws is as follows:

CVE-2022-1517 (CVSS score: 10.0) – A remote code execution vulnerability at the operating system level that could allow an attacker to tamper with settings and access sensitive data or APIs.

CVE-2022-1518 (CVSS score: 10.0) – A directory traversal vulnerability that could allow an attacker to upload malicious files to arbitrary locations.

CVE-2022-1519 (CVSS score: 10.0) – Unrestricted upload of any file type, which could allow an attacker to execute arbitrary code.

CVE-2022-1521 (CVSS score: 9.1) – LRM does not require authentication by default, allowing an attacker to inject, modify, or access sensitive data.

CVE-2022-1524 (CVSS score: 7.4) – A lack of TLS encryption in LRM versions 2.4 and below, which an attacker could exploit to mount a man-in-the-middle (MitM) attack and capture credentials.
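Two of the three critical flaws above belong to the same bug class: an upload handler that trusts the client-supplied filename, so a path containing "../" can escape the intended directory (directory traversal) and any file type, including executables, is accepted (unrestricted upload). The following is an added illustration of the server-side check that closes both holes; it is example code written for this page, not Illumina's or LRM's code, and the upload directory, the allow-list of extensions and the sample filenames are all constructed assumptions.

```python
import os
import posixpath

# Constructed allow-list for the example; a real deployment would derive
# this from the file types the application genuinely needs to accept.
ALLOWED_EXTENSIONS = (".fastq", ".fastq.gz", ".csv", ".txt")


def safe_upload_path(base_dir: str, client_filename: str,
                     allowed_exts=ALLOWED_EXTENSIONS) -> str:
    """Return an absolute path under base_dir for an uploaded file.

    Raises ValueError if the client-supplied name tries to traverse out of
    base_dir, is empty or contains a NUL byte, or is not an allowed type.
    """
    # Normalize Windows separators so "..\\..\\x" cannot smuggle a traversal
    # past a POSIX-only basename().
    name = client_filename.replace("\\", "/")
    # Keep only the final path component; everything before it is discarded,
    # so "../../etc/passwd" collapses to "passwd".
    name = posixpath.basename(name)
    if not name or name in (".", "..") or "\x00" in name:
        raise ValueError("invalid filename")

    # Allow-list the extension (unrestricted-upload mitigation). Checking the
    # lower-cased suffix also catches "report.CSV.EXE"-style double extensions.
    lowered = name.lower()
    if not any(lowered.endswith(ext) for ext in allowed_exts):
        raise ValueError("file type not permitted")

    # Defense in depth: resolve symlinks and confirm the final path is still
    # inside base_dir even if the steps above were ever weakened.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes upload directory")
    return candidate


def rejects(base_dir: str, client_filename: str) -> bool:
    """True if safe_upload_path refuses the given filename."""
    try:
        safe_upload_path(base_dir, client_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and three hostile ones.
    upload_dir = "/tmp/uploads"  # assumed location for the example
    for fname in ("sample.fastq", "../../../etc/passwd",
                  "..\\..\\boot.ini", "shell.php"):
        status = "REJECT" if rejects(upload_dir, fname) else "accept"
        print(f"{status}: {fname!r}")
```

The order of the checks matters: basename() removes any directory component before the extension is examined, so a traversal attempt never reaches the filesystem, and the final commonpath() comparison is a backstop rather than the primary control.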

In addition to allowing remote control of the instruments, the flaws can be weaponized to compromise patients’ clinical testing, resulting in inaccurate or altered results during diagnosis.

While there is no evidence that the flaws have been exploited in the wild, customers are advised to apply the software patch Illumina released last month to mitigate the risk.