The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) medical advisory warning of a critical flaw impacting Illumina medical devices.
The issues impact the Universal Copy Service (UCS) software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencing instruments.
The most severe of the flaws, CVE-2023-1968 (CVSS score: 10.0), permits remote attackers to bind to exposed IP addresses, thereby making it possible to eavesdrop on network traffic and remotely transmit arbitrary commands.
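The root of the CVE-2023-1968 description above is a service that listens on an externally reachable address rather than loopback. As an added defender-side example (not code from the advisory, CISA, or Illumina), the script below parses output in the layout of `ss -tlnp` on Linux and reports every listener bound to a wildcard or non-loopback address. The sample output, process names, and ports are constructed placeholders, not Illumina's actual configuration; the real UCS port is not given on this page.

```python
"""Audit listening TCP sockets for services exposed on all interfaces.

Added example: parses `ss -tlnp`-style output and flags listeners whose
bind address is a wildcard (0.0.0.0 / ::) or any non-loopback address.
The sample output below is constructed; process names and ports are
placeholders, not a real instrument's configuration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout `ss -tlnp` prints (header + rows).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=812,fd=5))
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*          users:(("copy-service",pid=1337,fd=7))
LISTEN  0       128     [::1]:631           [::]:*             users:(("cupsd",pid=402,fd=4))
LISTEN  0       4096    [::]:22             [::]:*             users:(("sshd",pid=700,fd=3))
LISTEN  0       128     192.168.10.5:9100   0.0.0.0:*          users:(("agent",pid=901,fd=9))
"""

# Extracts the first process name from the `users:(("name",pid=...))` column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass
class Listener:
    address: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True when the bind address is reachable from other hosts."""
        ip = ipaddress.ip_address(self.address)
        return ip.is_unspecified or not ip.is_loopback


def parse_ss(output: str) -> list[Listener]:
    """Parse the LISTEN rows of `ss -tlnp` output into Listener records."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue  # skip the header and any non-listening rows
        local = fields[3]
        # Split at the last colon so IPv6 literals like [::]:22 parse too.
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")
        m = _PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        listeners.append(Listener(addr, int(port), proc))
    return listeners


def exposed_listeners(output: str) -> list[Listener]:
    """Return only the listeners a host elsewhere on the network could reach."""
    return [l for l in parse_ss(output) if l.exposed]


if __name__ == "__main__":
    # On a live host, replace SAMPLE_SS_OUTPUT with the captured `ss -tlnp` text.
    for l in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED  {l.process:<14} {l.address}:{l.port}")
```

Running it against the constructed sample flags `copy-service`, `sshd`, and `agent`, while the loopback-only `postgres` and `cupsd` listeners are left out. A listener bound to a LAN address such as `192.168.10.5` is reported too, since the point of the check is reachability from other hosts, not only the wildcard case; whether a given exposed listener is acceptable is then a question for the device's documented network requirements.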
The second issue relates to a case of privilege misconfiguration (CVE-2023-1966, CVSS score: 7.4) that could allow a remote unauthenticated malicious actor to upload and execute code with elevated permissions.
“Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level,” CISA said. “A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.”
The Food and Drug Administration (FDA) said an unauthorized user could weaponize the shortcoming to impact “genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.”
There is no evidence that the two vulnerabilities have been exploited in the wild. Users are recommended to apply the fixes released on April 5, 2023, to mitigate potential threats.
This is not the first time severe flaws have come to light in Illumina’s DNA sequencing instruments. In June 2022, the company disclosed a number of similar vulnerabilities that could have been abused to seize control of affected systems.
The disclosure arrives nearly a month after the FDA issued new guidance that will require medical device manufacturers to adhere to a set of cybersecurity requirements when submitting an application for a new product.
This includes a plan to monitor, identify, and address “postmarket” cybersecurity vulnerabilities and exploits within a reasonable time period, and to design and maintain processes to ensure the security of such devices through regular and out-of-band patches.
Some parts of this article are sourced from:
thehackernews.com