Vulnerability in Illumina Medical Devices

|

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory warning of severe vulnerabilities impacting Illumina Medical Devices. The susceptible Illumina DNA sequencing instruments are used for clinical diagnosis that vital medical treatments rely on.

The first vulnerability, CVE-2023-1968, affects the Universal Copy Service (UCS) software utilized in Illumina’s Internet of Medical Devices (IoMD). This exploit allows remote attackers to bind to exposed IP addresses, which enables eavesdropping on network traffic and remotely transmitting arbitrary commands.

The second vulnerability, CVE-2023-1966, allows remote unauthenticated bad actors to upload and execute code with elevated permissions.

Both vulnerabilities enable attackers to take any action at the operating system level, which includes interacting with the affected product via the network connection and also altering configurations, software, or data.

The Food and Drug Administration (FDA) has also warned that unauthorized users could potentially weaponize these vulnerabilities to impact the genomic data results in IoMDs intended for clinical diagnosis and treatments.

Illumina’s DNA sequencing instruments are used in various medical settings and to analyze genetic material in clinical and research settings. These instruments are essential for identifying genetic abnormalities and detecting certain diseases like cancer.

More technical details about the mechanism of attack are provided below.

Acreto Solution

Acreto can effectively and quickly address both vulnerabilities for Illumina and other Internet of Medical Devices (IoMD) without impacting its FDA approval.

To address CVE-2023-1966 and CVE-2023-1968, an organization can utilize an Acreto Ecosystem to isolate access to only the users, devices, systems and applications that need to interoperate with the Illumina devices.

Each user and device is first identified and only authorized external or internal users and devices can gain access. Access can be further limited by using micro-segmentation, nano-segmentation and isolated data flows. Controls can be implemented to limit communications to only the network protocols and ports, as well as application protocols and programs required by each user, device or application.

Then all communications are scrubbed for threats to and from each member of the Ecosystem.

Ecosystems

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with:

  • Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

  • Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

  • Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

  • Threat Signature: Identifies and mitigates known bad exploits, malware, botnets and ransomware.

  • Zero-Day Behavioral Analysis: Looks for behavioral indications of threats based on how system functions react to the payload, immediately and over time.

Simplicity

  • Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

  • Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

  • Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Mechanism of Attack

  • (CVE-2023-1968): Instruments with Illumina Universal Copy Service v2.x are vulnerable due to binding to an unrestricted IP address. An unauthenticated malicious actor could use UCS to listen on all IP addresses, including those capable of accepting remote communications.

  • (CVE-2023-1966): Instruments with Illumina Universal Copy Service v1.x and v2.x contain an unnecessary privileges vulnerability. An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product.

For more details on CVEs, visit: CVE – CVE (mitre.org)

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.