Five vulnerabilities were discovered in the Illumina Local Run Manager (LRM), which is used by Illumina Research Use Only (RUO) instruments and Illumina In Vitro Diagnostic (IVD) devices. The affected instruments are used for clinical diagnostic DNA sequencing, for screening for various genetic disorders, and for research. Four of the vulnerabilities are critical; three were given the highest CVSS severity rating of 10.
The vulnerabilities impact the devices and instruments listed below:
For the Illumina IVD devices:
- MiSeq Dx: LRM Versions 1.3 to 3.1
- NextSeq 550Dx: LRM Versions 1.3 to 3.1
For the Illumina RUO devices:
- MiniSeq Instrument: LRM Versions 1.3 to 3.1
- iSeq 100 Instrument: LRM Versions 1.3 to 3.1
- MiSeq Instrument: LRM Versions 1.3 to 3.1
- NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
- NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
A threat actor can exploit the vulnerabilities remotely to take control of the devices and execute any action at the operating-system level, for example changing settings, configurations, software, or data on the device. The attacker can also use the vulnerabilities to reach the connected network through the affected product.
This is the list of vulnerabilities:
- CVE-2022-1517 is a remote code execution vulnerability: because the LRM runs with elevated privileges, a malicious actor can upload and execute code at the operating-system level. The vulnerability was given a critical CVSS v3 severity rating of 10.
- CVE-2022-1518 is a directory traversal vulnerability that enables a malicious actor to upload files outside the intended directory structure. This critical vulnerability was given a CVSS v3 severity rating of 10.
- CVE-2022-1519 is caused by a failure to restrict uploads of unsafe file types. A malicious actor can upload any file type, including executable code, which allows remote code execution. This critical vulnerability was given a CVSS v3 severity score of 10.
- CVE-2022-1521 is caused by insufficient authentication or authorization in the default settings, enabling a malicious actor to inject, replay, modify, and/or intercept sensitive information. This critical vulnerability was given a CVSS v3 severity rating of 9.1.
- CVE-2022-1524 is caused by the lack of TLS encryption when sensitive data is sent, leaving input data, including credentials, vulnerable to interception by a man-in-the-middle attack. This high severity vulnerability was given a CVSS v3 severity rating of 7.4.
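The two upload weaknesses above, directory traversal (CVE-2022-1518) and unrestricted file types (CVE-2022-1519), share one root cause: trusting the client-supplied filename. The following is an added illustration, not Illumina's code, showing the unsafe join beside a hardened `validate_upload()` check; the upload directory, the hypothetical allowlist of suffixes and the sample filenames are all constructed for the example.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Allowlist of upload types (assumed for this example, not Illumina's list).
ALLOWED_SUFFIXES = {".csv", ".txt", ".json"}


def vulnerable_target(upload_dir: str, client_name: str) -> Path:
    """Unsafe pattern: the client-supplied name is joined onto the upload
    directory as-is, so '../' segments escape it and any suffix is accepted."""
    return Path(upload_dir) / client_name


def escapes_base(upload_dir: str, client_name: str) -> bool:
    """True when the unsafe join resolves to a path outside upload_dir."""
    base = Path(upload_dir).resolve()
    return not vulnerable_target(upload_dir, client_name).resolve().is_relative_to(base)


def validate_upload(upload_dir: str, client_name: str) -> Path:
    """Return a safe destination inside upload_dir or raise ValueError."""
    if "\x00" in client_name:
        raise ValueError("NUL byte in filename")
    base = Path(upload_dir).resolve()
    # Keep only the final component, treating both '/' and '\\' as separators,
    # so no directory part of the client's name survives.
    leaf = PureWindowsPath(PurePosixPath(client_name).name).name
    if not leaf or leaf in {".", ".."} or leaf.startswith("."):
        raise ValueError(f"rejected name {client_name!r}")
    # Allowlist the final suffix; 'run.csv.exe' fails because its suffix is '.exe'.
    if Path(leaf).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"file type not allowed: {leaf!r}")
    dest = (base / leaf).resolve()
    # Belt and braces: confirm the resolved target is still under the base.
    if not dest.is_relative_to(base):
        raise ValueError("destination escapes upload directory")
    return dest


def is_safe(upload_dir: str, client_name: str) -> bool:
    """True if validate_upload accepts the name (handy for tests and logging)."""
    try:
        validate_upload(upload_dir, client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names of the kind an upload scanner would log.
    for name in ["SampleSheet.csv", "../../etc/passwd", "..\\..\\run.csv",
                 "payload.exe", "run.csv.exe", ".hidden.csv"]:
        print(f"{name!r:22} escapes={escapes_base('uploads', name)!s:5} "
              f"hardened_accepts={is_safe('uploads', name)}")
```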
Pentest, Ltd reported the vulnerabilities to Illumina. Illumina has released a software patch that blocks remote exploitation of the vulnerabilities as a temporary fix until a permanent solution is available for current and future devices.
The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have released security notifications recommending prompt action to address the vulnerabilities.
The patch for Internet-connected instruments can be downloaded on this page. Users whose instruments are not connected to the Internet must contact Illumina Tech Support.