As a reminder, BIO-ISAC will facilitate the ethical submission of your findings, please view our disclosure process for more information.
Active! An ICS Medical Advisory regarding Illumina Universal Copy Service (UCS) regarding binding to an unrestricted IP address and execution with unnecessary privileges. Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level.
- CVE-2023-1968 has been assigned a CVSS v3 base score of 10/10
- CVE-2023-1966 has been assigned a CVSS v3 base score of 7.4/10
In response, FDA issued a notification letter to health providers detailing the extent of the vulnerability and sourcing key materials and checkpoints for practitioners.
If your organization is impacted as a result of this vulnerability and require assistance from BIO-ISAC, please email firstname.lastname@example.org. We will continue to update the community regarding this vulnerability.
Active! Critical Vulnerability in Illumina software (LRM) - CVSS 10/10 - Fix ASAP
(Includes hashes for patch, as verified with Illumina by BIO-ISAC)
BIO-ISAC has followed up on this vulnerability and has been able to positively confirm the hashes (file identity signature) for the patch that Illumina created for these critical vulnerabilities. Many of you asked for confirmation and BIO-ISAC engaged with Illumina to ensure that you are not installing a maliciously modified or patch that an opportunist attacker may have taken advantage of given that Illumina had not publicly confirmed the hashes for the correct patch - information below.
Patch File Name: LocalRunManagerSecurityPatch.msi
For those of you who are not yet members of the BIO-ISAC, please consider joining the organization - it helps us do this vital work of engagement and vulnerability disclosure/follow through. Membership in the org also allows us to create programs like our emergency threat hunting service with our founding member John Hopkins Advanced Physics Laboratory (JHU APL). More about that program, including how to become involved for your organization, is detailed here: https://www.wired.com/story/biotech-security-threats/ and https://www.isac.bio/post/bio-isac-partners-to-provide-free-emergency-threat-hunting-service-to-bioeconomy-companies.
Thank you again to everyone involved.