As a reminder, BIO-ISAC will facilitate the ethical submission of your findings. Please view our disclosure process for more information.
Active! Critical Vulnerability in Illumina software (LRM) - CVSS 10/10 - Fix ASAP
(Includes hashes for patch, as verified with Illumina by BIO-ISAC)
BIO-ISAC has followed up on this vulnerability and has positively confirmed the hashes (file identity signatures) for the patch that Illumina created for these critical vulnerabilities. Many of you asked for confirmation, and BIO-ISAC engaged with Illumina to ensure that you are not installing a maliciously modified patch, a risk that an opportunistic attacker may have taken advantage of given that Illumina had not publicly confirmed the hashes for the correct patch. Information is below.
Patch File Name: LocalRunManagerSecurityPatch.msi
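One way to run the hash check described above before installing the patch, as an added example that is not BIO-ISAC's or Illumina's code. The function name `Test-PatchHash`, the SHA-256 default, the local file path and the `<HASH-FROM-ADVISORY>` placeholder are assumptions; substitute the hash value confirmed in the advisory.

```powershell
# Added example: compare a downloaded patch against a published hash before installing.
# Assumption: the published digest is SHA-256 unless -Algorithm says otherwise.
function Test-PatchHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('SHA256', 'SHA1', 'MD5')] [string] $Algorithm = 'SHA256'
    )

    # Hex digest length per algorithm. A wrong-length value means the expected
    # hash was mistyped, truncated, or belongs to a different algorithm.
    $hexLength = @{ SHA256 = 64; SHA1 = 40; MD5 = 32 }[$Algorithm]

    # Normalise: drop whitespace and separators picked up when copying from a page or e-mail.
    $expected = ($ExpectedHash -replace '[\s:-]', '').ToUpperInvariant()
    if ($expected -notmatch "^[0-9A-F]{$hexLength}$") {
        throw "Expected hash is not a $hexLength-character hex $Algorithm digest."
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Patch file not found: $Path"
    }

    # Get-FileHash returns the digest as an uppercase hex string.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    [pscustomobject]@{
        File      = (Resolve-Path -LiteralPath $Path).Path
        Algorithm = $Algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -eq $expected)
    }
}

# Placeholder, not a real hash: replace with the value published in the advisory.
# Left unchanged, the function throws instead of reporting a result.
$ExpectedHash = '<HASH-FROM-ADVISORY>'

$result = Test-PatchHash -Path '.\LocalRunManagerSecurityPatch.msi' -ExpectedHash $ExpectedHash
$result | Format-List

if (-not $result.Match) {
    Write-Error 'Hash mismatch: do not install this file.'
    exit 1
}
```

Take the expected value from the advisory itself rather than from the page or mirror the file was downloaded from, so a tampered download cannot supply its own matching hash.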
For those of you who are not yet members of the BIO-ISAC, please consider joining the organization - it helps us do this vital work of engagement and vulnerability disclosure/follow-through. Membership in the org also allows us to create programs like our emergency threat hunting service with our founding member Johns Hopkins Advanced Physics Laboratory (JHU APL). More about that program, including how to become involved for your organization, is detailed here: https://www.wired.com/story/biotech-security-threats/ and https://www.isac.bio/post/bio-isac-partners-to-provide-free-emergency-threat-hunting-service-to-bioeconomy-companies.
Thank you again to everyone involved.