AdminUniversal Copy Service, a software package used by medical labs around the world for DNA sequencing, contains two serious vulnerabilities that could allow cybercriminals to fully take over targeted endpoints and exfiltrate sensitive data.
A joint security advisory issued by the U.S. Cybersecurity Infrastructure Security Agency (CISA) and the FDA urged users to patch the software as soon as possible.
“An unauthenticated malicious actor could upload and remotely execute code at the operating system level, which could allow an attacker to change settings, configuration, software, or access sensitive data on the affected product,” the CISA alert reads.
Sensitive data
Developed by a California-based medical technology company called Illumina, Universal Copy Service is one of the most popular DNA sequencing tools in the world. Research organizations, academic institutions, biotech companies and pharmaceutical companies (opens in a new tab) in 140 countries are frequent users of this program, according to the publication.
“On April 5, 2023, Illumina sent notices to affected customers instructing them to check their medical instruments and devices for signs of potential exploitation of the vulnerability,” the FDA added.
According to the report, two vulnerabilities are tracked as CVE-2023-1968 and CVE-2023-1966. The first is a 10/10 “critical” vulnerability that allows cybercriminals to listen to all network traffic, consequently finding more vulnerable hosts on the network. Hackers can use it to send commands to software, adjust settings, and even access sensitive data, researchers say. The latter, on the other hand, is a “high” severity 7.4/10 vulnerability allowing UCS users to run commands with elevated privileges.
Since the vulnerabilities affect many Illumina products, there are different sets of mitigations depending on the software in question. Illumina recommends doing a variety of things, from updating system software to setting up UCS account credentials to closing certain firewall ports that may be abused.
A full list of sensitive products can be found on the website this link (opens in a new tab).
By: Beeping Computer (opens in a new tab)
