Researchers Found Critical Vulnerability in Burrows-Wheeler Aligner Genomics Mapping Software

Researchers at Sandia National Laboratories discovered a vulnerability in open-source software widely used by genomics researchers. An attacker who exploits it could access and modify sensitive genetic data.

DNA screening involves two steps. The first is sequencing the patient's DNA. The second is mapping the sequenced data against a standardized reference human genome using a software tool and comparing the two; any differences are then assessed to determine whether they indicate disease.

The vulnerability, tracked as CVE-2019-10269, is a stack-based buffer overflow in the Burrows-Wheeler Aligner (BWA), a program many researchers use for DNA-based medical diagnostics. It is triggered when BWA imports the standardized reference human genome from government servers. That download travels over an insecure channel, so an attacker in a man-in-the-middle position can intercept it and alter the data before BWA parses it.

An attacker who intercepts the reference genome in transit can bundle malicious content with it, and the tampered file is then delivered to the BWA user's device. When BWA reads the crafted file, the overflow can be used to run the attacker's code on that machine, and that code could alter the result of the patient's DNA analysis during genome mapping, so the resulting analysis is wrong.
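To make the bug class concrete, here is an added example that is not BWA's code and not the function actually affected by CVE-2019-10269. It parses a small, constructed index of contig names and lengths (the record format, the 64-byte NAME_MAX, and the sample index texts are assumptions made for illustration) into a fixed-size stack buffer, first in the unbounded way that overflows on an overlong field, then with the check that rejects such a line before anything is written past the buffer:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical index record (a constructed stand-in, not BWA's real format):
 * one contig name and its length in bases per line, e.g. "chr1 248956422". */
#define NAME_MAX 64
struct contig { char name[NAME_MAX]; long len; };

/* VULNERABLE pattern: "%s" has no width limit, so a name longer than NAME_MAX-1
 * bytes writes past the end of the stack buffer. Shown only for contrast; never call it on untrusted input. */
int parse_contig_unsafe(const char *line, struct contig *out)
{
    char name[NAME_MAX];                 /* fixed-size stack buffer */
    long len;
    if (sscanf(line, "%s %ld", name, &len) != 2)
        return -1;
    strcpy(out->name, name);
    out->len = len;
    return 0;
}

/* HARDENED version: the width is bounded ("%63s"), "%n" reports where the scan
 * stopped, and a name that did not end at whitespace is rejected outright rather
 * than silently truncated (a truncated name would quietly change the mapping). */
int parse_contig_safe(const char *line, struct contig *out)
{
    char name[NAME_MAX];
    long len;
    int consumed = 0;
    if (sscanf(line, "%63s%n", name, &consumed) != 1)
        return -1;                       /* empty or malformed line */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -2;                       /* name too long for the buffer */
    if (sscanf(line + consumed, "%ld", &len) != 1)
        return -1;                       /* missing length field */
    if (len < 0)
        return -3;                       /* nonsensical length */
    snprintf(out->name, sizeof out->name, "%s", name);
    out->len = len;
    return 0;
}

/* Walks a whole index text line by line. Returns the number of records
 * accepted, or -(line number) of the first line that fails validation. */
int validate_index(const char *text)
{
    struct contig rec;
    int count = 0, lineno = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        lineno++;
        if (n >= sizeof line)
            return -lineno;              /* no legitimate record is this long */
        memcpy(line, p, n);
        line[n] = '\0';
        if (n > 0 && parse_contig_safe(line, &rec) != 0)
            return -lineno;
        if (n > 0)
            count++;
        p = nl ? nl + 1 : p + n;
    }
    return count;
}

/* Constructed benign index: three contigs, lengths illustrative. */
static const char BENIGN_INDEX[] =
    "chr1 248956422\n"
    "chr2 242193529\n"
    "chrM 16569\n";

/* Constructed hostile index: the second contig name is 150 bytes, far past
 * NAME_MAX. This is the kind of line parse_contig_unsafe would overflow on. */
const char *hostile_index(void)
{
    static char buf[512];
    if (buf[0] == '\0') {
        strcpy(buf, "chr1 248956422\n");
        size_t n = strlen(buf);
        memset(buf + n, 'A', 150);
        buf[n + 150] = '\0';
        strcat(buf, " 1000\nchrM 16569\n");
    }
    return buf;
}

int main(void)
{
    printf("benign index: %d records accepted\n", validate_index(BENIGN_INDEX));
    printf("hostile index: rejected at line %d\n", -validate_index(hostile_index()));
    return 0;
}
```

Build with `cc -Wall -fstack-protector-strong example.c`. The stack protector would turn the unsafe parser's silent corruption into an abort on the hostile line, which converts code execution into a crash but is not a fix; the fix is the bounded read plus an explicit reject, as in parse_contig_safe. Rejecting rather than truncating matters here because a silently shortened contig name would alter mapping results without any error, which is exactly the integrity failure the article describes.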

An attacker could alter the DNA mapping data so that a sick patient appears to have no disease, delaying treatment. The altered analysis could equally be made to show a disease the patient does not have, leading doctors to prescribe needless medication that could itself cause harm.

After discovering the vulnerability, Sandia notified the software's developer and the U.S. Computer Emergency Readiness Team (US-CERT). The developer released a patch in the latest software version, and so far there are no reports of the vulnerability being exploited in real-world attacks.

The vulnerability is rated critical, with a CVSS v3 base score of 9.8 out of 10, and exploiting it requires only low-level skill.

All BWA users should update to the latest version immediately to prevent future exploitation. The patch fixes the parsing bug, but it does not change how the reference genome is delivered, so the researchers also advised adding integrity protection so that alteration of sequenced DNA data can be detected, and sending sensitive data only over secure, encrypted channels.

The researchers also urged the security community to assess other genomics software for comparable flaws. Although this BWA vulnerability has been fixed, similar vulnerabilities may exist in other genome-mapping programs.