Critical Vulnerability Identified in Burrows-Wheeler Aligner Genomics Mapping Software

Researchers at Sandia National Laboratories have discovered a vulnerability in open source software used by genomic researchers. If exploited, an attacker could gain access to and alter sensitive genetic information.

DNA screening is a two-step process. First, a patient’s DNA is sequenced and their genome is mapped. Then, the patient’s genetic information is compared with a standardized human genome. Any differences between the two are assessed to determine whether they indicate disease. A software tool is used to make the comparison.

Sandia researchers discovered a stack-based buffer overflow vulnerability – CVE-2019-10269 – in the Burrows-Wheeler Aligner (BWA) program used by many researchers to perform DNA-based medical diagnostics. The vulnerability is present at the point where BWA imports the standardized human genome from government servers. Patient information is transmitted via an insecure channel and could be intercepted in a man-in-the-middle attack.

An attacker could intercept the standardized human genome, combine it with malware, and then transmit both to the BWA user’s device. The malware could alter the information in the patient’s DNA analysis during genome mapping and, as a result, the final DNA analysis could be corrupted.

An attacker could alter DNA mapping data to make it appear that a patient does not have a disease, which would delay the patient receiving treatment. The DNA analysis could also be altered to indicate a patient has a disease, which would lead physicians to prescribe unnecessary medications that could potentially be harmful to the patient.

After discovering the vulnerability, Sandia notified the software developer and the U.S. Computer Emergency Readiness Team (US-CERT). The software developer has now patched the vulnerability in the latest version of the software. No reports have been received to date to suggest the flaw has been exploited in real-world attacks.

The vulnerability requires a low level of skill to exploit and has been assigned a CVSS v3 base score of 9.8 out of 10 – Critical.

All users of the BWA program should update to the latest version of the software as soon as possible to prevent the flaw from being exploited. The researchers also suggest implementing a solution that prevents sequenced DNA data from being altered and to only ever send sensitive data over secure, encrypted channels.
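The two controls recommended above, an encrypted channel for the reference genome and a check that the data has not been altered before it is used, can be enforced in the pipeline that fetches the reference for an aligner. The following is an added example written for this article, not code from BWA or from the Sandia researchers; the HTTPS-only rule, the pinned SHA-256 digest, the `MAX_HEADER_LEN` bound and the toy FASTA data are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Policy values assumed for this example; a real deployment pins the digest
# published alongside the reference genome release it actually uses.
MAX_HEADER_LEN = 256  # FASTA header lines longer than this are rejected, not parsed

def require_https(url: str) -> str:
    """Refuse a reference-genome source that an on-path attacker could rewrite in transit."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"reference genome must be fetched over HTTPS, got {url!r}")
    return url

def verify_digest(data: bytes, expected_sha256: str) -> bool:
    """Compare the file's SHA-256 with the pinned value in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

def load_reference(data: bytes, expected_sha256: str) -> list[tuple[str, int]]:
    """Check integrity first, then parse FASTA into (record name, sequence length) pairs.

    A digest mismatch or an over-long header aborts the load, so a tampered or
    malformed file is never handed to the aligner's own parser.
    """
    if not verify_digest(data, expected_sha256):
        raise ValueError("reference genome digest mismatch; refusing to load")
    records: list[tuple[str, int]] = []
    name, length = None, 0
    for line in data.splitlines():
        if line.startswith(b">"):
            if len(line) > MAX_HEADER_LEN:
                raise ValueError("FASTA header exceeds MAX_HEADER_LEN; refusing to load")
            if name is not None:
                records.append((name, length))
            fields = line[1:].split()
            name = fields[0].decode("ascii", "replace") if fields else ""
            length = 0
        elif name is not None:
            length += len(line.strip())
    if name is not None:
        records.append((name, length))
    return records

# Constructed sample: a two-record toy "reference", not real genome data.
SAMPLE_FASTA = b">chr1 toy contig\nACGTACGTAC\nGGCC\n>chr2\nTTTTAAAA\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FASTA).hexdigest()  # the value a deployment would pin

if __name__ == "__main__":
    require_https("https://example.org/reference.fa")
    print(load_reference(SAMPLE_FASTA, SAMPLE_SHA256))
```

In practice the pinned digest comes from the reference provider's published checksum, stored with the pipeline's configuration rather than computed from the downloaded file.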

The researchers have also urged security researchers to analyze genomics software for similar weaknesses. While the BWA vulnerability has been corrected, similar vulnerabilities may exist in other genomics mapping programs.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.