Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerabilities Found in Popular DNA Sequencing Software

dnaLIMS DNA Sequencing Software Vulnerabilities

Multiple Vulnerabilities in dnaLIMS Disclosed After Vendor Failed to Engage with Security Researchers

dnaLIMS DNA Sequencing Software Vulnerabilities

Multiple Vulnerabilities in dnaLIMS Disclosed After Vendor Failed to Engage with Security Researchers

Multiple vulnerabilities exist in dnaLIMS, a web based laboratory information management system that provides scientists and researches with tools for processing and managing DNA sequencing requests. dnaLIMS, developed and sold by dnaTools, is used by academia, business and government; and is found in many US universities. The vulnerabilities are described as critical.

They were discovered in Q4 2016 by boutique security firm Shorebreak Security, and were reported to the vendor on Nov. 6. Shorebreak had been commissioned by a hospital user of dnaLIMS to perform a blackbox penetration test of the product. Users of dnaLIMS should note that at the time of writing this, the vulnerabilities have not been patched and are publicly known. For now, users should restrict access to authorized hosts only and make sure that the product cannot be accessed from the public internet; although in university environments that will still leave potential access to many thousands of students and academic researchers.

Shorebreak attempted to follow ‘responsible disclosure’ guidelines and reported seven serious vulnerabilities privately to the vendor. After four months of trying to engage with the vendor, it publicly disclosed the vulnerabilities in an advisory published this week. “Researchers cannot keep quiet about vulnerabilities indefinitely,” Shorebreak CEO Mark Wolfgang told SecurityWeek. “If we can find these problems, so can hackers — and dnaLIMS users need to be aware of the issues.”

The vulnerabilities include an improperly protected web shell, unauthenticated directory traversal, insecure password storage, session hijacking, multiple cross-site scripting, and improperly protected content.

“An unauthenticated attacker,” warns the advisory, “has the ability to execute system commands in the context of the web server process, hijack active user sessions, retrieve system files (including the plaintext password file), and inject untrusted html or JavaScript into the dnaLIMS application. An attacker could use these vulnerabilities together in order to gain control of the application as well as the operating system hosting the dnaLIMS software. If this software is being hosted publicly or in a DMZ this could act as a pivot point to launch further attacks or move laterally into trusted network(s).”

Wolfgang described his frustrations in trying to engage with the vendor. When he asked dnaTools for a PGP key to deliver the details securely, he was told to print them out and send hard copy through the post. “I got the feeling,” Wolfgang told SecurityWeek, “they thought or hoped we wouldn’t bother.” But he did. He did so on Nov. 16, 2016, using USPS Certified Mail. But it wasn’t until Dec. 8 that dnaTools acknowledged receipt and suggested that users place the application behind a firewall.

When he asked the vendor if it had a plan to address the vulnerabilities, he received the reply, “Yes, we have a plan. Please gather a DNA sequence, PO Number, or Fund Number and go to your local grocery store and see what it will buy you.” The vendor clearly believes that the vulnerabilities cannot lead to meaningful data loss.

SecurityWeek emailed dnaTools requesting its point of view, but received no reply.

Earlier this week, Zenofex of exploiteers disclosed a series of vulnerabilities in Western Digital’s My Cloud range of storage devices. Zenofex went straight to full public disclosure because, he told SecurityWeek, he had no confidence “in regards to [the] manufacturer’s ability to properly triage and fix vulnerabilities in their code.”

With dnaTools, Shorebreak Security attempted to follow responsible disclosure guidelines — indeed, it exceeded those guidelines by giving the vendor four months to fix the product. But in the end, the result was the same in both cases: full public disclosure with no immediate fix from the vendor.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet