Oxford Nanopore Technologies MinKNOW Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Oxford Nanopore Technologies' MinKNOW software, affecting versions through 24.11. The issue arises because the software creates a temporary file in a publicly accessible directory to store the local authentication token during startup. An unauthorized local user or process can exploit this by placing a file lock on the temporary token file, using the flock system call. This action disrupts the token generation process, preventing MinKNOW from creating a valid local token. Consequently, the software cannot execute commands on the sequencer, leading to a disruption of sequencing operations.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, interrupting sequencing operations and processes.

Remediation

Users are advised to upgrade to MinKNOW versions later than 24.11. Those on version 24.06 should keep Remote Connect disabled unless strictly necessary and enable it only within trusted network environments. Additionally, installing and maintaining antivirus and malware scanning tools can help mitigate denial-of-service conditions from local exploitation or malware. Users running older versions of MinKNOW who cannot upgrade immediately should contact Oxford Nanopore Support for guidance on securing their configurations.