Oxford Nanopore Technologies MinKNOW Authentication Token Vulnerability Allowing Unauthorized Remote Access
Vulnerability
Oxford Nanopore Technologies' MinKNOW software, in versions through 24.11, improperly stores authentication tokens in a temporary file within the system's world-readable temporary directory. This exposure allows local users or applications to access the tokens. If a token is leaked and remote access is enabled, it can be used to establish unauthorized connections to the sequencer. This vulnerability could be exploited by malware with elevated privileges or by users who have intentionally enabled remote access.
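The storage weakness described above, shown next to an owner-only alternative and a permission audit. This is an added example for POSIX systems, not MinKNOW code: the file names, the token value and all function names are constructed, and the advisory does not give the real token file name or describe the vendor's fix.

```python
import os
import stat
import tempfile

def write_token_weak(path, token):
    """Failure mode: permissions are left to the umask (0644 under umask 022)."""
    old = os.umask(0o022)  # assumption: a common default umask
    try:
        with open(path, "w") as fh:
            fh.write(token)
    finally:
        os.umask(old)

def write_token_private(path, token):
    """Create the file owner-only and refuse to reuse a pre-existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # enforce 0600 even under a permissive umask
        os.write(fd, token.encode())
    finally:
        os.close(fd)

def exposed_files(directory):
    """Return names of regular files that group or other users can read."""
    found = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        mode = entry.stat(follow_symlinks=False).st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            found.append(entry.name)
    return sorted(found)

def demo():
    """Write one token each way into a scratch directory, then audit it."""
    with tempfile.TemporaryDirectory() as scratch:
        token = "CONSTRUCTED-TOKEN-VALUE"  # constructed sample, not a real token
        write_token_weak(os.path.join(scratch, "weak-token.json"), token)
        write_token_private(os.path.join(scratch, "private-token.json"), token)
        return exposed_files(scratch)

if __name__ == "__main__":
    print(demo())
```

Pointing `exposed_files` at the host's temporary directory lists every file there that other local accounts can read, which is the condition the advisory describes.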
Impact
Exploitation of this vulnerability could lead to unauthorized remote access to the sequencer, allowing attackers to disrupt sequencing operations, manipulate or exfiltrate data, and bypass authentication controls. Additionally, this vulnerability could be combined with remote access capabilities to generate a developer token from a remote device, granting persistent access to the sequencer and circumventing standard authentication mechanisms.
Remediation
Users are advised to upgrade to MinKNOW versions later than 24.11. For those on version 24.06 who cannot upgrade, it is recommended to keep Remote Connect disabled unless strictly necessary, and to install and maintain antivirus and malware scanning tools. Users running older versions of MinKNOW who cannot upgrade immediately should contact Oxford Nanopore Support for guidance on securing their configurations.
