Privacy Ninja

Access:7 Vulnerabilities Impact Medical and IoT Devices

A set of seven vulnerabilities collectively tracked as Access:7 have been found in PTC’s Axeda agent, a solution used for remote access and management of more than 150 connected device models from over 100 vendors.

Three of the security issues received a severity score of at least 9.4 (critical) and could be exploited for remote code execution on devices running a vulnerable version of the Axeda agent.

Developed by Parametric Technology Corporation (PTC), the Axeda platform uses locally deployed agents to collect telemetry data from IoT devices on the network and to offer remote servicing of those devices.

Axeda agents run on a wide variety of connected systems, with healthcare devices the most prevalent. Because the same agent ships inside products from many different vendors, a flaw in it affects every one of them at once, which makes it an attractive target for supply-chain attacks.


Critical, remote code execution bugs

Security researchers at Forescout’s Vedere Labs and CyberMDX (a Forescout company since February 1, 2022) found that all Axeda agent versions below 6.9.3 are affected by a set of seven security flaws.

The impact of the issues, collectively dubbed Access:7, ranges from information disclosure and denial of service (DoS) to remote code execution (RCE).

CVE ID | Description | Impact | Severity score
CVE-2022-25249 | The Axeda xGate.exe agent allows unrestricted file-system read access via a directory traversal on its web server | Information disclosure | 7.5
CVE-2022-25250 | The Axeda xGate.exe agent can be shut down remotely by an unauthenticated attacker via an undocumented command | Denial of service (DoS) | 7.5
CVE-2022-25251 | The Axeda xGate.exe agent supports a set of unauthenticated commands to retrieve information about a device and modify the agent’s configuration | RCE | 9.4
CVE-2022-25246 | The AxedaDesktopServer.exe service uses hard-coded credentials to enable full remote control of a device | RCE | 9.8
CVE-2022-25248 | The ERemoteServer.exe service exposes a live event text log to unauthenticated attackers | Information disclosure | 5.3
CVE-2022-25247 | The ERemoteServer.exe service allows full file-system access and remote code execution | RCE | 9.8
CVE-2022-25252 | All Axeda services using xBase39.dll can be crashed by a buffer overflow when processing requests | Denial of service (DoS) | 7.5

The Axeda Platform provides connected device manufacturers a development kit that lets them “generate a configured agent installation for a product line,” Forescout says.

This way, manufacturers get telemetry data, and devices can receive service remotely. One agent can represent one or more devices, depending on where it sits: if placed at a gateway, it can serve multiple products, or assets, behind the gateway.


Figure: Axeda components

It is worth noting that PTC phased out Axeda in favor of a different, more flexible platform called ThingWorx. Nevertheless, Axeda is still in use by customers in various sectors.

Anonymized customer data that Forescout collects through its Device Cloud solution shows more than 2,000 unique devices running Axeda on customer networks.

Figure: Prevalence of Axeda agent connected devices in healthcare (source: Forescout)

Exploiting the flaws

In a report today, Forescout explains that in the case of medical devices, even the less severe Access:7 vulnerabilities can have a significant impact.

For instance, an attacker gaining read access by exploiting CVE-2022-25249 on an imaging or lab device (where Axeda agents are most common, according to Forescout’s data) could steal protected health information (PHI) or a patient’s diagnostic data and sell it on, particularly when the victim is a high-value target.

Similarly, by exploiting a bug like CVE-2022-25250, a threat actor could shut down the Axeda agent on a device in a targeted attack, making remote servicing impossible. This can force the healthcare unit to interrupt a patient’s therapy or diagnosis.

With a critical vulnerability like CVE-2022-25246 (hard-coded credentials for remote access), Forescout highlights that the password “for a VNC connection is the same across all models or model families for a vendor,” so a single recovered password unlocks every unit of that model family.

The researchers underline that the VNC connection can also be used to modify medical information, which could have severe consequences for the patient (e.g. mistreatment).

Alternatively, adversaries could leverage this advantage to plant malicious code that gives them persistence on the network for future attacks.

Lengthy disclosure process

Forescout’s Vedere Labs and CyberMDX discovered the Access:7 set of security vulnerabilities and both companies participated in the responsible disclosure.

This was a long process, as is the case with supply chain vulnerabilities that involve a large number of devices and vendors. In this case, 210 days passed from the initial report to the public disclosure.

PTC received the report from CyberMDX on August 10, 2021 and then requested proof-of-concept exploits to show that the vulnerabilities could be leveraged in realistic attacks.

In November 2021, PTC notified CISA for coordinated disclosure. In January 2022, PTC started to notify downstream vendors (active customers only).

To reduce risk to a minimum, Forescout created a list of devices currently using or having used Axeda from as many vendors as possible, even if they are inactive Axeda customers, and alerted them of the vulnerabilities.

Patches offer complete protection

PTC has addressed all Access:7 vulnerabilities in the Axeda agent, and device makers should roll out the fixed versions to their customers, since patching is the only way to completely mitigate the issues.

If installing the latest versions of the Axeda agent is not possible, Forescout provides the following mitigation advice:

  • Configure the Axeda agent and the ADS (Axeda Desktop Server) service to listen only on the localhost interface 127.0.0.1, so that their ports are not exposed to the network (see PTC’s knowledge base article)
  • Provide a strong, unique password in the AxedaDesktop.ini file for each unit
  • Never use ERemoteServer.exe in production: delete its executable from production hosts, remove the installation file, and remove any deployment utility installation and any other unnecessary executable files
  • If the host runs Windows, configure localhost (127.0.0.1) communication between ERemoteServer.exe and Axeda Builder (see PTC’s knowledge base article)
  • If the host is not running Windows, run ERemoteServer.exe on a different machine and ensure that only trusted hosts can reach ports 3076 and 3077 on the machine running ERemoteServer.exe
  • Configure the Axeda agent with the authentication information required to log in to the Deployment Utility (see PTC’s knowledge base article)
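A quick way to verify the localhost-only binding and the ERemoteServer port advice above on a Windows host is to check what the Axeda processes are actually listening on. The following Python script is an added example, not PTC’s or Forescout’s code: it parses `netstat -ano` style output together with a PID-to-process map (as `tasklist` would give) and flags any Axeda process bound to a non-loopback address. The sample netstat lines, addresses and process list are constructed; ports 3076/3077 come from the advice above, while 5900 (ADS VNC) and 8080 (xGate web server) in the sample are assumptions for illustration only.

```python
"""Flag Axeda services that listen on non-loopback interfaces.

Added example (not PTC or Forescout code). It parses the output of
`netstat -ano` on a Windows host plus a PID -> process-name map (as produced
by `tasklist`) and reports Axeda processes reachable from the network, which
is exactly what the localhost-only mitigation is meant to rule out.
"""
import ipaddress
import re

# Axeda binaries named in the advisory. Assumption: these are the image names
# as shown by tasklist on an affected host.
AXEDA_PROCESSES = {"xgate.exe", "axedadesktopserver.exe", "eremoteserver.exe"}

# ERemoteServer.exe ports named in Forescout's mitigation advice.
EREMOTESERVER_PORTS = {3076, 3077}

# One TCP socket in LISTENING state: "TCP  <local>  <remote>  LISTENING  <pid>"
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed sample in netstat -ano layout. Ports 5900 (ADS VNC) and 8080
# (xGate web server) are assumptions for illustration; 3076/3077 come from
# the advisory. Addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:3076           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:3077         0.0.0.0:0              LISTENING       4120
  TCP    [::]:5900              [::]:0                 LISTENING       3308
  TCP    10.0.5.12:8080         0.0.0.0:0              LISTENING       2716
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1208
  TCP    10.0.5.12:445          10.0.5.40:52022        ESTABLISHED     4
"""

# Constructed PID -> image name map, as tasklist would report it.
SAMPLE_PIDS = {
    908: "svchost.exe",
    4120: "ERemoteServer.exe",
    3308: "AxedaDesktopServer.exe",
    2716: "xGate.exe",
    1208: "svchost.exe",
}


def split_endpoint(endpoint):
    """Split '10.0.5.12:8080' or '[::]:5900' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; False for wildcard and LAN addresses."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_listeners(netstat_text):
    """Yield (ip, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ip, port = split_endpoint(m.group(1))
            yield ip, port, int(m.group(2))


def find_exposed_axeda_listeners(netstat_text, pid_to_name):
    """Return one finding per Axeda socket bound to a non-loopback address.

    Sockets on 127.0.0.1 or ::1 satisfy the localhost-only mitigation and are
    not reported. Findings keep netstat order.
    """
    findings = []
    for ip, port, pid in parse_listeners(netstat_text):
        name = pid_to_name.get(pid, "").lower()
        if name not in AXEDA_PROCESSES or is_loopback(ip):
            continue
        if ip in ("0.0.0.0", "::"):
            note = "bound to all interfaces"
        else:
            note = "bound to a network interface"
        if name == "eremoteserver.exe" and port in EREMOTESERVER_PORTS:
            note += "; ERemoteServer.exe should not be present on a production host"
        findings.append({"process": name, "ip": ip, "port": port, "pid": pid, "note": note})
    return findings


if __name__ == "__main__":
    for f in find_exposed_axeda_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"{f['process']} (pid {f['pid']}) listening on {f['ip']}:{f['port']}: {f['note']}")
```

On a live host, replace the constructed strings with the real `netstat -ano` output and a PID map built from `tasklist /fo csv`; the 127.0.0.1:3077 line in the sample shows the state every Axeda socket should be in after the localhost-only change. The check only tells you what the host itself exposes, so the firewall rule restricting ports 3076 and 3077 to trusted hosts still has to be verified separately from a second machine.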
