Forescout’s Vedere Labs, in partnership with CyberMDX, has discovered a set of seven new vulnerabilities affecting PTC’s Axeda agent, which we are collectively calling Access:7. Three of the vulnerabilities were rated critical by CISA, as they could enable hackers to remotely execute malicious code and take full control of devices, access sensitive data or alter configurations in impacted devices.
The Axeda solution enables device manufacturers to remotely access and manage connected devices. The affected agent is most popular in healthcare but is also present in other industries, such as financial services and manufacturing. A detailed list of 150+ potentially affected devices from 100+ vendors highlights the significance of the vulnerabilities. The list contains several medical imaging and laboratory devices.
IoT devices use a wide variety of operating systems, hardware and software. Typically, IoT manufacturers do not allow customers to install software, including security agents, on their devices. In the case of Access:7, PTC depends on IoT manufacturers to install the Axeda agent before their IoT devices are sold to customers in what is typically called an original equipment manufacturer (OEM) approach.
The table below shows the newly discovered vulnerabilities. Rows are colored according to the CVSS score: yellow for medium or high and red for critical.
|CVE ID|Description|Potential Impact|CVSSv3.1 Score|
|---|---|---|---|
|CVE-2022-25249|The Axeda xGate.exe agent allows for unrestricted file system read access via a directory traversal on its web server.|Information disclosure|7.5|
|CVE-2022-25250|The Axeda xGate.exe agent can be shut down remotely by an unauthenticated attacker via an undocumented command.|DoS|7.5|
|CVE-2022-25251|The Axeda xGate.exe agent supports a set of unauthenticated commands to retrieve information about a device and modify the agent’s configuration.|RCE|9.4|
|CVE-2022-25246|The AxedaDesktopServer.exe service uses hard-coded credentials to enable full remote control of a device.|RCE|9.8|
|CVE-2022-25248|The ERemoteServer.exe service exposes a live event text log to unauthenticated attackers.|Information disclosure|5.3|
|CVE-2022-25247|The ERemoteServer.exe service allows for full file-system access and remote code execution.|RCE|9.8|
|CVE-2022-25252|All Axeda services using xBase39.dll can be crashed due to a buffer overflow when processing requests.|DoS|7.5|
All versions of the Axeda Agent below 6.9.3 are affected, and Axeda has released patches for all the vulnerabilities. More details about the vulnerabilities and their exploitation are available in our technical report.
Impact of Access:7 supply chain vulnerabilities on IoT devices
Forescout has populated a list of more than 100 vendors and 150 devices that use the Axeda solution. Using anonymized customer data in the Vedere Labs Global Cyber Intelligence Dashboard, we have seen more than 2,000 unique devices running Axeda on their networks. By examining these sources, we could learn about the potential impact of the vulnerabilities.
The figure below illustrates the distribution of vendors in our device lake that use Axeda. More than one-half of those (55%) belong to the healthcare industry, followed by almost one-quarter (24%) developing IoT solutions.
From a device deployment perspective, again we see that more than one-half (54%) of the customers with devices running Axeda are in the healthcare sector.
The figure below illustrates the distribution of medical device types running Axeda. The agent was found to be more popular in imaging (36%) and lab (31%) machines than in any other type.
Axeda was developed as a cloud platform for IoT devices; therefore, it is found in a variety of applications beyond healthcare. Vulnerable devices used in other industries include ATMs, vending machines, cash management systems, label printers, barcode scanning systems, SCADA systems, asset monitoring and tracking solutions, IoT gateways and machines such as industrial cutters.
Access:7 mitigation recommendations for network operators
Complete protection against Access:7 requires patching devices running the vulnerable versions of the Axeda components. PTC has released its official patches, and device manufacturers using this software should provide their own updates to customers.
In the technical report, we discuss mitigation strategies for device manufacturers. For network operators, we recommend the following:
- Discover and inventory devices running Axeda. A constantly updated list of affected device models can be found here.
- Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones if they cannot be patched or until they can be patched. In particular, consider blocking one or more of the vulnerable ports listed below for use on any of the affected devices in your organization. The port numbers are listed with their default values; however, they may be configured differently by manufacturers.
|CVE|Port Numbers|Description|
|---|---|---|
|CVE-2022-25249|56120, 56130|Web server of main agent service|
|CVE-2022-25250|3011|Main agent service shutdown signal|
|CVE-2022-25251|3031|Main agent service configuration|
|CVE-2022-25246|5920, 5820|VNC agent|
|CVE-2022-25248|3077|Event log used in deployment configuration|
|CVE-2022-25247|3076|Code execution and filesystem access used in deployment configuration|
- Monitor progressive patches released by affected device manufacturers and devise a remediation plan for your vulnerable asset inventory, balancing business risk and business continuity requirements.
- Monitor all network traffic for malicious packets that try to exploit these vulnerabilities. Block known malicious traffic or at least alert network operators of its presence.
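The segmentation and monitoring recommendations above can be verified against flow records. The following Python script is an added example, not Forescout or PTC code: it flags connections that reach a default Axeda port on an inventoried device from outside an approved management zone. The CSV layout (`src,dst,dport`), the device inventory and the allowed subnet are constructed assumptions; only the port-to-CVE mapping comes from the table above.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Default Axeda ports from the table above; manufacturers may reconfigure them.
AXEDA_PORTS = {
    56120: "CVE-2022-25249", 56130: "CVE-2022-25249",
    3011: "CVE-2022-25250",
    3031: "CVE-2022-25251",
    5920: "CVE-2022-25246", 5820: "CVE-2022-25246",
    3077: "CVE-2022-25248",
    3076: "CVE-2022-25247",
}

def audit_flows(flow_csv, axeda_devices, allowed_sources):
    """Return {device_ip: {(src_ip, dst_port, cve), ...}} for flows that reach a
    default Axeda port on an inventoried device from outside the allowed zones."""
    devices = {ipaddress.ip_address(d) for d in axeda_devices}
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"].strip())
            dst = ipaddress.ip_address(row["dst"].strip())
            port = int(row["dport"])
        except (KeyError, ValueError, AttributeError, TypeError):
            continue  # skip malformed records rather than abort the audit
        if dst not in devices or port not in AXEDA_PORTS:
            continue
        if any(src in net for net in allowed):
            continue  # expected traffic from the management zone
        findings[str(dst)].add((str(src), port, AXEDA_PORTS[port]))
    return dict(findings)

# Constructed sample flow export (hypothetical addresses), columns: src,dst,dport
SAMPLE_FLOWS = """src,dst,dport
10.20.0.5,10.50.1.10,3031
192.0.2.44,10.50.1.10,3076
10.30.7.9,10.50.1.11,5920
10.30.7.9,10.50.1.11,443
10.30.7.9,10.50.9.9,3011
bad,10.50.1.10,3011
"""

if __name__ == "__main__":
    result = audit_flows(SAMPLE_FLOWS, ["10.50.1.10", "10.50.1.11"], ["10.20.0.0/24"])
    for device, hits in sorted(result.items()):
        for src, port, cve in sorted(hits):
            print(f"{device}: {src} -> port {port} ({cve})")
```

Because the ports are defaults, confirm the values actually configured on each device model before treating an empty result as evidence of isolation.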
How Forescout can help
With the recent acquisition of CyberMDX, Forescout healthcare customers can use CyberMDX’s solution to identify vulnerable medical and IoT devices. The solution automatically detects the medical assets within your network and organizes them in an accessible inventory listing. Assets affected by Access:7 will appear in the Vulnerabilities Cyber Risks screen. Using the CyberMDX Control Center, customers can also track the number of affected devices and follow the progress of remediation.
The Forescout platform also protects against Access:7 vulnerabilities as follows:
eyeSight uses the Security Policy Templates (SPTs) module to identify and group vulnerable and potentially vulnerable devices. A new version of the SPT package, which can identify devices vulnerable to Access:7, can be downloaded here.
eyeInspect uses a new Access:7 Monitor script to identify vulnerable devices and detect exploitation attempts against them. The figure below shows the alert raised by eyeInspect when it detects an exploitation attempt against CVE-2022-25247.
Access:7 security advisories
Find up-to-date information about impacted vendors and devices on the following links:
- PTC advisory
- CyberMDX page
- ICS-CERT advisory (will be updated at 11am ET 3/8/22)