The Hacker News

Critical "Access:7" Supply Chain Vulnerabilities Impact ATMs, Medical and IoT Devices

As many as seven security vulnerabilities have been disclosed in PTC's Axeda software that could be weaponized to gain unauthorized access to medical and IoT devices.

Collectively called "Access:7," the weaknesses – three of which are rated Critical in severity – potentially affect more than 150 device models spanning over 100 different manufacturers, posing a significant supply chain risk.

PTC's Axeda solution includes a cloud platform that allows device manufacturers to establish connectivity to remotely monitor, manage and service a wide range of connected machines, sensors, and devices via what's called the agent, which is installed by the OEMs before the devices are sold to customers.

"Access:7 could enable hackers to remotely execute malicious code, access sensitive data, or alter configuration on medical and IoT devices running PTC's Axeda remote code and management agent," researchers from Forescout and CyberMDX said in a joint report published today.

Of the 100 impacted device vendors, 55% belong to the healthcare sector, followed by IoT (24%), IT (8%), financial services (5%), and manufacturing (4%) industries. No less than 54% of the customers with devices running Axeda have been identified in the healthcare sector.

Besides medical imaging and laboratory machines, vulnerable devices include everything from ATMs, vending machines, cash management systems, and label printers to barcode scanning systems, SCADA systems, asset monitoring and tracking solutions, IoT gateways, and industrial cutters.

The list of flaws is below –

Successful exploitation of the flaws could equip attackers with capabilities to remotely execute malicious code to take full control of devices, access sensitive data, modify configurations, and shut down specific services in the impacted devices.

The flaws, which affect all versions of the Axeda Agent prior to 6.9.3, were reported to PTC on August 10, 2021, as part of a coordinated disclosure process that involved the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Health Information Sharing and Analysis Center (H-ISAC), and the Food and Drug Administration (FDA).

To mitigate the flaws and prevent possible exploitation, users are recommended to upgrade to Axeda agent version 6.9.1 build 1046, 6.9.2 build 1049, or 6.9.3 build 1051.
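The remediation guidance above combines a minimum release (6.9.3) with backported fixes in specific 6.9.1 and 6.9.2 builds, so a plain "version is older than 6.9.3" check would wrongly flag patched devices. The following added example (not code from the report or from PTC) triages a constructed device inventory against exactly those fixed builds; the version-string format "6.9.2 build 1040" and the device names are assumptions.

```python
import re
from typing import NamedTuple

# Fixed builds named in the advisory: the earliest build of each 6.9.x line that carries the fix.
FIXED_BUILDS = {(6, 9, 1): 1046, (6, 9, 2): 1049, (6, 9, 3): 1051}
MIN_FIXED_RELEASE = (6, 9, 3)  # assumption: every release after 6.9.3 ships the fix


class AgentVersion(NamedTuple):
    release: tuple  # (major, minor, patch)
    build: int      # 0 when the inventory does not record a build number


# Assumed format, e.g. "6.9.2 build 1040"; the real agent may report its version differently.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:build\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Axeda agent version string: {text!r}")
    major, minor, patch, build = m.groups()
    return AgentVersion((int(major), int(minor), int(patch)), int(build) if build else 0)


def is_fixed(v):
    """True when the agent runs a fixed build of 6.9.1/6.9.2/6.9.3 or any later release."""
    fixed_build = FIXED_BUILDS.get(v.release)
    if fixed_build is not None:
        return v.build >= fixed_build      # unknown build (0) is treated as unpatched
    return v.release >= MIN_FIXED_RELEASE  # 6.9.0 and older 6.x lines have no fixed build


def triage(inventory):
    """Return (device, version, status) per entry; unparsable versions are reported as 'unknown'."""
    results = []
    for device, version_text in inventory:
        try:
            status = "fixed" if is_fixed(parse_version(version_text)) else "needs upgrade"
        except ValueError:
            status = "unknown"
        results.append((device, version_text, status))
    return results


# Constructed sample inventory; device names and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("imaging-ws-01", "6.9.2 build 1049"),
    ("imaging-ws-02", "6.9.2 build 1040"),
    ("lab-analyzer-07", "6.9.1 build 1046"),
    ("atm-kiosk-12", "6.8.5 build 980"),
    ("label-printer-03", "6.9.3 build 1051"),
    ("gateway-09", "unknown"),
]

if __name__ == "__main__":
    for device, version, status in triage(SAMPLE_INVENTORY):
        print(f"{device:18} {version:18} {status}")
```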

This is not the first time critical security vulnerabilities primarily affecting healthcare systems have come to light. In December 2020, CyberMDX disclosed "MDhex-Ray," a severe flaw in GE Healthcare's CT, X-Ray, and MRI imaging products that could result in the exposure of protected health information.

"Access:7 affects a solution sold to device manufacturers that did not develop their in-house remote servicing system," the researchers said. "This makes it a supply chain vulnerability and hence it affects many downstream manufacturers and devices."

📰 News Stories from 08 Mar, 2022