Serious supply chain threat posed to downstream medical devices in particular

Critical Axeda vulnerabilities pose takeover risk to hundreds of IoT devices

More than 150 internet of things (IoT) devices used for commercial applications could be at risk of malicious takeover due to critical vulnerabilities in connected device management platform Axeda.

Discovered by security researchers at Forescout’s Vedere Labs and CyberMDX, the trio of remote code execution (RCE) flaws could also allow attackers to access sensitive data or reconfigure affected devices.

A majority of devices affected by these and four other, lower severity bugs – collectively dubbed ‘Access:7’ – are used for medical applications.

Axeda, which is owned by Massachusetts-based industrial IoT software company PTC, has patched all seven flaws in Axeda Agent version 6.9.3. All previous versions are vulnerable.
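For defenders who need to find exposed devices before vendors ship updates, the article gives one concrete criterion: any Axeda Agent older than 6.9.3 is vulnerable. The script below is an added illustration (not code from Forescout, CyberMDX or PTC) that triages a constructed asset inventory against that threshold; the hostnames, product labels and versions are made up, and the inventory format is an assumption. It compares versions numerically so that a 6.10.x build is not mis-ranked below 6.9.3, and it reports unparsable versions as "unknown" rather than silently treating them as safe.

```python
"""Flag inventory entries running an Axeda Agent older than 6.9.3.

Added illustration for this article; the inventory rows below are
constructed sample data, and the row layout is an assumption.
"""
import re

# First fixed Axeda Agent release named in the advisory; everything below is vulnerable.
PATCHED_VERSION = (6, 9, 3)

# Constructed sample inventory (hostname, product, version reported by the asset tool).
SAMPLE_INVENTORY = [
    {"host": "imaging-01",     "product": "Axeda Agent", "version": "6.9.3"},
    {"host": "lab-analyzer-7", "product": "Axeda Agent", "version": "6.8.1"},
    {"host": "gateway-2",      "product": "Axeda Agent", "version": "6.10.0"},
    {"host": "atm-kiosk",      "product": "Axeda Agent", "version": "unknown"},
    {"host": "printer-3",      "product": "Other Agent", "version": "1.2"},
]


def parse_version(text):
    """Return an (X, Y, Z) integer tuple for a dotted version, or None if unparsable.

    Numeric comparison matters: a plain string compare would rank "6.10.0"
    below "6.9.3" and wrongly flag a newer build as vulnerable.
    """
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def classify(entry):
    """Classify one inventory row: 'vulnerable', 'patched', 'unknown' or 'n/a'.

    'unknown' (version missing or unparsable) is deliberately kept separate so
    those devices get investigated instead of being assumed safe.
    """
    if entry.get("product") != "Axeda Agent":
        return "n/a"
    version = parse_version(entry.get("version"))
    if version is None:
        return "unknown"
    return "patched" if version >= PATCHED_VERSION else "vulnerable"


def triage(inventory):
    """Group Axeda hosts by status; non-Axeda rows are dropped."""
    groups = {"vulnerable": [], "patched": [], "unknown": []}
    for entry in inventory:
        status = classify(entry)
        if status in groups:
            groups[status].append(entry["host"])
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Run as-is to see the sample triage; point `triage()` at rows exported from a real asset inventory to use it for real.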

Attack surface

More than half of the affected devices (54%), developed by more than 100 vendors, are deployed in the healthcare industry, and medical devices are most commonly used for imaging (36%) and lab (31%) applications, according to a Forescout blog post published yesterday (March 8).

Another 24% are IoT solutions.

Affected devices are also used for applications such as ATMs, vending machines, cash management systems, label printers, barcode scanning systems, SCADA systems, asset monitoring and tracking solutions, IoT gateways, and industrial cutters.

Forescout, which provides cybersecurity services for the ‘enterprise of things’, said it had identified more than 2,000 devices running Axeda on customer networks.

Bug breakdown

The two most severe RCE vulnerabilities, both notching CVSS scores of 9.8, relate to the use of hardcoded credentials by the AxedaDesktopServer.exe service (CVE-2022-25246) and a flaw in the ERemoteServer.exe service allowing for full file system access (CVE-2022-25247).

With a CVSS score of 9.4, the other critical bug arose because the Axeda xGate.exe agent permits unauthenticated commands that retrieve information about a device and modify the agent’s configuration (CVE-2022-25251).

A quartet of medium severity issues include denial of service (CVE-2022-25250) and information disclosure via directory traversal (CVE-2022-25249) flaws affecting the Axeda xGate.exe agent; a separate denial of service exploit that causes Axeda services using xBase39.dll to crash (CVE-2022-25252); and an information disclosure bug in the ERemoteServer.exe service (CVE-2022-25248).

‘Difficult to eradicate’

Device manufacturers using this software should provide their own updates to customers, while end users should patch vulnerable devices as soon as possible, advised Vedere Labs.

Vedere Labs has provided mitigation strategies for both device manufacturers and network operators in a technical report accompanying the blog post.

“We believe that the distribution of Axeda agents found across industry verticals is evidence that medical devices are being remotely serviced more often than other types of devices,” said Vedere Labs.

“This research also shows that several medical device vendors chose to adopt a third-party solution for servicing operations instead of developing this capability in-house.

“This research is further proof that vulnerabilities in supply chain components tend to become very widespread and are difficult to eradicate, something we had initially observed with Project Memoria.”