A new set of supply chain vulnerabilities has been discovered in PTC’s Axeda agent, affecting vendors across a range of industries, including healthcare and financial services. According to the company’s own description, Axeda offers a scalable foundation to build and deploy enterprise-grade applications for connected products, both wired and wireless.
Access:7 Vulnerabilities in PTC’s Axeda Agent (CVE-2022-25247)
The seven vulnerabilities have been collectively called Access:7, three of which have been rated critical by CISA, as they enable remote code execution and full device takeover. They could also allow hackers to access sensitive data or change the configurations of exposed devices.
Who discovered the Access:7 flaws? Forescout’s Vedere Labs, in partnership with CyberMDX.
What is Axeda? The solution is designed for device manufacturers to remotely access and manage connected devices. According to Forescout’s write-up, “the affected agent is most popular in healthcare but is also present in other industries, such as financial services and manufacturing.”
The list of potential targets includes more than 150 devices belonging to at least a hundred vendors, which makes the vulnerabilities’ impact quite significant. Moreover, some of the affected devices are medical imaging and laboratory devices.
Here is the list of the seven vulnerabilities, with the impact and a description of each:
- CVE-2022-25249 (Information Disclosure, rated 7.5): The Axeda xGate.exe agent allows unrestricted file system read access via a directory traversal on its web server.
- CVE-2022-25250 (Denial of Service, rated 7.5): The Axeda xGate.exe agent can be shut down remotely by an unauthenticated attacker via an undocumented command.
- CVE-2022-25251 (Remote Code Execution, rated 9.4): The Axeda xGate.exe agent supports a set of unauthenticated commands to retrieve information about a device and modify the agent’s configuration.
- CVE-2022-25246 (Remote Code Execution, rated 9.8): The AxedaDesktopServer.exe service uses hard-coded credentials to enable full remote control of a device.
- CVE-2022-25248 (Information Disclosure, rated 5.3): The ERemoteServer.exe service exposes a live event text log to unauthenticated attackers.
- CVE-2022-25247 (Remote Code Execution, rated 9.8): The ERemoteServer.exe service allows full file-system access and remote code execution.
- CVE-2022-25252 (Denial of Service, rated 7.5): All Axeda services using xBase39.dll can be crashed due to a buffer overflow when processing requests.
A list of affected devices and vendors is also available, including names such as AT&T, Abbott, Alcon, ARM, Bayer, Brainlab, Broadcom, Dell, Eurotech, Hitachi, HP, Medtronic, Philips, and Qualcomm.
A technical report is also available, including recommendations and mitigations for affected parties.
Last year, security researchers Dan Petro and Allan Cecil from Bishop Fox Labs shared their findings regarding an RNG vulnerability in the foundation of IoT (Internet of Things) security. The critical flaw resided in hardware random number generators (RNGs), affecting 35 billion devices worldwide.