More than 150 Internet of Things (IoT) devices — including many that are used in the healthcare sector — from over 100 companies are at heightened risk of attack from a set of seven vulnerabilities in a third-party remote access component in the devices.
Three of the bugs are rated as critical because they enable attackers to remotely execute malicious code on vulnerable devices to take full control of them. The remaining vulnerabilities have moderate to high severity ratings and give attackers a way to steal data or to execute denial-of-service attacks.
The vulnerabilities are present in multiple versions of PTC Axeda agent and PTC Desktop Server — technologies that many IoT vendors incorporate in their devices to enable remote access and management. Researchers from Forescout's Vedere Labs and CyberMDX who discovered the vulnerabilities are tracking them collectively as "Access:7."
In a report summarizing their findings this week, the researchers described the buggy component as especially prevalent in Internet-connected devices used in the healthcare sector, such as medical imaging, lab, radiotherapy, and surgical technologies. Forescout said an anonymized scan of its customer networks uncovered some 2,000 unique devices with vulnerable versions of Axeda on them. Of that, 55% were deployed in healthcare organizations, 24% in organizations developing IoT products, 8% in IT, 5% in financial services environments, 4% in manufacturing, and 4% across other verticals.
Among the affected devices — besides healthcare-related technologies — are ATMs, SCADA systems, vending machines, cash management systems, IoT gateways, and asset monitoring technologies. All versions of the Axeda technology below 6.9.3 are affected and PTC has released patches for all the vulnerabilities, Forescout said.
Daniel dos Santos, head of security research at Forescout, says the vulnerabilities are proof that remote management tools present a danger not just in the IT world — as shown by attacks like the one on Kaseya last year — but also for IoT and Internet-connected medical technologies.
"So, it's important that organizations have an inventory of devices that are being remotely managed and understand how they are managed," he says. "Organizations should first identify the vulnerable devices in the network, then make sure they are not exposed to these vulnerabilities by segmenting their networks and limiting traffic on the vulnerable ports." They should then patch the devices, when possible, dos Santos says.
The set of seven vulnerabilities that Forescout and CyberMDX discovered include those stemming from the use of hard-coded credentials, missing authentication, improper limitation of a pathname, and improper check or handling of exceptions.
The three, critical remote code execution bugs that the vendors reported to PTC are CVE-2022-25251 in the Axeda xGate.exe agent, CVE-2022-25246 in AxedaDesktopServer.exe, and CVE-2022-25247 in ERemoteServer.exe service.
The vulnerabilities affect different components of the agent, Dos Santos says. This includes a configuration tool, which should not be present on production devices, a desktop server tool, a gateway component and a shared library. "So, it’s possible — and often the case — that not all vulnerabilities will be present on a device," he says.
The most common vulnerabilities will be the ones affecting the gateway and library. They are: CVE-2022-25249, CVE-2022-25250; CVE-2022-25251 and CVE-2022-25252, dos Santos says.
A US Cybersecurity and Infrastructure Agency (CISA) advisory described the Access:7 vulnerabilities as affecting organizations in multiple critical infrastructure sectors in the US and around the world. "Successful exploitation of these vulnerabilities — collectively known as 'Access:7' — could result in full system access, remote code execution, read/change configuration, file system read access, log information access, or a denial-of-service condition," CISA said.
Dos Santos says the exposure to potential attacks that organizations face from the vulnerabilities will depend on the sectors within which they operate. Healthcare organizations are likely to have more physical exposure than other sectors because there are lots of public spaces in hospital environments and a lot of interactions with patients that require the use of IT systems. "However, medical devices are rarely exposed to the Internet, which is more common in other sectors, such as financial services," he says.
Dos Santos says attackers would need to have some kind of prior local access to a network in order to exploit the Access:7 vulnerabilities. But for attackers that have local access — via phishing or by exploiting another vulnerability, for instance — the flaws are easy to exploit, he says. The devices can be identified on the network by specific open ports or network fingerprints, such as HTTP banners, which is also not difficult.
"The types of attacks that can be carried out with these vulnerabilities are the same across organizations, but their impact is different," Dos Santos says. "For instance, a data exfiltration in healthcare has a different impact than a data exfiltration in a financial services organization."
Forescout has published a technical report containing full details of the flaws and also a blog post on it as well.
The Access:7 vulnerabilities are another reminder of the often-underestimated risk that organizations face from non-IT devices connected to the Internet. Just this week, another vendor, Armis, disclosed a set of three critical zero-day vulnerabilities in smart-UPS devices from APC, a subsidiary of Schneider Electric. Over 20 million UPS devices — which are used as power backups — worldwide, dating back to 2005, are believed to contain the vulnerabilities which Armis is collectively referring to as TLStorm.
If exploited, the vulnerabilities would allow a remote attacker to take complete control of APCs SmartUPS device and carry out a range of malicious activities including turning the devices on and off or physically destroying the system. Armis, for instance, said it was able to exploit the flaws to cause a vulnerable UPS device to ignite and spew smoke.
Barak Hadad, head of Research at Armis, says since the vulnerabilities can be exploited remotely, in some scenarios attackers would be able to use them to gain entry into the internal corporate network. "After entering the network, the attacker can issue all sorts of attacks, including ransomware or deliberate sabotage," he says. "Since UPS devices are safeguarding mission-critical devices from power failure, taking down a UPS can have severe implications."
According to Hadad, the damage that attackers can do via the exploit will likely vary. "Physical exploitation requires some level of understanding of the inner workings of the UPS," he notes. "Turning the UPS on or off was fairly easy but changing the waveform or making it catch smoke required a deeper level of understanding."