Feds Warn of 7 Flaws Affecting Medical Devices, IoT Gear'Access:7' Vulnerabilities Could Allow Hackers to Control, Manipulate Devices
Federal authorities are warning about a set of seven vulnerabilities affecting a software agent used for the remote management of an array of medical devices and other connected devices used in other industries. If exploited, the flaws could enable attackers to take full control of devices, access sensitive data or alter configurations in affected devices.
The flaws affect all versions of software vendor PTC's Axeda agent and Axeda Desktop Server for Windows, which are remote asset connectivity software used as part of a cloud-based IoT platform, the regulators say.
The group of flaws - dubbed "Access:7" - are also the subject of a new report issued on Tuesday by security researchers at Forescout’s Vedere Labs and CyberMDX, which discovered the vulnerabilities. Forescout acquired CyberMDX last month.
The researchers estimate that "hundreds of thousands" of devices globally could be affected by the vulnerabilities.
PTC in an advisory about the flaws on its website says it has no indication that any of these vulnerabilities has been or is being exploited.
CISA in its alert says the vulnerabilities include:
- Use of hard-coded credentials;
- Missing authentication for critical function;
- Exposure of sensitive information to an unauthorized actor;
- Path traversal;
- Improper check or handling of exceptional conditions.
Three of the vulnerabilities are rated critical by CISA because they could enable hackers to remotely execute malicious code and take full control of devices, access sensitive data or alter configurations in affected devices, the Forescout research report says.
The affected Axeda software are web-based technologies that enable device manufacturers to remotely access and manage connected devices. "The affected agent is most popular in healthcare but is also present in other industries, such as financial services and manufacturing," the researchers' report says.
Range of Devices Affected
The problems potentially affect more than 150 different devices - including medical imaging and laboratory equipment - from more than 100 vendors, the researchers say.
A Forescout spokesman says the vulnerabilities affect 17.8 million "unique device profiles" globally.
Daniel dos Santos, head of security research at Forescout, tells Information Security Media Group: "Although we do not have a precise number of vulnerable device instances in the world, we have observed close to 2,000 instances on data from customer networks. Based on past experiences with vulnerability disclosure, we can safely assume that will translate into hundreds of thousands of instances in the wild."
According to Forescout, besides medical devices in the healthcare sector, devices used in other industries that are also vulnerable to the flaws include:
- Vending machines;
- Cash management systems;
- Label printers;
- Barcode scanning systems;
- SCADA systems;
- Asset monitoring and tracking solutions;
- IoT gateways;
- Machines such as industrial cutters
"IoT devices use a wide variety of operating systems, hardware and software," Forescout says. "Typically, IoT manufacturers do not allow customers to install software, including security agents, on their devices. In the case of Access:7, PTC depends on IoT manufacturers to install the Axeda agent before their IoT devices are sold to customers" in an original equipment manufacturer approach, the report says.
The FDA in its alert says successful exploitation of the vulnerabilities could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access and a denial-of-service condition.
"Depending on its use in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality," the FDA says.
The CISA and FDA alerts say that to mitigate the vulnerabilities, PTC recommends that affected manufacturers take steps, including:
- Upgrade to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
- Configure Axeda agent and Axeda Desktop Server to only listen on the local host interface 127.0.0.1.
- Provide a unique password in the AxedaDesktop.ini file for each unit.
- Never use ERemoteServer in production.
- Delete ERemoteServer file from host device.
- Remove the installation file.
- Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.
- Upgrade the Axeda Desktop Server to Version 6.9 build 215. The Axeda agent loopback-only configuration is only available in Version 6.9.1 and above. Upgrading to Axeda agent 6.9.1 or above is required.
ForeScout says PTC has released patches, and device manufacturers using the affected software should provide their own updates to customers.
PTC did not immediately respond to ISMG's request for comment on the vulnerabilities.
Supply Chain Woes
The PTC Axeda software vulnerabilities are among the latest cybersecurity flaws involving supply chain vendors and third-party software components used across healthcare and many other industries.
In December, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center also warned healthcare and public health sector entities of potential threats involving flaws in the Apache Log4j logging library.
In response to the recent rash of security issues involving third-party components, some healthcare industry leaders are renewing calls for software bills of materials to become a standard practice among medical technology suppliers.
"The environments that healthcare entities work in are extremely complex, with thousands, tens of thousands and potentially hundreds of thousands of network connections," Curt Miller, executive director of the Healthcare Supply Chain Association's Committee for Healthcare eStandards, said in a recent interview with ISMG.
"If they're not aware of what's connected to the network and what's involved in those connections, that's a potential threat that they can't deal with," he said.