Critical Flaws in Remote Management Agent Affect Thousands of Medical Devices


Critical vulnerabilities in a software agent used for remote management could allow hackers to execute malicious code and commands on thousands of medical devices and other types of devices in healthcare, manufacturing and other sectors. Fixes have been released by the software agent developer, but most affected device vendors will need to release their own updates.

In the meantime, users should mitigate the risk by performing network segmentation and blocking some of the communication ports that can be used to exploit vulnerabilities.

Seven vulnerabilities in the Axeda platform

Seven flaws ranging in severity from critical to medium have been discovered in the Axeda platform by researchers from Forescout and CyberMDX. Axeda was a standalone solution, but is now owned by software and IT services company PTC, which develops solutions for the industrial IoT market.

The Axeda platform is composed of a server, cloud-based or on-premises, and multiple software agents that enable remote asset management and monitoring. These agents have versions for Windows and Linux and are usually integrated by device manufacturers directly into their products.

Forescout has identified over 150 potentially vulnerable devices using Axeda from over 100 different manufacturers. More than half of the devices are used in healthcare, especially laboratory equipment, surgical equipment, infusion systems, radiotherapy, imaging, etc. Others have been found in financial services, retail, manufacturing and other industries and include ATMs, vending machines, cash management systems, label printers, barcode scanning systems, SCADA systems, asset monitoring and tracking solutions, IoT gateways and machinery such as industrial cutters.

The seven vulnerabilities, which Forescout dubbed Access:7, include three critical ones that can lead to remote code execution. A vulnerability (CVE-2022-25251) arises from unauthenticated commands present in the Axeda xGate.exe agent that allow an attacker to retrieve information about a device and modify the configuration of the agent. By modifying the configuration, an attacker could direct the agent to a server they control and hijack the functionality.

Another critical flaw (CVE-2022-25246) is in the AxedaDesktopServer.exe component, which is based on the UltraVNC remote desktop tool. This service is not enabled in all cases, but when enabled it uses a hard-coded password.

The component itself is not sourced from PTC with hard-coded credentials, but rather must be defined during deployment by the vendor. What often happens is that some vendors set the same password for their entire product line, Daniel dos Santos, head of security research at Forescout, told CSO. So not all devices in the world using Axeda will have the same password, but devices of a certain type from the same vendor might.

The third critical vulnerability (CVE-2022-25247) is in another Axeda component called ERemoteServer.exe. This is a deployment tool that should only be used by the vendor when configuring an agent for a product line, but in some cases the tool is not removed afterwards and is deployed with the agent.

The protocol supported by the ERemoteServer service on port 3076 supports the following actions: upload a file to the device, download a file from the device, run a program, request directory/file information, shut down ERemoteServer, shut down xGate, and retrieve the Axeda agent version, the researchers explain. These actions allow remote code execution.

Other vulnerabilities include CVE-2022-25252, a denial of service issue in the xBase39.dll library that can cause the agent service to crash via a malicious request; CVE-2022-25248, information leak via live event log provided by ERemoteServer without authentication on port 3077; CVE-2022-25250, a denial of service issue that stems from xGate accepting certain commands on port 3011 without authentication; and CVE-2022-25249, a directory traversal flaw in the web service provided by xGate on ports 56120 and 56130 that could allow an attacker to read any file on disk to which the agent has access.

Exploitation of these vulnerabilities requires an attacker to be on the same network segment as the vulnerable devices, but this can be achieved in a number of ways, from infecting a workstation via spear phishing to exploiting vulnerabilities in publicly exposed services and then moving laterally.

In the healthcare industry, there are many potential attack vectors, including guest Wi-Fi networks, network outlets and network-connected devices that visitors can access, public portals used for appointments or data sharing, etc., the Forescout researchers said in their report.

Mitigating Axeda vulnerabilities

PTC has released updated versions of the agent software, but most users will have to wait for their device manufacturers to release updates. The updated agent versions are 6.9.1 build 1046, 6.9.2 build 1049, and 6.9.3 build 1051. Device vendors must also configure the Axeda agent and ADS service to listen only on the localhost interface (127.0.0.1) so that no ports are exposed on the local network, and remove all deployment utilities from production devices.

Users should scan and inventory all of their devices that run Axeda agents, then apply appropriate network segmentation to prevent communication with unauthorized systems or servers. They should also consider blocking some of the ports if the functionality provided through them is not needed: 56120 and 56130, the web service for the Axeda agent; 3011, which can be used to send a stop signal to the agent; 3031, for agent configuration; 5920 and 5820, for the optional VNC remote desktop service; 3077, for the event log, which is only meant to be used during deployment; and 3076, which provides code execution and filesystem access through the ERemoteServer deployment tool.

“If you don’t need them enabled, it’s easier to monitor traffic on those ports, because you should expect a very steady type of traffic there,” dos Santos says. “So I think on the bright side, even if the patch is hard, the mitigation is more immediate in this case.”
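The port list above and dos Santos' point that traffic on those ports is easy to monitor translate directly into a passive detection rule. The following is an added example (not code from Forescout, PTC or CSO) that reads a constructed connection log in a simple "timestamp src sport dst dport proto" format and applies two checks drawn from the article: the deployment-only ports 3076 and 3077 should carry no traffic at all on production devices, and the remaining Axeda ports should only be reached from an allowlisted management network. The severity labels, the log format, the management network 10.20.1.0/24 and the device addresses are all assumptions made for the example.

```python
"""Passive detection of unexpected traffic to Axeda agent ports.

Added example, not code from Forescout, PTC or CSO. The log format, host
addresses and severity labels are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Port roles as listed in the article. The severity labels are this example's
# own reading of the article (assumption), not an official rating.
AXEDA_PORTS = {
    3076: ("ERemoteServer deployment tool: file transfer, run program", "critical"),
    3077: ("ERemoteServer live event log (deployment only)", "high"),
    5820: ("optional VNC remote desktop (AxedaDesktopServer)", "critical"),
    5920: ("optional VNC remote desktop (AxedaDesktopServer)", "critical"),
    3031: ("xGate agent configuration", "critical"),
    3011: ("xGate stop signal", "high"),
    56120: ("xGate web service", "high"),
    56130: ("xGate web service", "high"),
}
# Ports that exist only for vendor deployment: any traffic at all is a finding.
DEPLOYMENT_ONLY_PORTS = {3076, 3077}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Parse 'ts src sport dst dport proto'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(dport), proto.lower()
    except ValueError:
        return None


def analyze(lines: Iterable[str], allowed_sources: Iterable[str]) -> List[Finding]:
    """Return findings for TCP connections to Axeda ports that break policy."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_sources]
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip malformed records rather than aborting the run
        ts, src, dst, dport, proto = parsed
        if proto != "tcp" or dport not in AXEDA_PORTS:
            continue
        role, severity = AXEDA_PORTS[dport]
        src_ip = ipaddress.ip_address(src)
        if dport in DEPLOYMENT_ONLY_PORTS:
            # Deployment utilities should have been removed from production
            # devices, so even the management network must not be talking here.
            findings.append(Finding(ts, src, dst, dport, severity,
                                    f"traffic to deployment-only port ({role})"))
        elif not any(src_ip in net for net in allowed):
            findings.append(Finding(ts, src, dst, dport, severity,
                                    f"non-allowlisted source reached {role}"))
    return findings


def devices_by_worst_severity(findings: Iterable[Finding]) -> Dict[str, str]:
    """Map each destination device to the highest severity seen against it."""
    rank = {"critical": 3, "high": 2, "medium": 1}
    worst: Dict[str, str] = {}
    for f in findings:
        current = worst.get(f.dst)
        if current is None or rank[f.severity] > rank[current]:
            worst[f.dst] = f.severity
    return worst


# Constructed sample log: one management host (10.20.1.5) and one ordinary
# workstation (10.20.5.17) talking to two lab devices (10.20.8.40, 10.20.8.41).
SAMPLE_LOG = """\
2022-03-08T10:15:02Z 10.20.1.5 51000 10.20.8.40 3031 tcp
2022-03-08T10:15:09Z 10.20.5.17 49210 10.20.8.40 3076 tcp
2022-03-08T10:15:31Z 10.20.1.5 51002 10.20.8.41 3077 tcp
2022-03-08T10:16:04Z 10.20.5.17 49211 10.20.8.40 56120 tcp
2022-03-08T10:16:20Z 10.20.5.17 49212 10.20.8.40 443 tcp
this line is not a flow record
""".splitlines()

MANAGEMENT_NETS = ["10.20.1.0/24"]  # assumed allowlisted management network

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, MANAGEMENT_NETS):
        print(f"{f.severity:8} {f.ts} {f.src} -> {f.dst}:{f.port}  {f.reason}")
    print(devices_by_worst_severity(analyze(SAMPLE_LOG, MANAGEMENT_NETS)))
```

On the constructed sample the management host's configuration session on port 3031 is accepted, while the workstation's connections to 3076 and 56120 and even the management host's connection to the deployment-only event log port 3077 are reported. Feeding the same logic real flow or firewall logs gives a quick way to confirm that the port blocks described above are actually in effect and that no deployment utilities remain reachable on production devices.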

Forescout notified CISA, the Health Information Sharing and Analysis Center (H-ISAC), and the FDA. Disclosure coordination took 210 days and so far around 10 vendors have confirmed they may be affected, but the actual number is expected to be much higher.

Copyright © 2022 IDG Communications, Inc.
