Critical flaws in remote management agent impacts thousands of medical devices

Critical vulnerabilities in a software agent that’s used for remote management could allow hackers to execute malicious code and commands on thousands of medical and other types of devices from healthcare, manufacturing and other industries. Patches have been issued by the software agent’s developer, but most of the affected device vendors will need to release their own updates.

In the meantime, users should mitigate the risks by doing network segmentation and blocking some of the communication ports that can be used to exploit the vulnerabilities.

Seven vulnerabilities on the Axeda platform

Seven flaws ranging in severity from critical to medium were discovered in the Axeda platform by researchers from Forescout and CyberMDX. Axeda was a standalone solution, but is now owned by computer software and services company PTC, which develops solutions for the industrial IoT market.

The Axeda platform is made up of a server, cloud-based or on-premise, and several software agents that allow remote management and monitoring of assets. These agents have versions for both Windows and Linux and are usually integrated by device manufacturers directly into their products.

Forescout has identified over 150 potentially vulnerable devices using Axeda from over 100 different manufacturers. Over half of the devices are used in healthcare, specifically lab equipment, surgical equipment, infusion, radiotherapy, imaging and more. Others were found in the financial services, retail, manufacturing and other industries and include ATMs, vending machines, cash management systems, label printers, barcode scanning systems, SCADA systems, asset monitoring and tracking solutions, IoT gateways and machines such as industrial cutters.

The seven vulnerabilities, which Forescout has dubbed Access:7 include three critical ones that can result in remote code execution. One vulnerability (CVE-2022-25251) stems from unauthenticated commands present in the Axeda xGate.exe agent that allow an attacker to retrieve information about a device and change the agent’s configuration. By changing the configuration, an attacker could point the agent to a server they control and hijack the functionality.

Another critical flaw (CVE-2022-25246) is located in the AxedaDesktopServer.exe component, which is based on the UltraVNC remote desktop tool. This service is not enabled in every case, but where it is enabled it uses a hard-coded password.

The component itself doesn’t come from PTC with hard-coded credentials, but rather it must be set during deployment by the vendor. What often happens is that some vendors set the same password for their entire product line, Daniel dos Santos, the head of security research at Forescout, tells CSO. So, not all devices in the world using Axeda will have the same password, but devices of a certain type from the same vendor might.

The third critical vulnerability (​​CVE-2022-25247) is located in yet another Axeda component called EremoteServer.exe. This is a deployment tool that should only be used by the vendor when configuring an agent for a product line, but in some cases the tool is not deleted after this operation and is deployed along with the agent.

The protocol supported by the ERemoteServer service over port 3076 supports the following actions: download a file to the device, upload a file from the device, run program, query directory/file information, shutdown ERemoteServer, shutdown xGate, and retrieve the version of the Axeda agent, the researchers explain. These actions enable remote code execution.

Other vulnerabilities include CVE-2022-25252, a denial-of-service issue in the xBase39.dll library that can lead to an agent service crash through a malicious request; CVE-2022-25248, an information leak through the live event log provided by ERemoteServer with no authentication on port 3077; CVE-2022-25250, a denial-of-service issue that stems from xGate accepting certain commands on port 3011 without authentication; and CVE-2022-25249, a directory traversal flaw in the web service provided by xGate on ports 56120 and 56130 that could allow an attacker to read any file on disk that the agent has access to.

Exploiting these vulnerabilities requires an attacker to be on the same network segment as the vulnerable devices, but this can be achieved in many ways, from infecting a workstation via spear-phishing to exploiting vulnerabilities in publicly facing services and then performing lateral movement.

In the healthcare sector there are many potential attack vectors including guest Wi-Fi networks, network sockets and network-connected devices that can be accessed by visitors, public portals used for appointments or data sharing and more, the Forescout researchers said in their report.

Mitigating the Axeda vulnerabilities

PTC has released updated versions of the agent software, but most users will have to wait for their device manufacturers to release updates. The updated agent versions are version 6.9.1 build 1046, version 6.9.2 build 1049 and version 6.9.3 build 1051. Device vendors should also configure the Axeda Agent and ADS Service to only listen on the localhost interface and prevent exposing open ports to the local network and remove all deployment utilities from production devices.

Users should scan and inventory all their devices that are running Axeda agents and then enforce proper network segmentation from them preventing communication to unauthorized systems or servers. They should also consider blocking some of the ports if the functionality provided through them is not needed: 56120 and 56130, the web service for the Axeda agent; 3011, which can be used to send a shutdown signal to the agent; 3031, for the agent configuration; 5920 and 5820 for the optional VNC remote desktop service; 3077, for the event log that’s only supposed to be used during deployment and 3076, which provides code execution and file system access through the ERemoteServer deployment tool.

“If you don’t need them to be to be enabled, it’s easier to monitor traffic on those ports, because you should be expecting a very regular type of traffic there,” dos Santos says. “So, I think on the bright side, even if patching is hard, mitigation is more immediate in this case.”

Forescout has notified CISA, the Health Information Sharing and Analysis Center (H-ISAC) and the FDA. Coordination of the disclosure took 210 days, and so far around 10 vendors have confirmed they might be affected, but the actual number is expected to be much higher.