Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices

2020 Healthcare Data Breach Report

Share this article on:

7 vulnerabilities dubbed Access:7 have been identified in the web-based technologies PTC Axeda and Axeda Desktop Server, which are used to allow one or more people to securely view and operate the same remote desktop via the Internet. If exploited, an attacker could gain full system access, remotely execute code, trigger a denial-of-service condition, read and change configurations, and obtain file system read access and log information access. Three of the vulnerabilities are rated critical and have a CVSS severity score of 9.8 out of 10.

PTC Axeda and Axeda Desktop Server are remote asset connectivity software solutions that are used as part of a cloud-based IoT platform. The software is extensively used in medical and Internet-of-Things (IoT) devices to manage and remotely access connected devices, including multiple medical imaging and laboratory devices. At present, none of the vulnerabilities are believed to have been exploited in the wild.

The vulnerabilities affect all versions of the software. They are:

  • CVE-2022-25246 – Hard-coded credentials – CVSS Severity Score 9.8/10
  • CVE-2022-25247 – Missing authentication for critical function – CVSS Severity Score 9.8/10
  • CVE-2022-25251 – Missing authentication for critical function – CVSS Severity Score 9.8/10
  • CVE-2022-25249 – Improper limitation of a pathname to a restricted directory – CVSS Severity Score 7.5/10
  • CVE-2022-25250 – Missing authentication for critical function – CVSS Severity Score 7.5/10
  • CVE-2022-25252 – Improper check or handling of exceptional conditions – CVSS Severity Score 7.5/10
  • CVE-2022-25248 – Exposure of sensitive information to unauthorized individuals – CVSS Severity Score 5.3/10

The vulnerabilities were identified by researchers at Forescout’s Vedere Labs and CyberMDX. The vulnerabilities are known to affect more than 150 devices from over 100 vendors, which amounts to hundreds of thousands of devices globally with over half of the vulnerable devices used by healthcare organizations.  The vulnerabilities also affect a range of other devices such as ATMs, IoT gateways, label printers, SCADA systems, barcode scanners, vending machines, and asset monitoring and tracking solutions.

Patching the vulnerabilities is not straightforward and these are supply chain vulnerabilities. These vulnerable components are used in several different ways by device manufacturers, and healthcare organizations will be required to wait for fixes to be issued by the device manufacturers.

PTC has made the following recommendations:

  • Upgrade to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
  • Configure Axeda agent and Axeda Desktop Server (ADS) to only listen on the local host interface 127.0.0.1.
  • Provide a unique password in the AxedaDesktop.ini file for each unit.
  • Never use ERemoteServer in production.
  • Make sure to delete ERemoteServer file from host device.
  • Remove the installation file, for example: Gateway_vs2017-en-us-x64-pc-winnt-vc14-6.9.3-1051.msi
  • When running in Windows or Linux, only allow connections to ERemoteServer from trusted hosts and block all others.
  • When running the Windows operating system, configure Localhost communications (127.0.0.1) between ERemoteServer and Axeda Builder.
  • Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On