Critical Access:7 vulnerabilities impact ATMs and Medical devices

by Ugnius Kiguolis - - 2022-03-08

The set of vulnerabilities named Access:7 have been discovered in PTC's Axeda agent

Supply-chain vulnerabilities allow remote access Medical and IoT devices can be accessed by attackers due to Access:7 flaw batch

Supply chain flaws impact ATMs, medical and IoT devices and can be weaponized to gain unauthorized access. The PTC's Axeda agent is a solution used for remote access and management by over 100 vendors. These bugs potentially affect more than 150 device models. Three of these vulnerabilities have a severity code of 9.4 which is a critical rate.^[1] Vulnerable versions of the Axeda agent can lead to remote code execution in devices.

This PTC's Axeda solution has a cloud platform and allows device manufacturers to establish the connectivity to remote monitor, manage and service a wide range of machines that are connected.^[2] Developed by Parametric Technology Corporation, the platform provides telemetry data from IoT devices on the network and the option or remote service by locally deployed agents.

Access:7 could enable hackers to remotely execute malicious code, access sensitive data or alter configuration on medical and IoT devices running PTC’s Axeda remote code and management agent.

These Axeda agents run on various connected systems, sensors, machines. It runs on machines used in the healthcare industry and this is one of the main sectors of use. this fact makes such devices an attractive target of such supply-chain attacks.^[3]

Critical bugs leading to remote access on medical devices

Forescout Verde Labs and CyberMDX researchers list the issues with these critical remote access vulnerabilities.^[4] The discovery shows that all Axeda agent versions lower than 6.9.3 can be vulnerable to the set of 7 security bugs. The bundle is dubbed Access:7. Most problems related to the exploitation of these security flaws are related to information disclosure, denial-of-service attacks,^[5] and remote arbitrary code execution.

The exploitation of the vulnerabilities can enable attackers to run any of the processes and malicious code, access and obtain sensitive data. However, threat actors can alter configurations on medical IoT devices that run the PTC's Axeda agent. This is a major issue, especially when there are 100 impacted device vendors out there.

55% belong to the particular healthcare sector. Customers with devices that run the Axeda have been identified with the majority of them in the healthcare sector. These vulnerable devices include AMTs, vending machines, cash management systems, barcode scanning systems., label printers, added monitoring and tracking solutions, industrial cutters.

Seven major security flaws

CVE-2022-25246 flaw with the CVSS score of 9.8. The exploitation of the flaw can enable the remote takeover of a device.
CVE-2022-25247 bug has a severity rate of 9.8. The flaw can be leveraged to send specially crafted commands to obtain remote code execution and full access to the system.
CVE-2022-25251 with a CVSS score of 9.4. The missing authentication in the Axeda xGate.exe agent could be used to modify the configuration.
CVE-2022-25249 with a CVSS score of 7.5 is the directory traversal flaw that could allow the unauthenticated attacker to obtain access to file systems and read access on the webserver.
CVE-2022-25250 is another one with a severity of 7.5 score. This bug is a denial-of-service flaw that can lead to attacks by injecting the undocumented command.
CVE-2022-25252 bug with CVSS score of 7.5. The buffer overflow vulnerability results in a DDoS attack if exploited.
CVE-2022-25248 has a severity score of 5.3. This security bug exposes the live event log to unauthenticated parties.

The bundle of critical security bugs can create major issues if successfully exploited. Attackers can get remote malicious code execution capability, take full control of the affected devices and access or obtain sensitive data, change configurations, shut down services and devices. This can create consequences of health issues since these flaws are mainly distributed in healthcare industries.

Users can upgrade to Axeda agent version 6.9.1 build 1046, 6.9.2 build 1049, 6.9.3 build 1051 to mitigate the flaws and avoid possible exploitations.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Lily Hay Newman. Critical Bugs Expose Hundreds of Thousands of Medical Devices and ATMs. Wired. Breaking news from the world.
^ Access:7 Affected Devices. Cybermdx. Cyber security team.
^ Maria Korolov. Supply chain attacks show why you should be wary of third-party providers. CSOonline. IT and cyber security news and analysis.
^ How Supply Chain Vulnerabilities Can Allow Unwelcomed Access to Medical and IoT Devices. Forescout. Supply chain vulnerability reports.
^ What is a denial-of-service (DoS) attack?. Cloudflare. DDoS attack research reports.