Medical and IoT devices from over 100 vendors are vulnerable to attacks

More than 150 Internet of Things (IoT) devices, including many used in healthcare, from more than 100 companies are at increased risk of attack due to a set of seven vulnerabilities in third-party remote access components in devices.

Three of the bugs are rated critical because they allow attackers to remotely execute malicious code on vulnerable devices to gain full control over them. The rest of the vulnerabilities have a medium to high severity rating and provide an opportunity for attackers to steal data or perform denial-of-service attacks.

The vulnerabilities exist in several versions of the PTC Axeda Agent and PTC Desktop Server, technologies that many IoT vendors build into their devices for remote access and control. The researchers at Forescout’s Vedere Labs and CyberMDX who discovered the vulnerabilities track them together as “Access:7”.

In a report summarizing their findings this week, the researchers described the buggy component as being particularly prevalent in Internet-connected devices used in the healthcare sector, such as medical imaging, laboratory, radiation therapy, and surgical technology. Forescout reported that anonymous scanning of client networks revealed about 2,000 unique devices with vulnerable versions of Axeda. Of these, 55% were deployed in healthcare organizations, 24% in IoT product development organizations, 8% in IT, 5% in financial services, 4% in manufacturing, and 4% in other verticals.

Devices affected, in addition to healthcare-related technologies, include ATMs, SCADA systems, vending machines, cash management systems, IoT gateways, and asset monitoring technologies. All versions of Axeda technology below 6.9.3 are vulnerable, according to Forescout, and PTC has released patches for all of the vulnerabilities.

Daniel dos Santos, Head of Security Research at Forescout, says the vulnerabilities are proof that remote control tools are dangerous not only in the IT world, as attacks like last year’s Kaseya attack showed, but also for IoT and Internet-connected medical technologies.

“Therefore, it is important that organizations have a list of devices that are managed remotely and understand how they are managed,” he says. “Organizations must first identify vulnerable devices on the network and then ensure they are not affected by those vulnerabilities by segmenting their networks and restricting traffic through vulnerable ports.” Then they should fix the devices whenever possible, says dos Santos.
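As an added illustration of the first step dos Santos describes (finding the vulnerable devices), the following Python snippet, which is not Forescout’s or PTC’s tooling, triages a constructed asset inventory against the 6.9.3 threshold the article cites. It compares versions numerically rather than as strings, so that 6.10.0 is correctly treated as newer than 6.9.3; the inventory records and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per the article, every Axeda version below 6.9.3 is affected.
FIXED_VERSION = "6.9.3"


@dataclass
class Asset:
    host: str
    sector: str                      # assumed inventory field
    axeda_version: Optional[str]     # None when the version is unknown


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.9.3' into (6, 9, 3) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in text.strip().split("."))  # ValueError on junk


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version sorts below the fixed release. Shorter tuples are
    zero-padded, so '6.9' < '6.9.3' and '7' > '6.9.3'."""
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    return v + (0,) * (width - len(v)) < f + (0,) * (width - len(f))


def triage(assets: List[Asset]) -> Dict[str, List[str]]:
    """Group vulnerable hosts by sector. Unknown versions are listed under their
    own key so they get reviewed instead of being silently treated as patched."""
    report: Dict[str, List[str]] = {}
    for a in assets:
        if a.axeda_version is None:
            report.setdefault("unknown-version", []).append(a.host)
        elif is_vulnerable(a.axeda_version):
            report.setdefault(a.sector, []).append(a.host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    Asset("ct-scanner-01", "healthcare", "6.8.1"),
    Asset("lab-analyzer-02", "healthcare", "6.9.3"),
    Asset("atm-lobby-07", "financial", "6.10.0"),
    Asset("vending-3f", "other", "6.9"),
    Asset("gateway-dev-1", "iot-dev", None),
]

if __name__ == "__main__":
    for sector, hosts in triage(SAMPLE).items():
        print(f"{sector}: {', '.join(hosts)}")
```

Hosts under "unknown-version" are the ones to confirm manually before deciding whether they belong in the segmented, port-restricted zone.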

The set of seven vulnerabilities identified by Forescout and CyberMDX includes hard-coded credentials, missing authentication, improper limitation of a pathname, and improper checking or handling of exceptional conditions.

Three critical remote code execution bugs were reported to PTC by the researchers: CVE-2022-25251 in the Axeda xGate.exe agent, CVE-2022-25246 in AxedaDesktopServer.exe, and CVE-2022-25247 in the ERemoteServer.exe service.

The vulnerabilities affect various components of the agent, says dos Santos. This includes a configuration tool that should not be present on production devices, a desktop server tool, a gateway component, and a shared library. “Therefore, it is quite possible – and it often happens – that not all vulnerabilities will be present on the device,” he says.

The most common vulnerabilities will be those that affect the gateway and the library: CVE-2022-25249, CVE-2022-25250, CVE-2022-25251, and CVE-2022-25252, dos Santos says.

CISA Advisory
The US Cybersecurity and Infrastructure Security Agency (CISA) described the Access:7 vulnerabilities as affecting organizations in several critical infrastructure sectors in the US and worldwide. “Successfully exploiting these vulnerabilities — collectively known as Access:7 — could result in full system access, remote code execution, read/change configuration, read access to the file system, access to log information, or a denial of service,” CISA said.

Dos Santos says the kinds of attacks an organization is likely to face through these vulnerabilities will depend on the sector in which it operates. Healthcare organizations are likely to be more physically exposed than other sectors, because hospitals have many public spaces and many patient interactions that require the use of IT systems. “However, medical devices rarely go online, which is more common in other sectors such as financial services,” he says.

Dos Santos says attackers would need some sort of prior local network access to exploit the Access:7 vulnerabilities. But for attackers who already have local access — for example through phishing or by exploiting another vulnerability — the flaws are easy to exploit, he says. Affected devices can be identified on the network by specific open ports or by network fingerprints such as HTTP banners, which is also easy.

“The types of attacks that can be carried out using these vulnerabilities are the same in different organizations, but their impact is different,” says dos Santos. “For example, data theft in healthcare has a different meaning than data theft in a financial services organization.”

Forescout has published a technical report containing full details of the shortcomings, as well as a blog post.

The Access:7 vulnerabilities are another reminder of the often underestimated risk that organizations face from non-IT devices connected to the Internet. Just this week, another vendor, Armis, disclosed a set of three critical zero-day vulnerabilities in Smart-UPS devices from APC, a subsidiary of Schneider Electric. More than 20 million UPS devices, deployed worldwide as backup power since 2005, are believed to contain the vulnerabilities, which Armis collectively refers to as TLStorm.

If exploited, these vulnerabilities could allow a remote attacker to take complete control of an APC Smart-UPS device and perform a range of malicious actions, from powering devices on and off to physically destroying the unit. Armis, for example, said it was able to use the flaws to make a vulnerable UPS device catch fire and spew smoke.

Barak Hadad, head of research at Armis, says that because the vulnerabilities can be exploited remotely, in some scenarios attackers could use them to break into an internal corporate network. “After entering the network, an attacker can launch all sorts of attacks, including ransomware or deliberate sabotage,” he says. “Because UPS devices protect critical devices from power outages, a UPS shutdown can have serious consequences.”

According to Hadad, the damage attackers can cause with an exploit is likely to vary. “Physical operation requires a certain level of understanding of the internal workings of a UPS,” he notes. “Turning the UPS on or off was fairly simple, but changing the waveform or creating smoke required a deeper understanding.”