Significant vulnerabilities in Axeda, a connected device management platform, leave more than 150 internet of things (IoT) devices used for commercial purposes open to criminal takeover. The trio of remote code execution (RCE) flaws discovered by security researchers at Forescout’s Vedere Labs and CyberMDX might also allow attackers to access sensitive data or reprogram compromised devices.
Most of the devices affected by these and four other lower-severity flaws, collectively termed ‘Access:7,’ are used for medical purposes. All seven issues have been addressed in Axeda Agent version 6.9.3 by Axeda, which is owned by PTC, a Massachusetts-based industrial IoT software business. All prior versions have been shown to be susceptible.
According to a Forescout blog post published on March 8, more than half of the affected devices (54%) are deployed in the healthcare sector, and the affected medical devices are most commonly used for imaging (36%) and lab (31%) applications. IoT solutions account for another 24%.
Affected equipment also includes ATMs, cash management systems, barcode scanning systems, vending machines, label printers, SCADA systems, asset monitoring and tracking solutions, IoT gateways, and industrial cutters. Forescout, a cybersecurity firm specializing in the ‘enterprise of things,’ claimed it had discovered more than 2,000 Axeda-enabled devices on client networks.
The two most serious RCE vulnerabilities, both with CVSS scores of 9.8, stem from the use of hardcoded credentials by the AxedaDesktopServer.exe service (CVE-2022-25246) and a weakness in the ERemoteServer.exe service that allows complete file system access (CVE-2022-25247). The other major flaw, with a CVSS score of 9.4, exists because the Axeda xGate.exe agent accepts unauthenticated commands that collect device information and alter the agent’s configuration (CVE-2022-25251).
There are four medium-severity problems:
- The Axeda xGate.exe agent has denial of service (CVE-2022-25250) and information disclosure through directory traversal (CVE-2022-25249) vulnerabilities.
- A separate denial-of-service attack causes Axeda services employing xBase39.dll to crash (CVE-2022-25252).
- A vulnerability in the ERemoteServer.exe service (CVE-2022-25248) allows data to be leaked.
According to Vedere Labs, end users should patch susceptible devices as quickly as feasible, and device makers that embed this software should provide patches to their customers. In a technical report that accompanied the blog post, Vedere Labs suggested mitigation options for device makers and network operators.
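Because every Axeda Agent build before 6.9.3 is affected, the first defensive step is finding which assets still run an older build. The script below is an added example, not code from Forescout, PTC, or the article: it reads a simple host,product,version inventory (a constructed format; the sample records are made up), compares each Axeda Agent version against the fixed 6.9.3 release, and treats unparsable versions as unpatched until verified. The only facts it takes from the article are the fixed version and the seven CVE ids.

```python
"""Triage a device inventory for Axeda Agent builds older than the fixed 6.9.3 release.

Added example, not Forescout's, PTC's, or the article's own code. The inventory
format and all sample records are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Axeda Agent release that addresses all seven Access:7 issues (from the article)
FIXED_VERSION = (6, 9, 3)

# CVE ids from the article, grouped by the component they affect (used for reporting)
ACCESS7_CVES = {
    "AxedaDesktopServer.exe": ["CVE-2022-25246"],
    "ERemoteServer.exe": ["CVE-2022-25247", "CVE-2022-25248"],
    "xGate.exe": ["CVE-2022-25251", "CVE-2022-25250", "CVE-2022-25249"],
    "xBase39.dll": ["CVE-2022-25252"],
}

# Constructed sample inventory: host,product,version
SAMPLE_INVENTORY = """
# host,product,version  (constructed sample data)
imaging-01,Axeda Agent,6.9.2
lab-analyzer-07,Axeda Agent,6.9.3
atm-kiosk-3,Axeda Agent,unknown
vending-12,Axeda Agent,v6.8
switch-core,Cisco IOS,15.2
""".strip().splitlines()


@dataclass
class Finding:
    host: str
    version: str
    vulnerable: bool
    reason: str


def parse_version(text):
    """Turn '6.9.2' or 'v6.8' into a 3-tuple; missing parts count as 0.
    Returns None when the string is not a dotted numeric version."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def assess(host, product, version_text):
    """Decide whether one inventory record still needs the Access:7 patch."""
    if "axeda" not in product.lower():
        return Finding(host, version_text, False, "not an Axeda agent")
    version = parse_version(version_text)
    if version is None:
        # Fail closed: an unknown version is assumed unpatched until someone checks the device
        return Finding(host, version_text, True, "unparsable version; treat as unpatched until verified")
    if version < FIXED_VERSION:
        return Finding(host, version_text, True, f"Axeda Agent {version_text} is older than 6.9.3 (Access:7)")
    return Finding(host, version_text, False, "at or above the fixed version")


def triage(inventory_lines):
    """Run assess() over every non-comment inventory line and return the findings."""
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = [part.strip() for part in line.split(",")]
        findings.append(assess(host, product, version))
    return findings


def vulnerable_hosts(inventory_lines):
    """Convenience view: names of hosts that should be prioritised for patching."""
    return [f.host for f in triage(inventory_lines) if f.vulnerable]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        flag = "PATCH" if finding.vulnerable else "ok   "
        print(f"{flag} {finding.host:16} {finding.version:8} {finding.reason}")
    print("Access:7 CVEs by component:", ACCESS7_CVES)
```

Hosts that report a version the parser cannot read are flagged rather than skipped, since an inventory gap is exactly where an unpatched device tends to hide; confirm those against the vendor's patched firmware before clearing them.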