Access:7

Executive Summary

• Vedere Labs and CyberMDX have identified 7 vulnerabilities affecting the PTC Axeda agent, which we are collectively calling Access:7. Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, access its file system or alter system configurations.
• The Axeda solution enables device manufacturers to remotely access and manage connected devices. The use of the affected agent is popular in the healthcare sector, but is also present in other industry verticals, such as financial services and manufacturing.
• A detailed list of 150+ potentially affected devices from 100+ vendors highlights the significance of the vulnerabilities. The list contains several medical imaging and laboratory devices.
• In 2014, Axeda was acquired by PTC. Upon identifying the vulnerabilities in 2021, Vedere Labs & CyberMDX collaborated with PTC to report the issues to CISA, H-ISAC and the FDA, making sure that the affected manufacturers or providers were also notified and given the opportunity to remediate before the public disclosure.
• Mitigations for device manufacturers include updating the Axeda agents, blocking numerous TCP ports and using a secure configuration. Network operators using affected devices should ensure that manufacturers are applying mitigations on their devices.

Remote servicing and its security impact

One of the main advantages of connecting a computing device to the network is being able to manage it remotely for updates, remote operation, or general servicing. Nowadays, many types of devices are remotely managed and that is usually done by someone within the organization that owns the device. There are cases, however, where the device manufacturer or another third-party are the ones performing the service.

Daily, device manufacturers and managed service providers remotely access assets deployed in facilities worldwide to help expedite their services. In some cases, this approach is adopted for efficiency and convenience. In other cases, this is a necessity for business continuity, such as in healthcare during times where COVID-19 limits service personnel from entering hospitals…