7 supply chain vulnerabilities found in PTC’s Axeda agent

Forescout’s Vedere Labs and CyberMDX discovered seven supply chain vulnerabilities, including three rated critical by CISA, impacting medical and IoT devices that present an immediate risk to healthcare organizations, as well as the financial services and manufacturing sector.

Access:7 could enable attackers to remotely execute malicious code, access sensitive data or alter the configuration of medical and IoT devices running PTC’s Axeda remote access and management agent. This disclosure illustrates the same class of supply chain component problems that Forescout identified in Project Memoria, this time in a remote management solution rather than a TCP/IP stack.

Access:7 By the Numbers

  • 7 total vulnerabilities, including 3 rated critical
  • 150+ device models affected
  • 100+ manufacturers with affected devices

The Impact of Access:7

Over 150 device models from more than 100 device manufacturers are potentially affected by Access:7. Over half of the affected device vendors belong to the healthcare industry (55%), followed by almost a quarter (24%) that develop IoT solutions. The vulnerabilities were found most often in medical imaging (36%) and laboratory (31%) machines.

See the full device list >>

Read the blog >>

Register for the Webinar >>


Dive Into the Research

Learn what happens when vulnerabilities in remote access and management agents designed to expedite service on medical and IoT devices are exploited by hackers. This report discloses vulnerabilities in PTC’s Axeda agent, the main findings, common attack scenarios, impact on healthcare and other industries, and mitigation recommendations for device manufacturers and network operators.

Commitment to the Cybersecurity Community

As part of the Access:7 disclosure, Vedere Labs and CyberMDX provided the cybersecurity community with the following artifacts:

  • A technical report in which we discuss each of the seven vulnerabilities and their mitigation in detail, as well as the lengthy disclosure process we followed, at the end of which CISA designated three of the vulnerabilities as critical
  • A script for eyeInspect that detects exploitation attempts against the vulnerabilities in Access:7, which can then be acted on in eyeControl
  • An updated Security Policy Template (SPT) for eyeSight and an updated Device Visibility Addons script for eyeInspect to detect devices running Axeda.

Risk Mitigation

Mitigations for device manufacturers include updating the Axeda agents, blocking the TCP ports used by the affected Axeda components where they are not required, and deploying a secure configuration. Network operators using affected devices should confirm with the manufacturers that these mitigations have been applied to their devices.

Complete protection against Access:7 requires patching devices running the vulnerable versions of the Axeda components. PTC has released its official patches and device manufacturers using this software should provide their own updates to customers.

In the technical report, we discuss mitigation strategies for device manufacturers. For network operators, we recommend the following:

  • Discover and inventory devices running Axeda. Forescout has released an updated Security Policy Template (SPT) for eyeSight and an updated Device Visibility Addons script for eyeInspect to detect devices running Axeda. The CyberMDX solution can also identify vulnerable devices.
  • Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.
  • Track the patches that affected device vendors release and devise a remediation plan for your vulnerable asset inventory, balancing business risk against business continuity requirements.
  • Monitor all network traffic for malicious packets that attempt to exploit known vulnerabilities or possible 0-days. Malicious traffic should be blocked, or at a minimum should raise an alert to network operators. Forescout has released a script for eyeInspect that detects exploitation attempts against the vulnerabilities in Access:7. eyeInspect can then forward the alert to a SIEM/SOAR system for further analysis or trigger immediate action via eyeControl, such as assigning a device to a VLAN, instructing the switch to block and isolate the device from the network, or using a virtual firewall to restrict specific traffic.
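The four operator steps above (inventory, segment, track remediation, monitor) can be checked against exported data rather than by hand. The following is an added example, not Forescout or CyberMDX code and not a real product schema: it assumes an asset inventory that exposes a software string, a network zone and a patched flag, and flow records that carry the source zone. All assets, flows, zone names and port numbers are constructed for illustration.

```python
"""Added example (not Forescout/CyberMDX code): triage an asset inventory and
flow records for devices running the Axeda agent, as a network operator
would for Access:7. Field names, zone names, port numbers and the 'patched'
flag are assumptions about what an inventory/flow export provides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    vendor: str
    model: str
    software: str   # assumed field: agent/software string reported by the inventory
    zone: str       # assumed field: network zone the asset sits in
    patched: bool   # assumed field: vendor update for Access:7 applied


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_zone: str   # assumed field: zone of the source, as tagged by the sensor
    dst_ip: str
    dst_port: int   # constructed values, not Axeda's actual service ports


# Constructed inventory: three Axeda-based devices and one unrelated switch.
INVENTORY = [
    Asset("10.20.1.10", "ImagingCo", "CT-X1", "Axeda Agent 6.9.2", "medical-devices", False),
    Asset("10.20.1.11", "ImagingCo", "CT-X1", "Axeda Agent 6.9.3", "medical-devices", True),
    Asset("10.20.2.5", "LabSys", "Analyzer-200", "Axeda Agent 6.8.0", "lab", False),
    Asset("10.30.0.7", "NetCorp", "Switch-48", "NetOS 4.1", "infrastructure", True),
]

# Constructed flow records observed by a passive sensor.
FLOWS = [
    Flow("10.50.0.20", "corporate-lan", "10.20.1.10", 3011),   # office host -> unpatched CT
    Flow("10.20.1.100", "clinical-eng", "10.20.1.10", 3011),  # engineering workstation, allowed
    Flow("203.0.113.9", "internet", "10.20.2.5", 3031),       # external source -> unpatched analyzer
    Flow("10.50.0.21", "corporate-lan", "10.20.1.11", 3011),  # office host -> patched CT
]

# Assumed segmentation policy: only these zones may reach Axeda-managed devices.
ALLOWED_SOURCE_ZONES = {"clinical-eng", "medical-devices"}


def axeda_assets(inventory):
    """Step 1: inventory. Match on the software string the inventory reports."""
    return [a for a in inventory if "axeda" in a.software.lower()]


def unpatched_axeda(inventory):
    """Axeda devices still awaiting the manufacturer's update."""
    return [a for a in axeda_assets(inventory) if not a.patched]


def segmentation_violations(inventory, flows, allowed_zones):
    """Step 2: segmentation. Return (flow, asset) pairs where an Axeda device is
    reached from a zone outside the allow-list, unpatched targets first."""
    targets = {a.ip: a for a in axeda_assets(inventory)}
    hits = [(f, targets[f.dst_ip]) for f in flows
            if f.dst_ip in targets and f.src_zone not in allowed_zones]
    # Stable sort: patched == False sorts before True, so unpatched targets lead.
    return sorted(hits, key=lambda pair: pair[1].patched)


def remediation_progress(inventory):
    """Step 3: remediation tracking. Per vendor, (patched, total) Axeda devices,
    so the operator knows which manufacturer to chase for updates."""
    progress = {}
    for a in axeda_assets(inventory):
        patched, total = progress.get(a.vendor, (0, 0))
        progress[a.vendor] = (patched + int(a.patched), total + 1)
    return progress


if __name__ == "__main__":
    for f, a in segmentation_violations(INVENTORY, FLOWS, ALLOWED_SOURCE_ZONES):
        state = "patched" if a.patched else "UNPATCHED"
        print(f"{f.src_zone}:{f.src_ip} -> {a.vendor} {a.model} ({a.ip}, {state})")
    print(remediation_progress(INVENTORY))
```

The ordering in `segmentation_violations` is deliberate: a flow into an unpatched device from an untrusted zone is the case to isolate first, while a flow into a patched device is a policy hygiene finding. The per-vendor counts feed the remediation plan in the third step; the actual exploitation detection in the fourth step needs signatures from the technical report and is not reproduced here.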

More details about the vulnerabilities and their exploitation are available in our technical report.


How Forescout Can Help

Forescout automatically detects medical and IoT assets within your network and organizes them in a detailed inventory listing. This inventory will help you recognize whether you have devices affected by Access:7 and where they are located within your network. For the assets identified as affected by Access:7, we provide recommended actions that can be taken to remediate the potential risk.

Additionally, the solution will discover any active exploitation attempts against the vulnerabilities in Access:7 and forward actionable alerts to your SIEM for analysis and mitigation of the threat. You can set up rules to track the number of devices affected by this vulnerability and you can monitor the progress of the remediation.

About the CyberMDX Cybersecurity Research and Analysis Team

CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence analyst team works to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices.

The team’s researchers, white-hat hackers and engineers collect information about potential and existing threats to understand attacker motivations, intentions and methodology, and to deliver the best protection against attacks and malware.

About Forescout

Forescout Technologies, Inc. actively defends the Enterprise of Things by identifying, segmenting and enforcing compliance of every connected thing. Fortune 1000 companies trust Forescout as it provides one of the most widely deployed, enterprise-class platforms at scale across IT, IoT and OT managed and unmanaged devices. Forescout arms customers with extensive device intelligence, data and policies to allow organizations across every industry to accurately classify risk, detect anomalies and quickly remediate cyberthreats without disruption of critical business assets. Don’t just see it. Secure it.

The Enterprise of Things – Secured.

Take the Next Step

Want to set up a call, meeting or product demo? Didn’t find what you were looking for? We’re here to help.

Contact Us