Security researchers have identified critical, trivially network-exploitable vulnerabilities in commonly used remote servicing software for healthcare and internet of things products, affecting over 150 devices from well-known vendors.
Forescout researchers discovered that the PTC Axeda xGate agent software contains flaws that let attackers run arbitrary code remotely, access device file systems, and change their system configurations at will.
More than half of the affected devices are used in the healthcare sector, Forescout said.
Forescout listed a number of vendors such as Abbott, Agilent, Bayer, Carestream, GE Healthcare, and Varian whose devices have been confirmed to be vulnerable.
However, the security vendor believes devices from other, well-known companies such as WindRiver, Supermicro, Texas Instruments, Sakura, Roche, Netcomm, Leica, HP, Intel and Dell could also be affected by the PTC Axeda vulnerability.
The United States government Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert for the PTC Axeda agent and Desktop Server products, advising users to upgrade to newer versions of the software, delete dangerous files, and harden system configurations.
CISA said the vulnerabilities are easy to exploit.
Two bugs indexed with the Common Vulnerabilities and Exposures system as CVE-2022-25426 and CVE-25247 have a severity rating of 9.8 out of 10.
Hard-coded login credentials in the Axeda xGate agent can be used to fully compromise and remotely control a device, while the ERemoteserver.exe binary gives attackers full file system access and remote code execution, Forescout said.
Although the local hard-coded credentials that the AxedaDesktopServer uses are encrypted, this is done with a global symmetric key from UltraVNC, on which PTC's remote access program is based, making decryption easy.
The ERemoteServer executable also leaks live event logs in text format to unauthenticated attackers.
Unrestricted file system read access via the webserver in the xGate agent can leak crucial information.
A third critical bug in xGate.exe lets attackers not only retrieve information about a device without authentication, but also change the agent software configuration.
Attackers can also shut down the xGate agent remotely, and crash all Axeda services with a buffer overflow.
PTC has acknowledged the bugs, and issued its own advisory for them.