PTC issued patches Tuesday for seven vulnerabilities, three of them critical, in its Axeda industrial internet of things (IIoT) remote monitoring and management agent. The vulnerabilities were discovered by Forescout's Vedere Labs.
The Cybersecurity and Infrastructure Security Agency is expected to issue an alert about the vulnerabilities today.
PTC acquired Axeda in 2014 and produced it alongside its ThingWorx IIoT remote management solutions until 2019, when it sunset Axeda. However, given the longevity of IIoT devices, Axeda is still in use in several systems. Based on Forescout telemetry, it remains in active use most often within the medical sector, particularly in lab testing and imaging.
Unlike traditional remote management software for networks, Axeda is pre-installed in devices.
"It's a tool that typically the device manufacturers will install on the fleet of devices that are sold to customers, and will use that to either provide updates or do some remote servicing, remote maintenance and things like that right on a lot of devices at the same time," said Daniel Dos Santos, head of research at Vedere.
The critical vulnerabilities include unauthenticated commands in the main agent service that can retrieve information and modify configurations, and a remote server listening on port 3076 that accepts commands to download a file to the device, upload a file from the device, run a program, query directory and file information, shut down the server, shut down the main agent, and retrieve the version of the Axeda agent. The critical set also includes a vendor configuration problem: manufacturers using Axeda installed hard-coded credentials across a fleet of devices.
Forescout believes that with common installations of industrial products, attackers would need local access to the network to take advantage of the vulnerabilities. But with medical devices, particularly in locations with relatively flat networks spanning extremely diverse users, getting local access may not be a huge problem.
The hard-coded credentials problem may have been partially discovered in 2016, when a researcher noticed default credentials installed across ATMs. That discovery was never assigned a CVE and does not appear to have received any traction outside a Spanish-language blog. Vedere only became aware of the blog after its own research.
"We didn't see any mention of any sort of disclosure process. It really seems, at least to me, like a guy who found it, put it on the internet and that's it. Which kind of brings us to why coordinated vulnerability disclosure and doing it the right way is important," said Dos Santos.
Four other vulnerabilities were also discovered in the Axeda agent. Of particular concern, the main agent allows unrestricted read access to any file on the disk. The main agent can be shut down, and many of its services can be crashed. Additionally, a text log is exposed.
PTC released an update for manufacturers to implement. Enterprises, Vedere recommends, should inventory and segment devices running Axeda while they await updates.
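One way to operationalize the inventory-and-segmentation advice while patches are pending, as an added example that is not from the article or from PTC or Forescout: it audits constructed flow records for traffic to the agent's remote-server port (3076, as named above) that either originates outside an assumed management segment or targets a device missing from an assumed asset inventory. The segment range, inventory addresses and record format are assumptions.

```python
# Added example (not from the article or from PTC/Forescout): check constructed
# flow records for Axeda agent traffic (TCP/3076) that crosses the segment
# boundary the article recommends, or reaches an agent missing from inventory.
import ipaddress
from typing import Dict, List

AXEDA_REMOTE_PORT = 3076  # port of the agent's remote server, per the article

# Assumed network layout: only this management segment may reach the agents.
MGMT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
# Assumed asset inventory: devices known to run the Axeda agent.
INVENTORY = {"10.30.1.10", "10.30.1.11"}

# Constructed flow records in the form "src,dst,dst_port,proto".
SAMPLE_FLOWS = [
    "10.20.0.5,10.30.1.10,3076,tcp",   # allowed: management host -> known agent
    "10.50.7.23,10.30.1.11,3076,tcp",  # flagged: source outside management segment
    "10.20.0.5,10.30.1.99,3076,tcp",   # flagged: destination not in inventory
    "10.50.7.23,10.30.1.10,443,tcp",   # ignored: not the Axeda remote-server port
]


def audit_flows(flows: List[str]) -> Dict[str, List[str]]:
    """Return findings, keyed by category, for flows that hit TCP/3076."""
    findings: Dict[str, List[str]] = {"cross_segment": [], "unknown_agent": []}
    for line in flows:
        src, dst, port, proto = line.split(",")
        if proto != "tcp" or int(port) != AXEDA_REMOTE_PORT:
            continue  # only the agent's remote-server port is of interest here
        if ipaddress.ip_address(src) not in MGMT_SEGMENT:
            findings["cross_segment"].append(line)
        if dst not in INVENTORY:
            findings["unknown_agent"].append(line)
    return findings


if __name__ == "__main__":
    for category, hits in audit_flows(SAMPLE_FLOWS).items():
        print(f"{category}: {hits}")
```

Fed real flow exports in the same four-field shape, the same two checks give a first pass at both the inventory gap and the segmentation gap Vedere describes.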