7 New Vulnerabilities Threaten Supply Chain, Medical Device Security

March 08, 2022 - Forescout's global research team, Vedere Labs, and CyberMDX discovered seven vulnerabilities that impact the PTC Axeda agent and threaten supply chain and medical device security. The vulnerabilities range from medium to critical severity in terms of Common Vulnerability Scoring System (CVSS) ratings.

The vulnerabilities, collectively named Access:7, may allow threat actors to remotely execute code, alter system configurations, and access files.

Access:7 Vulnerabilities: An Overview

Over 150 devices from more than 100 vendors may be affected by the Access:7 vulnerabilities. Organizations use the PTC Axeda solution to manage and remotely access connected devices, which is why it is extremely prevalent in the healthcare sector. More than half of the impacted devices stem from the healthcare sector.

The vulnerabilities impact multiple medical imaging and laboratory devices and are difficult to patch due to the fact that the impacted component is used across the supply chain.

"This component is typically used for remote access and remote management of medical devices in hospitals or any sort of healthcare institution. The component is put into devices by the manufacturers to provide things like remote maintenance, updates, and configuration changes," Daniel dos Santos, head of security research at Forescout, told HealthITSecurity.

"Seven vulnerabilities were found in this component, and they allow for things like remote code execution which, in non-technical terms, means that somebody can take full control of a device based on the functionality of that agent and the way that it was implemented without having the proper authentication."

Essentially, an attacker with access to a network-connected device that contains the Access:7 vulnerabilities could take control of the device, change lab results, exfiltrate data, or even deny patient care. Three of the seven vulnerabilities may result in remote code execution (RCE). Two could cause information disclosure, and the other two may enable Denial-of-Service (DoS) conditions.

Two of the RCE vulnerabilities (CVE-2022-25246 and CVE-2022-25247) have a CVSS score of 9.8 out of 10. CVE-2022-25246 allows hackers to decrypt credentials easily, and CVE-2022-25247 will enable attackers to download and upload files to the device, run programs, and query directory and file information.

What Healthcare Organizations Can Do to Mitigate Risk

"The real problem is that patching these vulnerabilities is difficult because we're talking about a supply chain vulnerability that affects one component that is then used in several different ways by several different vendors," dos Santos said.

"The issue is that a hospital that has devices coming from several different vendors will have to wait for all those vendors to issue their patches according to their own timelines and so on, based on the same set of vulnerabilities."

The Vedere Labs report likened the Access:7 vulnerabilities to the Kaseya cyberattack in July 2021. Attackers exploited a vulnerability on Kaseya's remote servicing solution to deploy ransomware on thousands of organizations. The large-scale cyberattack pointed to severe gaps in supply chain security.

"The impact that you have when you find a supply chain vulnerability is much larger because it's just used by many vendors and many devices," dos Santos explained.

Vedere Labs recommended patching devices whenever possible and monitoring the network for anomalies and malicious activity. Healthcare organizations should also prioritize identifying all devices on their organization's network that are vulnerable. This is a tall task considering many healthcare organizations struggle to keep an inventory of connected devices.

dos Santos recommended implementing automated network monitoring tools to assist with tracking what devices are on a network and what components are running on those devices. Researchers largely found the Axeda agent present in imaging and lab machines more than any other device type.

Organizations should also enforce network segmentation controls and practice cyber hygiene to mitigate medical device security risks. Patching is crucial, but fine-grained security controls are essential to mitigating the risks of complex vulnerabilities.

"We believe that the distribution of Axeda agents found across industry verticals is evidence that medical devices are being remotely serviced more often than other types of devices," the report concluded.

"This research also shows that several medical device vendors chose to adopt a (flawed) third-party solution for servicing operations instead of developing this capability in-house."

The research further underscored the potential damage of supply chain vulnerabilities. They are difficult to patch, easy to exploit, and the software components are often widespread. Healthcare organizations should work with entities across the supply chain and within their organizations to mitigate risk.