Multiple Vulnerabilities in PTC Axeda Agent and Axeda Desktop Server Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2022-034

DATE(S) ISSUED:

03/09/2022

OVERVIEW:

Multiple vulnerabilities have been discovered in PTC Axeda Agent and Axeda Desktop Server, the most severe of which could allow for remote code execution. PTC Axeda is a cloud-based remote access solution commonly used to manage devices within the healthcare industry. Successful exploitation of these vulnerabilities could result in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Axeda agent: All versions (fixed in 6.9.2 build 1049 and 6.9.3 build 1051)
  • Axeda Desktop Server for Windows: All versions (fixed in 6.9 build 215)

RISK:

Government:
  Large and medium government entities: HIGH
  Small government entities: MEDIUM
Businesses:
  Large and medium business entities: HIGH
  Small business entities: MEDIUM
Home Users:
  LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in PTC Axeda agent and Axeda Desktop Server, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

  • The affected product uses hard-coded credentials for its UltraVNC installation, which could allow an unauthenticated remote attacker to take control of the host operating system. (CVE-2022-25246)
  • The affected product may allow an attacker to send certain commands to a specific port without authentication which could allow a remote unauthenticated attacker to obtain full file-system access and remote code execution. (CVE-2022-25247)
  • When connecting to a certain port, the affected product supplies the event log of the specific service to the unauthenticated caller. (CVE-2022-25248)
  • The affected product (excluding Axeda agent v6.9.2 and v6.9.3) is vulnerable to directory traversal, which could allow a remote unauthenticated attacker to obtain file-system read access via the web server. (CVE-2022-25249)
  • The affected product may allow an attacker to send a certain command to a specific port without authentication which could allow a remote unauthenticated attacker to shut down a specific service. (CVE-2022-25250)
  • The affected product may allow an attacker to send certain XML messages to a specific port without proper authentication which could allow a remote unauthenticated attacker to read and modify the product’s configuration. (CVE-2022-25251)
  • Improper handling of exceptions could allow a remote unauthenticated attacker to crash the product. (CVE-2022-25252)

Successful exploitation of these vulnerabilities could result in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition.

RECOMMENDATIONS:

  • Upgrade to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
  • Upgrade the Axeda Desktop Server (ADS) to Version 6.9 build 215.
  • Check the manufacturer websites for your affected products for updates, as applying the device vendor's update fully remediates the issue. Companies such as Bayer, Accuray, Elekta, General Electric, and Varian ship products that embed the Axeda agent and are affected.
    o List of affected devices using Axeda agent: https://learn.cisecurity.org/e/799323/access7-affected-devices-/rrnfl/270574381?h=r0NRBBMdNb9vDr8zjSwfQGGM1SlJNfCt4mFMssLYVwM
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the Principle of Least Privilege to all systems and services.
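The first practical step behind these recommendations is finding which hosts are still below the fixed builds. The following Python is an added example for this advisory, not tooling from PTC or MS-ISAC: it parses version strings recorded in the "X.Y.Z build N" form the advisory uses and flags hosts below the fixed builds. The inventory is constructed; the version-string format is an assumption about how your asset records are kept; and treating agent releases newer than 6.9.3 as fixed is also an assumption, since the advisory names only the two fixed 6.9.x builds.

```python
"""Flag hosts whose Axeda component is below the fixed builds named in the
advisory: agent 6.9.2 build 1049 / 6.9.3 build 1051, ADS 6.9 build 215.

Added example for this advisory page, not PTC or MS-ISAC tooling. The
inventory is constructed. The "X.Y.Z build N" version format and the rule
that agent releases newer than 6.9.3 are treated as fixed are assumptions.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Fixed builds from the advisory: release tuple -> minimum build number.
FIXED_AGENT_BUILDS = {(6, 9, 2): 1049, (6, 9, 3): 1051}
# ADS fixed release and build.
FIXED_ADS_RELEASE, FIXED_ADS_BUILD = (6, 9), 215

# Accepts "6.9.2 build 1049", "6.9 build 215", or a bare "6.9.3" (no build).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:build\s*(\d+))?\s*$", re.I)


def parse_version(text: str) -> Tuple[Tuple[int, ...], Optional[int]]:
    """'6.9.2 build 1049' -> ((6, 9, 2), 1049); build is None if absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return release, build


def agent_is_fixed(version: str) -> bool:
    """True only if the agent is at or above a fixed build."""
    release, build = parse_version(version)
    if release in FIXED_AGENT_BUILDS:
        # On a fixed release line, the build number decides; an unknown
        # build number is treated as vulnerable rather than guessed.
        return build is not None and build >= FIXED_AGENT_BUILDS[release]
    # Assumption: releases after 6.9.3 carry the fixes; older ones do not.
    return release > (6, 9, 3)


def ads_is_fixed(version: str) -> bool:
    """True only if Axeda Desktop Server is at or above 6.9 build 215."""
    release, build = parse_version(version)
    if release[:2] == FIXED_ADS_RELEASE:
        return build is not None and build >= FIXED_ADS_BUILD
    return release[:2] > FIXED_ADS_RELEASE  # assumption, as for the agent


CHECKS: Dict[str, Callable[[str], bool]] = {
    "agent": agent_is_fixed,
    "ads": ads_is_fixed,
}

# Constructed sample inventory: (hostname, product, recorded version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("infusion-pump-01", "agent", "6.9.2 build 1049"),
    ("ct-console-02", "agent", "6.9.2 build 1048"),
    ("linac-ws-03", "agent", "6.9.3 build 1051"),
    ("linac-ws-04", "agent", "6.8.1 build 912"),
    ("ads-gateway-01", "ads", "6.9 build 215"),
    ("ads-gateway-02", "ads", "6.9 build 210"),
]


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the inventory rows still running a vulnerable build, in order."""
    return [
        (host, product, version)
        for host, product, version in inventory
        if not CHECKS[product](version)
    ]


if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} is below the fixed build")
```

Note that a version recorded without a build number ("6.9.3") is reported as vulnerable on purpose: both fixed agent releases share a version number with earlier vulnerable builds, so the build number is the only thing that distinguishes them, and a missing one should prompt a closer look rather than a pass.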
