The Axeda Vulnerability and Lessons Learned

In March, a vulnerability that impacts Parametric Technology Corporation’s (PTC) Axeda agent and Axeda Desktop Server was announced. The Cybersecurity and Infrastructure Security Agency (CISA) issued advisory ICSA-22-068-01 stating that the vulnerability is exploitable remotely with a low attack complexity… a particularly bad combination. This event serves as an apt moment to reflect on the underlying security deficiencies and what we can learn from them.

What is Axeda and what is the scope of the vulnerability?

Axeda is remote access software typically used in IoT environments. According to Forescout, 54% of Axeda’s userbase are healthcare organizations and the Axeda agent is frequently baked into healthcare devices. The agents are typically used for remote diagnostics.

According to CISA’s 3/31/2022 vulnerability update (update C), since the vulnerability was first announced, the scope of the problem has significantly expanded. Some of the biggest names in healthcare systems are affected by the Axeda vulnerability.

Known as “Access:7”, seven common vulnerabilities and exposures (CVEs) were identified, the most severe of which allows remote code execution (RCE), information disclosure, and denial-of-service (DoS) attacks. The known list of affected devices is significant, and it impacts over one hundred medical device vendors and thousands of their customers.

What can we learn from these Axeda CVEs?

Let’s explore two of the key CVEs in a bit more detail.

1) CVE-2022-25246 calls out the use of hardcoded credentials in its UltraVNC installation. This vulnerability has a severity score of 9.8 and introduces the possibility of RCE in the environment. I think we can all agree that hardcoded credentials are a poor security practice. However, it’s all too common both in “image-driven” installations and in environments where convenience supersedes security concerns.

2) CVE-2022-25247 could allow file system access or RCE on a target system if an attacker “sends certain commands to a specific port without authentication” (https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01). In addition to the 9.8 severity score, a few other parts of this CVE present immediate red flags.

One way to attain both security and convenience is to use a password vault. The BeyondTrust Password Safe solution allows password and session management (through a variety of protocol/connectivity options) and the convenience and security of injected and rotated passwords. When a password is injected into a session, a) the technician (be they internal or a vendor) doesn’t have to know the password, and b) the credential that was used is rotated. Couple this with an audit log, and there you have it, convenience and security. The usefulness of this functionality extends across the entirety of an organization

With BeyondTrust Privileged Remote Access (PRA), a Jumpoint can be set up in remote networks where all that’s required is outbound connectivity from the Jumpoint to the internet. Anyone who’s authorized to connect to remote devices through that Jumpoint must authenticate (via LDAP, RADIUS, Kerberos or SAML), and have appropriate permissions to create protocol tunnels. These permissions also control what ports this traffic can be sent over. Shadowing of these sessions is possible in real-time, and there’s an audit log of the full session to review what occurred (both via text and video).

Modern environments require modern solutions

Here are three areas to modernize your IoT/SCADA environments and improve security:

1. Secure connectivity - Never open ports inbound to endpoints. Alternatively, if ports are open, ensure only a designated bastion host can connect with these devices. An example of this is a BeyondTrust Jumpoint. The Jumpoint (which can be installed on a Windows or Linux host) connects outbound, over port 443, to the BeyondTrust appliance (be it cloud or on-premises) using a TLS 1.3 encrypted tunnel. This type of secure connectivity represents a best practice as it does not leave open the device, nor does it allow leapfrogging from device to device within the network.

2. Identities - Local usernames/passwords and even static Active Directory accounts are no longer sufficient in today’s dynamic environment (if they ever were). BeyondTrust Password Safe allows organizations to define roles, assign access rights, greatly reduce standing privileges, and utilize credentials (both injection and check out/check in) in a way that maximizes security. Additionally, logs are generated when secure access connections occur and anytime a credential is used in the system. This ensures that, not only do you, as an organization, know what is happening, but also that these logs will make security audits much simpler.

3. Logging - Speaking of logging, the BeyondTrust PRA solution allows full video to be captured of remote sessions. This applies to both an organization’s internal sessions as well as those conducted by third parties (vendors, contractors, outsourcers, etc.). The video capture corresponds to a time stamped text log that shows all activity that occurs during the session. These logs can be standalone, or they can be integrated into systems like ServiceNow for a fuller picture of what happened during a change or incident ticket

Please reach out to sales@beyondtrust.com if you would like to chat about use cases or see a demo of anything discussed in this post.