Access:7 - Supply Chain Flaws Impacting IoT and Medical Devices

Diving into details

• Three of the security flaws have been rated critical, with a score of at least 9.4. They could be abused for RCE on devices running an outdated Axeda agent version.
• While Axeda has been phased out to be replaced with ThingWorx, the former is still in use in several sectors on 2,000 unique devices.

Why this matters

• In the case of medical devices, even less critical vulnerabilities can have a substantial impact. 
• An attacker gaining read access by abusing CVE-2022-25249 could exfiltrate PHI or diagnostics and sell it on a profit.
• Exploiting CVE-2022-25250 could shut down the platform, rendering remote service impossible.  
• Exploiting CVE-2022-25246 could enable the attacker to leverage the VNC connection to modify medical information. Furthermore, they can leverage this to insert malicious code to gain persistence on the network.

Possible attack vectors 

• The facilities are accessible to the public, with various network sockets and connected devices with physical access. With inadequate segmentation, adversaries can access the internal operational network via a guest WiFi network. 
• The medical staff can be lured to give up initial access by phishing through easily obtainable email addresses.
• IT systems can have bugs that lead adversaries to operational networks. They can access the internal network in places with insufficient segmentation with a sharing system or internet portal.

The bottom line