ATMs, Medical and IoT Devices get affected by Supply Chain vulnerabilities


By MYBRANDBOOK


ATMs, Medical and IoT Devices get affected by Supply Chain vulnerabilities

Seven security vulnerabilities have been disclosed in PTC's Axeda software that could be weaponized to gain unauthorized access to medical and IoT devices.

 

Collectively called "Access:7," the weaknesses – three of which are rated Critical in severity – potentially affect more than 150 device models spanning over 100 different manufacturers, posing a significant supply chain risk.

 

Besides medical imaging and laboratory machines, vulnerable devices include everything from ATMs, vending machines, cash management systems, and label printers to barcode scanning systems, SCADA systems, asset monitoring and tracking solutions, IoT gateways, and industrial cutters.

 

Of the 100 impacted device vendors, 55% belong to the healthcare sector, followed by IoT (24%), IT (8%), financial services (5%), and manufacturing (4%) industries. No less than 54% of the customers with devices running Axeda have been identified in the healthcare sector.

 

The flaws, which affect all versions of the Axeda Agent prior to 6.9.3, were reported as part of a coordinated disclosure process that involved the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Health Information Sharing and Analysis Center (H-ISAC), and the Food and Drug Administration (FDA).

 

Listed below are the seven flaws discovered:

· CVE-2022-25246 – The use of hard-coded credentials in the AxedaDesktopServer.exe service that could enable remote takeover of a device

· CVE-2022-25247 – A flaw in ERemoteServer.exe that could be leveraged to send specially crafted commands to obtain Remote code execution (RCE) and full file system access

· CVE-2022-25251 – Missing authentication in the Axeda xGate.exe agent that could be used to modify the agent's configuration

· CVE-2022-25249 – A directory traversal flaw in the Axeda xGate.exe agent which could allow a remote unauthenticated attacker to obtain file system read access on the web server

· CVE-2022-25250 – A denial-of-service (DoS) flaw in the Axeda xGate.exe agent by injecting an undocumented command

· CVE-2022-25252 – A buffer overflow vulnerability in the Axeda xBase39.dll component that could result in a DoS

· CVE-2022-25248 – An information disclosure flaw in the ERemoteServer.exe service that exposes the live event text log to unauthenticated parties

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org