March 18, 2022
The US Food and Drug Administration (FDA) has issued a cybersecurity alert to medical device manufacturers regarding vulnerabilities that have been identified in the Axeda agent and Axeda Desktop Server. The FDA alert noted that all versions of Axeda agent and Axeda Desktop Server are affected. The agent and desktop server are owned and supported by computer software company PTC and are used in a number of medical devices across several medical device manufacturers.
The Axeda agent and Axeda Desktop Server are web-based technologies that allow one or more people to view the same remote desktop via the internet. Exploitation of these vulnerabilities could allow an unauthorized intruder to take full control of the host operating system, resulting in full system access, remote code execution, the ability to read or change configuration, file system read access, access to log information, and a denial-of-service condition. These vulnerabilities could cause changes to the operation of the medical device and affect the availability of remote support functions.
The Cybersecurity and Infrastructure Security Agency (CISA) published an advisory, ICSA-22-067-01, on these vulnerabilities on March 15, 2022.
PTC recommends steps to mitigate vulnerabilities in Axeda agent/Axeda Desktop Server
The FDA published guidance from Axeda software developer PTC that includes steps to mitigate the software threats identified.
PTC recommends affected manufacturers take the following mitigation steps:
- Upgrade to agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
- Configure Axeda agent and Axeda Desktop Server to only listen on the local host interface 127.0.0.1.
- Provide a unique password in the AxedaDesktop.ini file for each unit.
- Never use ERemoteServer in production.
- Make sure to delete the ERemoteServer file from the host device.
- Remove the installation file.
- When running in Windows or Linux, only allow connections to ERemoteServer from trusted hosts and block all others.
- When running the Windows operating system, configure Localhost communications (127.0.0.1) between ERemoteServer and Axeda Builder.
- Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.
In addition, PTC recommends that affected medical device manufacturers upgrade the Axeda Desktop Server to Version 6.9 build 215. PTC also notes that the Axeda agent loopback-only configuration is only available in Version 6.9.1 and above. Consequently, PTC states, upgrading to Axeda agent 6.9.1 or above is required. Medical device manufacturers who have additional questions should reach out to PTC.
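Several of the steps above come down to one verifiable property: the Axeda components must accept connections only on the loopback interface. The following script, added here as an illustration and not code from the FDA, PTC or the advisory, audits a Linux host for that property by parsing `ss -Hltnp`-style listener output and flagging any watched process that is bound to a non-loopback or wildcard address. The process names, PIDs and port numbers in the embedded sample are constructed placeholders, not Axeda's real values; on a live host you would feed it the actual `ss` output and the real process names.

```python
"""Audit TCP listeners for a loopback-only (127.0.0.1 / ::1) configuration.

Added example, not from the FDA/PTC advisory. Parses the output format of
`ss -Hltnp` on Linux; the sample below is constructed, and the process names
and ports are placeholders rather than Axeda's real values.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample of `ss -Hltnp` output (no header line, TCP listeners only).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:* users:(("agent-placeholder",pid=1201,fd=7))
LISTEN 0 128 0.0.0.0:9001 0.0.0.0:* users:(("desktopserver-placeholder",pid=1310,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=900,fd=3))
LISTEN 0 128 [::1]:9002 [::]:* users:(("agent-placeholder",pid=1201,fd=9))
"""

# Local address column: either "[v6addr]:port" or "v4addr:port" (or "*:port").
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")
# First process name inside the users:(("name",pid=...,fd=...)) field.
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Listener:
    process: str
    address: str
    port: int

    @property
    def loopback_only(self) -> bool:
        """True only when bound to a loopback address; wildcards and
        unparsable addresses are treated as exposed."""
        if self.address == "*":
            return False
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            return False


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -Hltnp` lines into Listener records; skips lines it cannot parse."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        match = _LOCAL_RE.match(fields[3])
        if not match:
            continue
        address = match.group("v6") or match.group("v4")
        proc_match = _PROC_RE.search(line)
        process = proc_match.group("name") if proc_match else "?"
        listeners.append(Listener(process, address, int(match.group("port"))))
    return listeners


def find_exposed(output: str, watched: Iterable[str]) -> List[Listener]:
    """Return listeners of the watched processes that are reachable from off-host."""
    watched_set: Set[str] = set(watched)
    return [
        listener
        for listener in parse_ss(output)
        if listener.process in watched_set and not listener.loopback_only
    ]


if __name__ == "__main__":
    # Placeholder process names; substitute the real agent/desktop server names.
    exposed = find_exposed(SAMPLE_SS_OUTPUT, {"agent-placeholder", "desktopserver-placeholder"})
    for item in exposed:
        print(f"NOT loopback-only: {item.process} listening on {item.address}:{item.port}")
    if not exposed:
        print("All watched processes are bound to loopback addresses only.")
```

On a real host, replace the embedded sample with the output of `ss -Hltnp` (run as root so process names are populated) and the placeholder names with the actual process names; a non-empty result means the loopback-only step has not taken effect, which, as noted above, also requires agent Version 6.9.1 or later.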