Updated: 23 March 2022
Products Covered: Spacelabs Patient Monitoring Products

Security Advisory

Axeda “Access:7” Vulnerability Assessment and Potential Product Impact Statement

  1. Vulnerability Overview

Spacelabs Healthcare has been made aware of recently published security vulnerabilities within Axeda support software collectively known as “Access:7”. Exploitation of these vulnerabilities could result in full system access, remote code execution, read/change configuration, file system read access, log information access, or a denial-of-service condition for affected products using Axeda agent or Axeda Desktop Server.

The Axeda agent and Axeda Desktop Server are remote access solutions that allow one or more people to securely view and operate the same remote desktop, typically through the Internet. The Axeda agent and Desktop Server are developed and supported by the computer software company, PTC.

  2. Risk Assessment Summary

Successful exploitation of these vulnerabilities could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition. Depending on how the Axeda software is used in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality.

Spacelabs is investigating the Patient Monitoring and Connectivity (PMC) products Xhibit and ICS.

As Spacelabs continues to gain a deeper understanding of the impact of these vulnerabilities, we will continue to publish technical information to help customers detect, investigate, and mitigate the vulnerabilities across all our products where applicable.

  3. Recommendations

Spacelabs is reviewing the PTC recommendations.

  4. Examination of Spacelabs products

 4.1 Assessment of Spacelabs Products

In response to the publication of these vulnerabilities, Spacelabs has conducted an assessment to identify devices potentially at risk from this set of vulnerabilities. Please note that this information is subject to change as the situation evolves.

Patient Monitoring and Connectivity (PMC) Products

| Product | Host Operating System | Impact Assessment |
|---|---|---|
| XprezzNet 96190 | Windows Server 2008; Windows Server 2012 R2; Windows Server 2016 | Not impacted. |
| Intesys Clinical Suite (ICS) | Windows Server 2012 R2; Windows Server 2016; Windows Server 2019 | Under investigation. |
| Intesys Clinical Suite (ICS) Clinical Access Workstations | Windows 8.1; Windows 10 | Not impacted. |
| Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1; Windows 10 IoT Enterprise Version 1809 | Not impacted. |
| Xhibit 96102 / XC4 96501 | Windows Embedded Standard 7 SP1; Windows 10 IoT Enterprise Version 1809 | Under investigation. |
| Bedside Monitors: Xprezzon 91393; Qube 91390; Qube Mini 91389; Ultraview SL 91367, 91369, 91370, and 91387 | VxWorks 6.6 | Not impacted. |
| DM3, DM4 monitors | Windows CE | Not impacted. |

Diagnostic Cardiology (DC) Products

| Product | Host Operating System | Impact Assessment |
|---|---|---|
| Sentinel | Windows 7; Windows 10; Windows Server 2012 R2; Windows Server 2016; Windows Server 2019 | Not impacted. |
| Pathfinder SL | Windows 7; Windows 10 | Not impacted. |
| Lifescreen Pro | Windows 10 | Not impacted. |
| Lifecard CF | No OS | Not impacted. |
| EVO | No OS | Not impacted. |
| Eclipse Pro | No OS | Not impacted. |
| CardioExpress SL6A / SL12A | Embedded OS (uC/OS II V2.84) | Not impacted. |
| CardioExpress SL18A | Embedded OS (Linux Kernel 2.6.35.3) | Not impacted. |
| ABP: OnTrak; 90217A; 90207 | No OS | Not impacted. |

Safe-N-Sound (SNS)

| Product | Host Operating System | Impact Assessment |
|---|---|---|
| Spacelabs Cloud | Varies | Not impacted. |
| SafeNSound | Not applicable | Not impacted. |

  5. Additional Resources

| # | Resource | URL |
|---|---|---|
| 1 | PTC Article CS363561. Security vulnerabilities identified in the Axeda agent and Axeda Desktop Server | https://www.ptc.com/en/support/article/CS363561 |
| 2 | CISA ICS Advisory on “Access:7” Vulnerabilities | https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01 |
| 3 | FDA Cybersecurity Alert on PTC Axeda Agent and Axeda Server | https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity |

Terms of Use

The information presented above is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.

Related Resources:

  • CVE-2022-25249
  • CVE-2022-25250
  • CVE-2022-25251
  • CVE-2022-25246
  • CVE-2022-25248
  • CVE-2022-25247
  • CVE-2022-25252