A major vulnerability affecting older versions of BlackBerry's QNX Real-Time Operating System (RTOS) could allow malicious actors to cripple and gain control of a variety of products, including cars, medical, and industrial equipment.
The shortcoming (CVE-2021-22156, CVSS score: 9.0) is part of a broader collection of flaws, collectively dubbed BadAlloc, that was originally disclosed by Microsoft in April 2021, which could open a backdoor into many of these devices, allowing attackers to commandeer them or disrupt their operations.
"A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Tuesday bulletin. As of writing, there is no evidence of active exploitation of the vulnerability.
BlackBerry QNX technology is used worldwide by over 195 million vehicles and embedded systems across a wide range of industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.
BlackBerry, in an independent advisory, characterized the issue as "an integer overflow vulnerability in the calloc() function of the C runtime library" affecting its QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1. Manufacturers of IoT and OT devices that incorporate affected QNX-based systems are advised to apply the following patches -
- QNX SDP 6.5.0 SP1 - Apply patch ID 4844 or update to QNX SDP 6.6.0 or later
- QNX OS for Safety 1.0 or 1.0.1 - Update to QNX OS for Safety 1.0.2, and
- QNX OS for Medical 1.0 or 1.1 - Apply patch ID 4846 to update to QNX OS for Medical 1.1.1
"Ensure that only ports and protocols used by the application using the RTOS are accessible, blocking all others," BlackBerry suggested as mitigations. "Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices."
In a separate report, Politico revealed that BlackBerry resisted efforts to publicly announce the BadAlloc vulnerability in late April, citing people familiar with the matter, instead opting to privately contact its customers and warn them about the issue — an approach that could have put several device manufacturers at risk — only to backtrack after the company couldn't identify all of the vendors using its software.
"BlackBerry representatives told CISA earlier this year that they didn't believe BadAlloc had impacted their products, even though CISA had concluded that it did," the report said, adding "over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed."