CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure
The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert warning about a vulnerability affecting Blackberry’s QNX Real Time Operating System (RTOS), which is extensively used by critical infrastructure organizations and affects multiple consumer, medical, and industrial networks.
The vulnerability is one of 25 that are collectively known as BadAlloc, which affect multiple IoT and OT systems. The flaws are memory allocation integer overflow or wraparound issues in memory allocation functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations.
On August 17, 2021, Blackberry announced that its QNX products were affected by one of the BadAlloc vulnerabilities – CVE-2021-22156. The flaw could be exploited by a remote attacker to cause a denial-of-service condition, or even achieve remote code execution, with the latter potentially allowing an attacker to take control of highly sensitive systems.
The flaw affects the calloc() function in the C runtime library of multiple BlackBerry QNX products. “To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation,” explained CISA. “An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.”
The flaw affects all BlackBerry programs with dependency on the C runtime library, including medical devices that incorporate BlackBerry QNX software.
CISA is strongly encouraging all critical infrastructure organizations and other organizations that develop, maintain, support, or use the affected QNX-based systems to apply the patch as soon as possible to prevent exploitation of the flaw. CISA warns that the “installation of software updates for RTOS frequently may require taking the device out of service or to an off-site location for physical replacement of integrated memory.”
Vulnerable products and versions are:
|QNX SDP||6.5.0SP1, 6.5.0, 6.4.1, 6.4.0|
|QNX Momentics Development Suite||6.3.2|
|QNX Momentics||6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0|
|QNX Realtime Platform||6.1.0a, 6.1.0, 6.0.0a, 6.0.0|
|QNX Cross Development Kit||6.0.0, 6.1.0|
|QNX Development Kit (Self-hosted)||6.0.0, 6.1.0|
|QNX Neutrino RTOS Safe Kernel||1.0|
|QNX Neutrino RTOS Certified Plus||1.0|
|QNX Neutrino RTOS for Medical Devices||1.0, 1.1|
|QNX OS for Automotive Safety||1.0|
|QNX OS for Safety||1.0, 1.0.1|
|QNX Neutrino Secure Kernel||6.4.0, 6.5.0|
|QNX CAR Development Platform||2.0RR|
- Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
- Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test their own software patches.
- End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied.
If it is not possible to apply the patch, or if a fix has not yet been released, CISA recommends ensuring only ports and protocols used by RTOS apps are accessible and all others are blocked.