Blackberry operating system vulnerability affects millions of cars and medical devices

Published 8/25/21 9:00AM

An integer overflow vulnerability dubbed ‘BadAlloc’ (CVE-2021-22156) affecting older versions of Blackberry’s QNX Real-Time Operating System (RTOS) and supporting libraries could cause denial-of-service attacks or the execution of arbitrary code on affected devices. The Blackberry QNX system is used in an extremely large variety of devices, including medical, automotive, commercial vehicles, heavy machinery, rail, industrial controls, aerospace and defense, and robotics. Compromised devices could enable a threat actor to gain access to highly sensitive systems, including those associated with United States infrastructure. 

To exploit the vulnerability, threat actors would need to control the parameters to a “calloc( )” function call, and the ability to control any memory accessed after the allocation. Should an attacker have network access, they could remotely exploit the vulnerability if the vulnerability were active and exposed on the internet.

The Cybersecurity and Infrastructure Security Agency (CISA) is advising the following critical infrastructure organizations review the appropriate security advisories and take action accordingly:

• U.S. Coast Guard 
• U.S. Nuclear Regulatory Commission 
• JointWater ISAC

Next Steps

While security professionals are not currently aware of any active exploitation associated with this vulnerability, users of the Blackberry QNX RTOS are advised to immediately patch affected products.

• Product manufacturers that use vulnerable versions of the Blackberry QNX RTOS as well as manufacturers that develop unique versions of the RTOS software should contact Blackberry to obtain the patch code.
• End users of safety-critical systems should contact the manufacturer of their system to obtain a patch and apply the patch immediately. If a patch is not available, users are urged to apply the manufacturer’s recommended mitigation steps until the patch can be installed.