CISA Gives an Alert About Blackberry’s QNX Vulnerability Impacting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory concerning a vulnerability in BlackBerry’s QNX Real-Time Operating System (RTOS), which is widely used by critical infrastructure companies and affects a range of consumer, healthcare, and manufacturing systems.

The vulnerability is one of the 25 vulnerabilities collectively called BadAlloc, which affect many IoT and OT systems. They are integer overflow or wraparound flaws in the memory allocation functions used in embedded software development kits (SDKs), real-time operating systems (RTOS), and C standard library (libc) implementations.

On August 17, 2021, BlackBerry reported that CVE-2021-22156, one of the BadAlloc vulnerabilities, affects its QNX products. A remote attacker could exploit the vulnerability to cause a denial of service or possibly achieve remote code execution; the latter could allow an attacker to take control of highly sensitive systems.

The vulnerability lies in the C runtime library’s calloc() function in several BlackBerry QNX products. According to CISA, an attacker could exploit it if they control the arguments passed to a calloc() call and can control how the memory is used after the allocation. An attacker with network access can exploit it remotely when the vulnerable product is running and the affected device is reachable from the Internet.
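To make the defect class concrete, here is an added illustration (not BlackBerry’s or QNX’s code, and not taken from the advisory) of how an unchecked nmemb * size product in a calloc()-style allocator wraps around, alongside the overflow check that prevents it. The function names naive_alloc_size, checked_alloc_size, request_overflows, checked_calloc, and zeroed_allocation_ok are hypothetical, and the oversized request used in main() is a constructed sample value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked size computation: on overflow the product silently wraps,
   so a huge request can turn into a tiny allocation. This illustrates the
   defect class BadAlloc describes; it is not BlackBerry's code. */
size_t naive_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Checked size computation: refuses any nmemb * size that does not fit
   in size_t. Returns 1 and stores the product in *out on success, 0 on
   overflow (a portable alternative to __builtin_mul_overflow). */
int checked_alloc_size(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Convenience predicate: 1 if the checked computation rejects the request. */
int request_overflows(size_t nmemb, size_t size)
{
    size_t total;
    return checked_alloc_size(nmemb, size, &total) == 0;
}

/* calloc-style wrapper built on the check: returns NULL with errno set to
   ENOMEM instead of handing back an undersized buffer. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (!checked_alloc_size(nmemb, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Allocates nmemb elements of the given size through the wrapper, verifies
   every byte is zero, frees the buffer, and returns 1 on success. */
int zeroed_allocation_ok(size_t nmemb, size_t size)
{
    unsigned char *p = checked_calloc(nmemb, size);
    if (p == NULL)
        return 0;
    size_t total = nmemb * size;   /* safe: checked_calloc already validated it */
    int ok = 1;
    for (size_t i = 0; i < total; i++) {
        if (p[i] != 0) { ok = 0; break; }
    }
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed request chosen so the product exceeds SIZE_MAX slightly:
       the naive product wraps to 2, the checked version rejects it. */
    size_t big = SIZE_MAX / 2 + 2;
    printf("naive size for %zu x 2 = %zu (wrapped)\n", big, naive_alloc_size(big, 2));
    printf("checked rejects it: %d\n", request_overflows(big, 2));
    printf("checked_calloc(4, 8) zeroed: %d\n", zeroed_allocation_ok(4, 8));
    return 0;
}
```

The division-based check works on both 32-bit and 64-bit targets without compiler builtins, which matters for the older embedded toolchains that ship with the QNX versions listed in the advisory. Treating an overflowing request as an allocation failure (NULL plus ENOMEM) is the behaviour callers already have to handle, so the fix adds no new error path to application code.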

The vulnerability affects all BlackBerry applications that depend on the C runtime library, including medical devices that integrate BlackBerry QNX software.

CISA strongly urges all critical infrastructure organizations and other businesses that develop, maintain, support, or use the affected QNX-based systems to apply the patch immediately to prevent exploitation of the vulnerability. CISA notes that installing software updates for an RTOS may often require taking the device to a support or off-site location to physically replace integrated memory.

The following products and versions of BlackBerry’s QNX Real-Time Operating System (RTOS) are vulnerable:

  • QNX SDP, versions 6.5.0SP1, 6.5.0, 6.4.1, 6.4.0
  • QNX Momentics, versions 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0
  • QNX Momentics Development Suite, version 6.3.2
  • QNX Realtime Platform, versions 6.1.0a, 6.1.0, 6.0.0a, 6.0.0
  • QNX Development Kit (Self-hosted), versions 6.0.0, 6.1.0
  • QNX Cross Development Kit, versions 6.0.0, 6.1.0
  • QNX Neutrino RTOS Safe Kernel, version 1.0
  • QNX Neutrino RTOS for Medical Devices, versions 1.0, 1.1
  • QNX Neutrino RTOS Certified Plus, version 1.0
  • QNX CAR Development Platform, version 2.0RR
  • QNX OS for Automotive Safety, version 1.0
  • QNX OS for Safety, versions 1.0, 1.0.1
  • QNX Neutrino Secure Kernel, versions 6.4.0, 6.5.0

CISA recommends the following mitigations:

  • Manufacturers of products that integrate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers that build custom RTOS software versions should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may have to develop and test the software patches themselves.
  • End users of safety-critical systems should contact their product’s manufacturer to obtain a patch. If no patch is available, users should apply the manufacturer’s recommended mitigations until one is released.
  • If the patch cannot be applied or is not yet available, CISA recommends ensuring that only the ports and protocols used by RTOS applications are reachable and that all others are blocked.