CISA: BadAlloc Affects Critical Infrastructure Using BlackBerry QNX

CISA recently warned that the IoT and OT security flaws known as BadAlloc affect BlackBerry’s QNX Real-Time Operating System (RTOS), which is used by critical infrastructure organizations.

BadAlloc is a collection of 25 vulnerabilities caused by integer overflow or wraparound flaws in memory allocation functions. They were discovered by Microsoft researchers in standard C library (libc) implementations and embedded software development kits (SDKs).
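The flaw class behind BadAlloc, as an added example that is not code from the CISA alert, Microsoft, or BlackBerry’s QNX: a calloc-style size computation that wraps silently, beside the overflow check a patched allocator performs. The function names (`naive_request_size`, `checked_request_size`, `would_wrap`, `checked_calloc_like`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Defect pattern: a calloc-like routine computes count * size in size_t
 * arithmetic with no overflow test. When the product exceeds SIZE_MAX it
 * wraps to a small value, so the allocator returns a buffer far smaller
 * than the caller believes it has, and later writes run past its end. */
size_t naive_request_size(size_t count, size_t size) {
    return count * size;   /* wraps silently on overflow */
}

/* Hardened form: reject any request whose product would not fit in
 * size_t. Returns 0 and stores the product on success, -1 on overflow. */
int checked_request_size(size_t count, size_t size, size_t *out) {
    if (size != 0 && count > SIZE_MAX / size) {
        return -1;         /* would wrap: refuse instead of under-allocating */
    }
    *out = count * size;
    return 0;
}

/* Convenience predicate: 1 if the naive path would wrap for this pair,
 * 0 otherwise. This is exactly the condition BadAlloc-affected
 * allocators failed to test. */
int would_wrap(size_t count, size_t size) {
    size_t total;
    return checked_request_size(count, size, &total) != 0 ? 1 : 0;
}

/* Zeroing allocator built on the checked computation: returns NULL when
 * the arithmetic would wrap, which is the behaviour a fixed libc shows. */
void *checked_calloc_like(size_t count, size_t size) {
    size_t total;
    if (checked_request_size(count, size, &total) != 0) {
        return NULL;
    }
    void *p = malloc(total ? total : 1);   /* keep malloc(0) well defined */
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}
```

On 32-bit embedded targets SIZE_MAX is 2^32 - 1, so the wrap is reached with far smaller element counts than on a 64-bit host.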

Vulnerable IoT and OT devices directly affected by the BadAlloc flaws can be found on a wide range of consumer, medical, and industrial networks.

BlackBerry QNX in Critical Infrastructure Systems

BlackBerry QNX technology is used worldwide in over 195 million vehicles and embedded systems across a wide range of industries, including aerospace and defense, heavy machinery, rail, robotics, industrial controls, automotive, commercial vehicles, and medical.

Remote attackers could exploit devices running older versions of BlackBerry QNX products that are unpatched against BadAlloc to trigger denial-of-service conditions or run arbitrary code on vulnerable QNX-based systems.

“BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions,” CISA warned.

“CISA highly strengthens sensitive framework associations and various organizations developing, handling, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.”

The US Food and Drug Administration (FDA) also issued a separate warning today alerting patients, health care providers, and manufacturers to the increased risk these vulnerabilities pose to medical devices incorporating vulnerable BlackBerry QNX software.

At the moment, the FDA, CISA, and BlackBerry are not aware of any exploitation of this vulnerability in the wild.

What Are the Mitigation Instructions?


The warnings come after BlackBerry disclosed earlier today that BadAlloc (tracked as CVE-2021-22156) also affects the QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety. The company advises all affected QNX SDP, QNX OS for Safety, and QNX OS for Medical customers to update their QNX products as soon as possible using the following links (access to downloads requires a myQNX account):

  • QNX SDP 6.5.0 SP1: https://www.qnx.com/download/feature.html?programid=59649
  • QNX OS for Safety 1.0.2: https://www.qnx.com/download/group.html?programid=27165
  • QNX OS for Medical 1.1.1: https://www.qnx.com/download/group.html?programid=26463

If updating to a fixed release is not immediately possible, BlackBerry recommends mitigating the vulnerabilities by ensuring that only the ports and protocols used by RTOS applications are reachable and blocking all others.

Customers are also advised to avoid exposing network ports unnecessarily, to protect network devices with firewalls, and to segment them from business networks. CISA urged critical infrastructure organizations developing, handling, supporting, or using affected QNX-based systems to patch them as soon as possible.

The federal agency provides the following mitigation advice for potentially affected entities:

  • Manufacturers whose products incorporate vulnerable versions should contact BlackBerry to obtain the patch. Manufacturers who develop their own versions of the RTOS software should contact BlackBerry to obtain the patch code.
  • Note: in some cases, manufacturers may need to develop and test their own software patches.
  • End-users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If a patch is available, users should apply the patch as soon as possible. If a patch is not available, users should apply the manufacturer’s recommended mitigation measures until the patch can be applied.
