A major flaw in the QNX real-time operating system could allow attackers to take control of a wide range of products, including cars and medical equipment. The number of affected devices is in the millions.
The flaw belongs to BadAlloc, a family of memory-allocation vulnerabilities first disclosed in April 2021 that could allow an attacker to remotely control or take over a wide range of devices, from mobile platforms to gaming consoles.
“A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Tuesday bulletin.
So far, there is no evidence that the vulnerability has been exploited in the wild.
BlackBerry QNX is a technology that is used in more than 195 million vehicles globally. It is used in various industries, such as aerospace and defense, medical equipment, robotics, and industrial controls.
BlackBerry explained that the issue is “an integer overflow vulnerability in the calloc() function of the C runtime library.” It affects its QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1.
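The defect class BlackBerry describes, an integer overflow in the size arithmetic of calloc(), is easiest to see in code. The following C program is an added illustration and is not QNX source or BlackBerry's fix: it models a calloc-style allocator whose nmemb * size multiplication silently wraps, next to the overflow check that a hardened allocator performs before allocating. The function names (unchecked_calloc_bytes, checked_calloc_bytes, toy_unchecked_calloc, toy_checked_calloc, request_would_overflow) and the sample request values are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the BadAlloc pattern (constructed example, not QNX code).
 * An allocator that computes nmemb * size in size_t arithmetic without a
 * range check: on overflow the product wraps modulo SIZE_MAX + 1, so a huge
 * request turns into a tiny allocation. Any caller that then writes
 * nmemb * size bytes into the buffer overflows the heap. */
size_t unchecked_calloc_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;            /* wraps on overflow; no error reported */
}

/* Hardened size computation: refuse the request if nmemb * size would not
 * fit in size_t. Dividing SIZE_MAX by nmemb avoids doing the overflowing
 * multiplication at all. Returns false on overflow, true with *out set. */
bool checked_calloc_bytes(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return false;               /* would wrap: reject instead of under-allocating */
    *out = nmemb * size;
    return true;
}

/* Toy vulnerable calloc: allocates whatever the wrapped product says. */
void *toy_unchecked_calloc(size_t nmemb, size_t size)
{
    size_t bytes = unchecked_calloc_bytes(nmemb, size);
    void *p = malloc(bytes);
    if (p)
        memset(p, 0, bytes);        /* zeroes only the (too small) wrapped size */
    return p;
}

/* Toy hardened calloc: returns NULL (ENOMEM-style) for any wrapping request. */
void *toy_checked_calloc(size_t nmemb, size_t size)
{
    size_t bytes;
    if (!checked_calloc_bytes(nmemb, size, &bytes))
        return NULL;
    void *p = malloc(bytes);
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Returns 1 if an unchecked allocator would under-allocate for this
 * (nmemb, size) pair, i.e. the product wraps; 0 otherwise. */
int request_would_overflow(size_t nmemb, size_t size)
{
    size_t bytes;
    return checked_calloc_bytes(nmemb, size, &bytes) ? 0 : 1;
}

int main(void)
{
    /* Constructed attacker-controlled request: (SIZE_MAX/2 + 2) elements of
     * 2 bytes each. Mathematically that is SIZE_MAX + 3 bytes; in size_t
     * arithmetic it wraps to 2, regardless of whether size_t is 32 or 64 bits. */
    size_t nmemb = SIZE_MAX / 2 + 2, size = 2;

    printf("unchecked product: %zu bytes\n", unchecked_calloc_bytes(nmemb, size));
    printf("request would overflow: %d\n", request_would_overflow(nmemb, size));

    void *bad = toy_unchecked_calloc(nmemb, size);
    printf("unchecked calloc returned %s (a 2-byte buffer for a huge request)\n",
           bad ? "a pointer" : "NULL");
    free(bad);

    void *good = toy_checked_calloc(nmemb, size);
    printf("checked calloc returned %s\n", good ? "a pointer" : "NULL");
    free(good);
    return 0;
}
```

The point of the check is that it is performed before any multiplication, so it works even though signed or unsigned overflow cannot be detected after the fact in portable C. Wherever an element count or element size is attacker-influenced (a length field in a network message, a count parsed from a file), the allocation path needs this check or an equivalent such as a compiler's overflow-checking builtins.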
Manufacturers that incorporate affected QNX-based systems in their IoT and OT devices are urged to apply the already available patches:
- QNX SDP 6.5.0 SP1 – Apply patch ID 4844 or update to QNX SDP 6.6.0 or later
- QNX OS for Safety 1.0 or 1.0.1 – Update to QNX OS for Safety 1.0.2, and
- QNX OS for Medical 1.0 or 1.1 – Apply patch ID 4846 to update to QNX OS for Medical 1.1.1
In order to prevent exploitation, BlackBerry said that only ports and protocols used by the application using the RTOS should be accessible. The company also advised following network segmentation, vulnerability scanning, and intrusion detection best practices to secure QNX devices.
In a separate report, Politico stated that BlackBerry did not want to publicly announce the BadAlloc vulnerability back in April when it was revealed. Instead of pushing out a public warning, the company planned to reach out to its customers privately.
“BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did,” the report said, adding “over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.”