On Tuesday, BlackBerry released an advisory explaining that its QNX Real Time Operating System — which is used in medical devices, cars, factories and even the International Space Station — can be affected by BadAlloc, which is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. BlackBerry recently boasted that the QNX Real Time Operating System is used in 200 million cars.
CISA added that IoT devices, operational technology and some industrial control systems have incorporated QNX Real Time Operating System, making it urgent for measures to be taken to protect systems. BlackBerry released a full list of the affected products.
“A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions,” CISA’s alert said.
“At this time, CISA is not aware of active exploitation of this vulnerability. CISA strongly encourages critical infrastructure organizations and other organization developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible.”
The alert goes on to explain that the vulnerability involves an “integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products.”
For threat actors to take advantage of the vulnerability, they need to already have “control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation.”
Network access would allow an attacker to remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet, CISA added.
The vulnerability affects every BlackBerry program with a dependency on the C runtime library.
CISA warned that since many of the devices affected by the vulnerability are “safety-critical,” the potential for exploitation could risk giving cyberattackers control of systems that manage infrastructure or other critical platforms.
“CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible,” the alert said.
“Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch. Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code,” CISA explained, adding that some organizations may have to create their own software patches.
Some software updates for RTOS require removing devices or taking them to an off-site location for physical replacement of integrated memory, according to CISA.
BlackBerry said in its own release that they had not yet seen the vulnerability used. The company suggested users of the product ensure that “only ports and protocols used by the application using the RTOS are accessible, blocking all others.”
“Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices,” BlackBerry’s notice said.
There are no workarounds for the vulnerability, according to BlackBerry, but they noted that users can reduce the possibility of an attack “by enabling the capability for ASLR to randomize process segment addresses.”
The notice includes a number of updates BlackBerry has released to address the vulnerability. Microsoft said in April that BadAlloc covers more than 25 CVEs and potentially affects a wide range of domains, from consumer and medical IoT to Industrial IoT.
BlackBerry allegedly denied that the vulnerability affected their products and resisted government attempts to release public notices about the problem. BlackBerry didn’t even know how many organizations were using the QNX Real Time Operating System when asked by government officials, forcing them to go along with government efforts to publicize the vulnerability.
CISA officials coordinated with affected industries and even the Defense Department on the security notice about the QNX system, according to Politico, which noted that CISA will also brief foreign officials on the vulnerability as well.
BlackBerry said in June that the QNX royalty revenue backlog has increased to $490 million at the end of its first quarter of fiscal year 2022. The company boasted that it is used in millions of cars made by Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota and Volkswagen.