A significant vulnerability affecting older versions of BlackBerry's QNX Real-Time Operating System (RTOS) could allow malicious actors to cripple and gain control of a wide range of products, including cars, medical devices, and industrial equipment.
The flaw (CVE-2021-22156, CVSS score: 9.0) is part of a broader collection of bugs, collectively dubbed BadAlloc, that was originally disclosed by Microsoft in April 2021 and that could open a backdoor into many of these devices, allowing attackers to commandeer them or disrupt their operations.
"A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Tuesday bulletin. As of writing, there is no evidence of active exploitation of the vulnerability.
BlackBerry QNX technology is used worldwide in over 195 million vehicles and embedded systems across a range of industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.
BlackBerry, in an independent advisory, characterized the issue as "an integer overflow vulnerability in the calloc() function of the C runtime library" affecting its QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1. Manufacturers of IoT and OT devices that incorporate affected QNX-based systems are advised to apply the following patches:
- QNX SDP 6.5.0 SP1: apply patch ID 4844 or update to QNX SDP 6.6.0 or later
- QNX OS for Safety 1.0 or 1.0.1: update to QNX OS for Safety 1.0.2
- QNX OS for Medical 1.0 or 1.1: apply patch ID 4846 to update to QNX OS for Medical 1.1.1
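The BadAlloc class of bugs, of which the calloc() issue above is one instance, comes down to an element count multiplied by an element size in a fixed-width integer, with the product wrapping silently so that a huge request becomes a tiny allocation that the caller then treats as huge. The following C program is an added illustration of that failure mode and of the standard check that prevents it; it is not BlackBerry's or QNX's code, and the function names (`naive_alloc_size`, `checked_alloc_size`, `safe_calloc`) and the constructed request size are the author's own.

```c
#include <stdint.h>   /* SIZE_MAX */
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* memset */
#include <stdio.h>

/* Naive size computation of the kind behind the BadAlloc bug class:
 * nmemb * size is evaluated in size_t and wraps on overflow, so a
 * request for billions of bytes can become a request for a few bytes.
 * Illustrative only; this is not the QNX implementation. */
size_t naive_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Overflow-checked multiplication: returns 1 and stores the product in
 * *out when nmemb * size fits in size_t, returns 0 otherwise. */
int checked_alloc_size(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;               /* product would wrap; refuse */
    *out = nmemb * size;
    return 1;
}

/* Convenience predicate for callers that only need a yes/no answer. */
int request_fits(size_t nmemb, size_t size)
{
    size_t unused;
    return checked_alloc_size(nmemb, size, &unused);
}

/* A calloc-style allocator that refuses wrapped requests. Zero-byte
 * requests also return NULL here to keep the example simple. */
void *safe_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (!checked_alloc_size(nmemb, size, &total) || total == 0)
        return NULL;
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);    /* calloc semantics: zero-filled memory */
    return p;
}

/* Allocates with safe_calloc, verifies every byte is zero, frees the
 * block, and returns 1 on success, 0 if the request was refused or the
 * memory was not zeroed. */
int safe_calloc_is_zeroed(size_t nmemb, size_t size)
{
    unsigned char *p = safe_calloc(nmemb, size);
    if (p == NULL)
        return 0;
    size_t total = nmemb * size;   /* cannot wrap: safe_calloc checked it */
    int ok = 1;
    for (size_t i = 0; i < total; i++) {
        if (p[i] != 0) { ok = 0; break; }
    }
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed request: (SIZE_MAX/4 + 1) * 4 is a power of two that
     * wraps to exactly 0 in size_t on both 32- and 64-bit targets. */
    size_t nmemb = SIZE_MAX / 4 + 1;
    printf("naive size for %zu x 4 bytes: %zu (wrapped)\n",
           nmemb, naive_alloc_size(nmemb, 4));
    printf("checked request fits: %d\n", request_fits(nmemb, 4));
    printf("safe_calloc refused: %s\n",
           safe_calloc(nmemb, 4) == NULL ? "yes" : "no");
    printf("normal 100 x 8 request zeroed: %d\n", safe_calloc_is_zeroed(100, 8));
    return 0;
}
```

The division-based check is portable C; on compilers that support it, `__builtin_mul_overflow` does the same job in one call. The point for reviewers of allocator or runtime code is that the check must sit inside the allocation routine itself, because callers across an RTOS cannot be trusted to pre-validate every count-times-size product they pass in.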
"Ensure that only ports and protocols used by the application using the RTOS are accessible, blocking all others," BlackBerry advised as mitigation. "Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices."
In a separate report, Politico revealed that BlackBerry resisted efforts to publicly announce the BadAlloc vulnerability in late April, citing people familiar with the matter, and instead planned to privately contact its customers and warn them about the issue. That approach could have put a number of device manufacturers at risk, as the company could not identify all of the vendors using its software.
"BlackBerry representatives told CISA earlier this year that they did not believe BadAlloc had impacted their products, even though CISA had concluded that it did," the report said, adding that "over the past few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed."