On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System is affected by a BadAlloc vulnerability - CVE-2021-22156. QNX is the world’s most prevalent real time operating system. BadAlloc is a collection of vulnerabilities affecting multiple RTOS and supporting libraries used in a wide range of industries using Internet of Things (IoT), medical devices, and operational technology (OT)/industrial control systems (ICS) devices.
The ACSC suggest users identify where the BlackBerry QNX real time operating system is used in their systems. Individual work areas may need to be asked where they have safety critical systems, or where a real-time operating system would need to be deployed. When such systems are identified, they should be investigated to see if they are running QNX and the risk assessed. Some devices might have an ‘about page’ or software ‘information pages’ that detail the underlying real time operating system. Other devices might require reviewing the product specification sheet or a discussion with the vendor.
Whether exploitation is possible depends on the presence of an external connection, and whether compensating controls otherwise protect the device. Impact is implementation specific. The ACSC recommends users take defensive measures such as those detailed in the Protecting Industrial Control Systems publication to minimize the risk of exploitation. Specifically, users should:
- Apply available vendor updates.
- Manufacturers of products that incorporate vulnerable versions should contact BlackBerry or their direct reseller to obtain the patch code.
- Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code but may need to develop and test their own software patches.
- End users should contact the manufacturer of their product to obtain a patch and apply the patch as soon as possible.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, apply the ACSC Industrial Control Systems Remote Access Protocol publication.
- Further advice for supply chain risk management can be found in the Cyber Supply Chain Risk Management Practitioner Guide publication.
An integer overflow vulnerability exists in BlackBerry’s QNX products (including standard, medical and safety-certified versions). This vulnerability could allow remote code execution or denial-of-service attacks. This is a high-risk vulnerability, affecting QNX SDP 6.5 SP1 and below (shipped in products manufactured between 1996 to 2012) and QNX for safety manufactured until 2018.
- Exploitability and impact is product dependent.
- Blackberry has been in contact with key manufactures to help with mitigations.
- BlackBerry has released an affected products list and has developed a tool to help manufactures identify affected products.
- It is difficult to know what downstream products use QNX as original equipment manufacturers (OEM) build and deploy QNX downstream.
- Since OEMs can modify the code, patches may be specific to OEM products, rather than simply a generic QNX patch.
There are no known exploitation of these vulnerabilities at this time.