Background /What has happened?
- The ACSC is tracking a vulnerability in BlackBerry QNX RTOS on Australian networks.
An integer overflow vulnerability exists in BlackBerry’s QNX products (including standard, medical and safety-certified versions). This vulnerability could allow remote code execution or denial-of-service attacks. This is a high-risk vulnerability, affecting QNX SDP 6.5 SP1 and below (shipped in products manufactured between 1996 to 2012) and QNX for safety manufactured until 2018.
Whether exploitation is possible depends on the presence of an external connection, and whether compensating controls otherwise protect the device. Impact is implementation specific. The ACSC recommends users take defensive measures such as those detailed in the Protecting Industrial Control Systems publication to minimize the risk of exploitation.
BlackBerry has released a list of affected products. It is difficult to know what downstream products use QNX as original equipment manufacturers (OEM) build and deploy QNX downstream. Since OEMs can modify the code, patches may be specific to OEM products, rather than simply a generic QNX patch.
Mitigation / How do I stay secure?
- Australian organisations should review their networks for use of vulnerable instances of BlackBerry QNX RTOS and implement the following mitigation advice.
- Apply available vendor updates.
- Manufacturers of products that incorporate vulnerable versions should contact BlackBerry or their direct reseller to obtain the patch code.
- Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code but may need to develop and test their own software patches.
- End users should contact the manufacturer of their product to obtain a patch and apply the patch as soon as possible.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, apply the ACSC Industrial Control Systems Remote Access Protocol publication.
- Further advice for supply chain risk management can be found in the Cyber Supply Chain Risk Management Practitioner Guide publication.
Assistance/ where can I go for help?
The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.