BlackBerry has warned software developers and IoT product manufacturers using its QNX operating system that some versions of its development platform and OS have a vulnerability that has to be patched immediately.
QNX is a real-time embedded operating system used in a wide range of industrial systems including medical ventilators, medical robots, train controls, cars, and factory automation systems.
In an advisory issued Tuesday the company said an integer overflow vulnerability in the calloc() function of the C runtime library in QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier could potentially allow a successful attacker to perform a denial of service or execute arbitrary code.
It also said the vulnerability doesn’t impact current or recent versions of the QNX RTOS, but rather versions dating from 2012 and earlier.
“All potentially affected customers have been notified,” the company said in a statement. “BlackBerry has made software patches available to resolve the matter. Additionally, BlackBerry is providing 24/7 support to customers as required. At this time no customers have indicated that they have been impacted.”
The full list of affected QNX products is available here.
The company added it isn’t aware of any exploitation of this vulnerability.
The vulnerability, CVE-2021-22156, has been given a Common Vulnerability Score of 9.
Systems that don’t have external interfaces are not affected, nor are systems running newer versions of QNX SDP, QNX OS for Medical and QNX for Safety.
In order to exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation, BlackBerry says. To remotely exploit this vulnerability, an attacker would require network access and the devices would need to have a vulnerable service running and exposed.
This is the latest in a series of vulnerabilities, dubbed BadAlloc, that have been found in multiple real-time operating systems (RTOS) and supporting libraries from Amazon, ARM, Google, Texas Instruments and others. Microsoft outlined the problem in April.
According to Politico, BlackBerry has known about the problem for months and resisted pressure from U.S. cybersecurity officials to make a public announcement. The article says BlackBerry representatives told the U.S. Cybersecurity and Infrastructure Security Agency (CISA ) they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did.
When asked for comment BlackBerry referred IT World Canada to its Tuesday statement.
QNX Software Development Platform, now in version 7, includes the 64-bit Neutrino real-time operating system and the Momentics Tool Suite. It meets a number of ISO safety standards for auto and industrial products.
QNX OS for Safety is designed specifically for safety-critical embedded systems in medical devices, industrial controls, aerospace control systems, automotive systems, power generation, robotics and rail transportation.
QNX OS for Medical is for the medical market. BlackBerry says seven of the top eight medical device manufacturers use QNX in their devices including those for blood diagnostics, ultrasound imaging, infusion delivery, heart monitoring, resuscitation, and robotics for surgery.
