2021-08-19
BlackBerry QNX RTOS BadAlloc Vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of a vulnerability affecting BlackBerry’s QNX Real Time Operating System (RTOS). The flaw is an integer overflow in the C Runtime Library and belongs to the group of vulnerabilities known as BadAlloc.
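As an added illustration (not code from CISA, BlackBerry or the QNX runtime), this is the bug class the alert describes: an allocation-size multiplication that wraps silently, beside a checked version that refuses the request. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; this is not QNX or CISA code. */

/* The BadAlloc pattern: element count and element size are multiplied
 * without checking for wrap-around, so a huge request can silently become
 * a tiny (even zero-byte) allocation that later code overruns. */
size_t unchecked_alloc_size(size_t nmemb, size_t size) {
    return nmemb * size;            /* wraps modulo SIZE_MAX + 1 */
}

/* Hardened form: returns 1 and stores the product in *out only when
 * nmemb * size fits in size_t; returns 0 and leaves *out untouched otherwise. */
int checked_alloc_size(size_t nmemb, size_t size, size_t *out) {
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;                   /* product would wrap: refuse the request */
    *out = nmemb * size;
    return 1;
}

/* calloc-style wrapper built on the checked computation. Returns NULL
 * instead of an undersized block when the size would wrap. */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (!checked_alloc_size(nmemb, size, &total))
        return NULL;
    void *p = malloc(total ? total : 1);   /* avoid malloc(0) ambiguity */
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void) {
    /* Constructed request: (SIZE_MAX/2 + 1) elements of 2 bytes wraps to 0. */
    size_t nmemb = SIZE_MAX / 2 + 1;
    size_t total;
    printf("unchecked size: %zu bytes\n", unchecked_alloc_size(nmemb, 2));
    printf("checked: %s\n", checked_alloc_size(nmemb, 2, &total) ? "ok" : "refused");
    void *p = safe_calloc(nmemb, 2);
    printf("safe_calloc returned %s\n", p == NULL ? "NULL" : "a block");
    free(p);
    return 0;
}
```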
Editor's Note
Assessing the impact of this vulnerability is very difficult. BlackBerry QNX is used in various devices: medical, industrial, automotive and more. The vulnerability is only exploitable if it is exposed via software running on a BlackBerry QNX device. This software is likely not part of BlackBerry QNX but created for a particular device. First try to get a handle on which devices actually use BlackBerry QNX in your environment, or if you use it in any products. The safe option is to patch regardless of exposure. Finally, any devices like this should always be segregated as much as possible.

Johannes Ullrich
The wide variety of embedded systems with QNX means updates are not going to be available at a specific point in time. Make sure only authorized connections are allowed, and apply the updates when available. Monitor for malfeasance or other signs of tampering.

Lee Neely
Read more in
CISA: BadAlloc Vulnerability Affecting BlackBerry QNX RTOS
The Register: After reportedly dragging its feet, BlackBerry admits, yes, QNX in cars, equipment suffers from BadAlloc bug
The Register: BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw (April 29, 2021)
SC Magazine: ‘BadAlloc’ flaws in Blackberry QNX RTOS impacts health care, critical infrastructure
ZDNet: CISA releases alert on BadAlloc vulnerability in BlackBerry products
Health IT Security: CISA Says BlackBerry Vulnerability to Impact Medical Device Security