BlackBerry QNX RTOS BadAlloc Vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of a vulnerability affecting BlackBerry’s QNX Real Time Operating System (RTOS). The issue is due to an integer overflow in the C Runtime Library and is one of the vulnerabilities in a group of flaws known as BadAlloc.
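The BadAlloc class of bug is an allocation-size computation that wraps around, so the caller receives a buffer much smaller than it asked for. As an added example (not BlackBerry's or QNX's code; the wrapper names are hypothetical), a naive size computation is shown beside a hardened one that refuses any request whose byte count would exceed SIZE_MAX:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical naive wrapper (not QNX code): the byte count is computed with
 * plain multiplication, so nmemb * size silently wraps modulo SIZE_MAX + 1
 * and the caller is handed a buffer far smaller than it asked for. */
size_t naive_alloc_size(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Hardened size computation: returns 1 and stores the product in *out, or
 * returns 0 without touching *out when nmemb * size would exceed SIZE_MAX. */
int checked_alloc_size(size_t nmemb, size_t size, size_t *out) {
    if (nmemb != 0 && size > SIZE_MAX / nmemb) {
        return 0;
    }
    *out = nmemb * size;
    return 1;
}

/* Convenience for callers that only want the byte count, or 0 on overflow. */
size_t alloc_size_or_zero(size_t nmemb, size_t size) {
    size_t bytes = 0;
    return checked_alloc_size(nmemb, size, &bytes) ? bytes : 0;
}

/* Allocation built on the check: an overflowing request is refused (NULL)
 * instead of being served with an undersized block. A zero-byte request is
 * passed through to malloc, whose result for size 0 is implementation-defined. */
void *checked_calloc(size_t nmemb, size_t size) {
    size_t bytes;
    if (!checked_alloc_size(nmemb, size, &bytes)) {
        return NULL;
    }
    void *p = malloc(bytes);
    if (p != NULL) {
        memset(p, 0, bytes);
    }
    return p;
}

/* Constructed request that overflows on any pointer width: SIZE_MAX/2 + 2
 * elements of 2 bytes each; the true product is SIZE_MAX + 3, which the
 * naive wrapper reports as just 2 bytes. */
size_t overflowing_nmemb(void) { return SIZE_MAX / 2 + 2; }
```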
Assessing the impact of this vulnerability is very difficult. BlackBerry QNX is used in a wide range of devices: medical, industrial, automotive and more. The vulnerability is only exploitable if it is exposed by software running on a BlackBerry QNX device, and that software is likely not part of BlackBerry QNX itself but written for a particular device. First get a handle on which devices in your environment actually run BlackBerry QNX, and whether you use it in any of your own products. The safe option is to patch regardless of exposure. Finally, devices like this should always be segregated as much as possible.
The wide variety of embedded systems running QNX means updates will not all become available at one specific point in time. Make sure only authorized connections are allowed, apply the updates when they are available, and monitor for malfeasance or other signs of tampering.
Read more in:
The Register: BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw (April 29, 2021)
Health IT Security: CISA Says BlackBerry Vulnerability to Impact Medical Device Security