BlackBerry has disclosed that its QNX Real Time Operating System is affected by a BadAlloc vulnerability - CVE-2021-22156. QNX is the world’s most prevalent real time operating system.
Background / What has happened?
An integer overflow vulnerability exists in BlackBerry's QNX products (including standard, medical and safety-certified versions). This vulnerability could allow remote code execution or denial-of-service attacks. This is a high-risk vulnerability, affecting QNX SDP 6.5 SP1 and below (shipped in products manufactured between 1996 and 2012) and QNX for safety manufactured until 2018.
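As an added illustration of the integer-overflow-in-allocation pattern that the BadAlloc class describes (example code written for this advisory, not QNX's or BlackBerry's code; the 32-bit size model and the `alloc_array` wrapper are constructed), the unchecked size computation is shown next to the checked form a defender would expect:

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdlib.h>
#include <stdio.h>

/* Model a 32-bit size_t, as found on many embedded targets, so the wrap is
 * reproducible on a 64-bit host. Constructed illustration, not QNX code. */
typedef uint32_t sz32;

/* Unchecked pattern: the byte count silently wraps, so the allocator hands
 * back a small block while the caller believes it holds `count` elements. */
sz32 unchecked_bytes(sz32 count, sz32 elem_size) {
    return count * elem_size;      /* 0x10000001 * 16 wraps to 0x10 */
}

/* Checked pattern: reject any count/size pair whose product cannot fit. */
int checked_bytes(sz32 count, sz32 elem_size, sz32 *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;                  /* would overflow: refuse the request */
    *out = count * elem_size;
    return 1;
}

/* Allocation wrapper to use instead of `malloc(count * size)`: returns NULL
 * on overflow, so the failure is visible instead of an undersized buffer. */
void *alloc_array(sz32 count, sz32 elem_size) {
    sz32 bytes;
    if (!checked_bytes(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void) {
    sz32 count = 0x10000001u, elem = 16u, bytes;
    printf("unchecked: %" PRIu32 " elements of %" PRIu32
           " bytes -> %" PRIu32 " bytes allocated\n",
           count, elem, unchecked_bytes(count, elem));
    printf("checked:   request %s\n",
           checked_bytes(count, elem, &bytes) ? "accepted" : "rejected");
    void *p = alloc_array(count, elem);
    printf("alloc_array: %s\n", p ? "allocated" : "NULL (overflow refused)");
    free(p);
    return 0;
}
```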
Whether exploitation is possible depends on the presence of an external connection, and whether compensating controls otherwise protect the device. Impact is implementation-specific. The ACSC recommends users take defensive measures such as those detailed in the Protecting Industrial Control Systems publication to minimise the risk of exploitation.
BlackBerry has released a list of affected products. It is difficult to know which downstream products use QNX, as original equipment manufacturers (OEMs) build and deploy QNX downstream. Since OEMs can modify the code, patches may be specific to OEM products rather than simply a generic QNX patch.
View further information on this vulnerability.
The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.