
‘BadAlloc’ flaws in BlackBerry QNX RTOS impact health care, critical infrastructure

BlackBerry QNX RTOS is used to support a range of critical infrastructure technologies, including medical devices. Critical vulnerabilities leave these devices open to attack. (Photo credit: “Fort Belvoir Community Hospital astounds with groundbreaking technology and devotion to patient care” by Army Medicine is licensed under CC BY 2.0...

A series of critical vulnerabilities known as BadAlloc, found in the BlackBerry QNX real-time operating system (RTOS) and supporting libraries, could enable remote code execution, denial-of-service attacks, and other nefarious activities, according to a Department of Homeland Security Cybersecurity and Infrastructure Security Agency alert.

BlackBerry QNX is used across a range of critical infrastructure entities, including health care medical devices, industrial control systems, and automotive systems, among others.

Microsoft first shed light on the collection of 25 vulnerabilities known as BadAlloc earlier this year, which exist in multiple RTOSs and supporting libraries. The critical memory allocation flaws are in the standard memory allocation functions used in a wide range of RTOSs, embedded software development kits (SDKs), and C standard library (libc) implementations.

At the time, the tech giant warned that exploits could enable adversaries to bypass security controls to perform a range of nefarious activities. Interestingly, these flaws were disclosed to CISA in April with an initial alert published on May 24.

Politico recently detailed disagreements between BlackBerry and the federal government, which left the QNX flaws off the initial alert. Reportedly, BlackBerry initially denied its products were affected, and if they were, the vendor didn’t know how many entities were using the platform.

The latest CISA alert confirms CVE-2021-22156 is part of the BadAlloc integer overflow vulnerabilities found in IoT, operational tech, and ICS. The flaw “is an integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products.”

All BlackBerry programs that depend on the C runtime library are impacted by the flaw, including BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, QNX OS for Safety 1.0.1 and earlier, and several others.

An attacker with network access could remotely exploit the flaw if the victim is operating a vulnerable product exposed to the internet. However, the actor must control the parameters passed to a calloc() function call and be able to control access to memory after the allocation to exploit the flaw.
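The integer overflow class described above can be seen in a few lines of C. This is an added illustration, not BlackBerry's code or its patch: `unchecked_total` and `safe_calloc` are hypothetical names, and the input is constructed to make the `nmemb * size` product wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte count an allocator computes when it multiplies without a check.
 * size_t arithmetic is modular, so a large product wraps to a small value. */
size_t unchecked_total(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical hardened wrapper: refuse the request when nmemb * size
 * cannot be represented in size_t, instead of allocating a short buffer. */
void *safe_calloc(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return NULL;                      /* product would wrap */
    size_t total = nmemb * size;
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* Constructed input: an element count large enough that count * 16 wraps. */
    size_t nmemb = SIZE_MAX / 16 + 2;
    size_t size = 16;

    printf("caller asks for %zu elements of %zu bytes\n", nmemb, size);
    printf("unchecked byte count: %zu\n", unchecked_total(nmemb, size));

    void *p = safe_calloc(nmemb, size);
    printf("safe_calloc: %s\n", p ? "allocated" : "refused (overflow)");
    free(p);

    p = safe_calloc(4, 8);                /* ordinary request still works */
    printf("safe_calloc(4, 8): %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```

The unchecked product comes out as 16 bytes, far less than the caller believes it was given, which is why later accesses to the buffer land outside the allocation.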

A successful exploit could allow the actor to create a denial-of-service condition or launch arbitrary code on the affected device, which would also give them control of the device and connected systems. CISA warned the action could impact critical functions of victims and overall U.S. infrastructure. So far, no active exploits have been spotted in the wild.

“Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions,” according to the alert.

Given the severity of the risk, CISA is urging all critical infrastructure organizations and entities developing, maintaining, using, or supporting QNX-supported systems to apply the patch to impacted products as soon as possible.

CISA recommends manufacturers of products that contain vulnerable QNX versions and vendors that develop unique versions of RTOS software to contact BlackBerry directly to access the software update.

End users, such as enterprise administrators, should also contact BlackBerry to determine whether there’s an available patch for the vulnerabilities. Entities unable to patch must apply recommended mitigation steps to prevent an exploit.

BlackBerry urged all admins “to ensure that only ports and protocols used by the application using the RTOS are accessible, blocking all others.”

Organizations should also review their network segmentation, vulnerability scanning, and intrusion detection to confirm that best practice standards are implemented and are appropriate for running the vulnerable QNX product within the environment, in order to avoid unauthorized access to or further exploitation of vulnerable devices.

“Customers will reduce the possibility of exploitation by enabling the capability for ASLR to randomize process segment addresses,” BlackBerry officials explained. “To enable ASLR, use the -mr option with procnto. Customers who are able to enable ASLR should do so.”

BlackBerry further stressed that to reduce the risk, integrators with systems based on affected QNX products will need to review systems to ensure they can only connect to trusted, isolated networks, avoid exposure from unnecessary interfaces, and locate system networks and remote devices behind firewalls, isolating them from the enterprise network.

There are no workarounds available for the flaw, which means all organizations must apply the patch or mitigation steps to reduce the risk to the enterprise.

In health care, device patching and other IoT mitigations are not always that straightforward. Incomplete device inventories and a lack of transparency on device components mean that most covered entities may not be aware that a device is operating with known flaws.

“We can’t patch everything. We don't have any ability to monitor and say, ‘all of this stuff needs to be patched’ to reduce the risk we have,” Samantha Jacques, vice president of clinical engineering at McLaren Health Care, previously explained during Defcon. “We just end up balancing the risk the best we can.”

As such, health care entities should review the BlackBerry and CISA alerts to determine whether they are using products that rely on the vulnerable platform and the best steps for mitigating the risk.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
