'BadAlloc' Vuln Affects Devices Using Older BlackBerry QNX Products'BadAlloc' Vuln Affects Devices Using Older BlackBerry QNX Products
CISA warns organizations with devices running affected QNX-based systems to "immediately apply mitigations" to protect them.
August 17, 2021
BlackBerry has disclosed its QNX Real Time Operating System (RTOS) is affected by BadAlloc vulnerability CVE-2021-22156, which if exploited could allow an attacker to perform a denial-of-service or execute malicious code on target devices, the Cybersecurity and Infrastructure Security Agency (CISA) says in an advisory.
BadAlloc is a series of critical memory allocation vulnerabilities affecting Internet of Things and operational technology devices that Microsoft disclosed earlier this year. At the time, CISA published a list of vendors affected by the vulnerability; now BlackBerry products are on its list.
BlackBerry, long known for making smartphones, has in recent years become a provider of software for industrial machinery. Its BlackBerry QNX is used in embedded systems across a range of industries, including automotive, medical devices, heavy machinery, commercial vehicles, industrial controls, aerospace and defense, robotics, and rail systems.
In an advisory published today, BlackBerry says the vulnerability exists in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX software development platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier.
To exploit the vulnerability, an attacker must have control over the parameters to a calloc() function call, as well as the ability to control what memory is accessed after the allocation. They would also need network access, and, to be successful, the target devices would need to have a vulnerable service running and exposed.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
What Ransomware Groups Look for in Enterprise Victims
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Everything You Need to Know About DNS Attacks
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks