'BadAlloc' Vuln Affects Devices Using Older BlackBerry QNX Products
CISA warns organizations with devices running affected QNX-based systems to "immediately apply mitigations" to protect them.
BlackBerry has disclosed its QNX Real Time Operating System (RTOS) is affected by BadAlloc vulnerability CVE-2021-22156, which if exploited could allow an attacker to perform a denial-of-service or execute malicious code on target devices, the Cybersecurity and Infrastructure Security Agency (CISA) says in an advisory.
BadAlloc is a series of critical memory allocation vulnerabilities affecting Internet of Things and operational technology devices that Microsoft disclosed earlier this year. At the time, CISA published a list of vendors affected by the vulnerability; now BlackBerry products are on its list.
BlackBerry, long known for making smartphones, has in recent years become a provider of software for industrial machinery. Its BlackBerry QNX is used in embedded systems across a range of industries, including automotive, medical devices, heavy machinery, commercial vehicles, industrial controls, aerospace and defense, robotics, and rail systems.
In an advisory published today, BlackBerry says the vulnerability exists in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX software development platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier.
To exploit the vulnerability, an attacker must have control over the parameters to a calloc() function call, as well as the ability to control what memory is accessed after the allocation. They would also need network access, and, to be successful, the target devices would need to have a vulnerable service running and exposed.
Read the full CISA advisory and BlackBerry release for more details and mitigations.
About the Author(s)
You May Also Like
Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024Finding Your Way on the Path to Zero Trust
May 22, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024