'BadAlloc' Vuln Affects Devices Using Older BlackBerry QNX Products

BlackBerry has disclosed its QNX Real Time Operating System (RTOS) is affected by BadAlloc vulnerability CVE-2021-22156, which if exploited could allow an attacker to perform a denial-of-service or execute malicious code on target devices, the Cybersecurity and Infrastructure Security Agency (CISA) says in an advisory.

BadAlloc is a series of critical memory allocation vulnerabilities affecting Internet of Things and operational technology devices that Microsoft disclosed earlier this year. At the time, CISA published a list of vendors affected by the vulnerability; now BlackBerry products are on its list.

BlackBerry, long known for making smartphones, has in recent years become a provider of software for industrial machinery. Its BlackBerry QNX is used in embedded systems across a range of industries, including automotive, medical devices, heavy machinery, commercial vehicles, industrial controls, aerospace and defense, robotics, and rail systems.

In an advisory published today, BlackBerry says the vulnerability exists in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX software development platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier.

To exploit the vulnerability, an attacker must have control over the parameters to a calloc() function call, as well as the ability to control what memory is accessed after the allocation. They would also need network access, and, to be successful, the target devices would need to have a vulnerable service running and exposed.

Read the full CISA advisory and BlackBerry release for more details and mitigations.