BlackBerry released an advisory explaining that its QNX Real Time Operating System (RTOS), which is used in medical devices, cars, factories and even the International Space Station, can be affected by BadAlloc, a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. BlackBerry recently boasted that the QNX Real Time Operating System is used in 200 million cars.
A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions.
The flaw is an “integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products.” To exploit it, attackers need to already have “control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation.”
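The class of bug described above, as an added illustration (not BlackBerry's code or the QNX implementation): a calloc()-style size computation that wraps, next to a wrapper that rejects the request instead. The function names and the sample element count are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: the byte count an unchecked calloc() would pass to
 * the underlying allocator. size_t arithmetic wraps modulo SIZE_MAX + 1. */
size_t unchecked_request(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Returns 1 when nmemb * size does not fit in size_t, 0 otherwise. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Hardened calloc-style wrapper (hypothetical name): fail the request
 * rather than return a block smaller than the caller believes it has. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size))
        return NULL;
    size_t total = nmemb * size;
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Constructed input: 16-byte records with an element count chosen so the
 * product wraps to 32 bytes regardless of the width of size_t. */
size_t demo_wrapped_size(void)
{
    size_t count = SIZE_MAX / 16 + 3;
    return unchecked_request(count, 16);
}

int main(void)
{
    printf("unchecked request: %zu bytes\n", demo_wrapped_size());
    printf("checked_calloc: %s\n",
           checked_calloc(SIZE_MAX / 16 + 3, 16) ? "allocated" : "rejected");
    return 0;
}
```

The unchecked path asks the allocator for 32 bytes while the caller believes it holds room for an enormous array, which is why the advisory pairs control of the calloc() parameters with control over what memory is accessed afterwards.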
Network access would allow an attacker to remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet. The vulnerability affects every BlackBerry program with a dependency on the C runtime library.
Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch. Manufacturers that develop unique versions of RTOS software should contact BlackBerry to obtain the patch code.
Some software updates for RTOS require removing devices or taking them to an off-site location for physical replacement of integrated memory.
BlackBerry said in its own release that it had not yet seen the vulnerability used. Users of the product are advised to ensure that “only ports and protocols used by the application using the RTOS are accessible, blocking all others.”
There are no workarounds for the vulnerability, but BlackBerry noted that users can reduce the possibility of an attack “by enabling the capability for ASLR to randomize process segment addresses.”
BlackBerry said in June that the QNX royalty revenue backlog had increased to $490 million at the end of its first quarter of fiscal year 2022. The company boasted that QNX is used in millions of cars made by Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota and Volkswagen.